Another way to achieve this is to use an 802.1x client with a GINA
module.  Immediately after you enter your credentials in the Windows
login screen, the GINA module takes control and pauses the Windows login
process.  It uses the user's Windows credentials to connect the user to
the network and, once the connection is complete, returns control to the
Windows login process.

I use this method very successfully at home and at work.

It totally removes the need for any credentials associated with the
machine.  I strongly recommend it.

The downside: you can't do it with the default MS 802.1x supplicant. :-(

Rgds,

Guy

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of King, Michael
> Sent: 28 April 2005 20:48
> To: freeradius-users@lists.freeradius.org
> Subject: RE: 802.1x and authenticating machine account 
> 
> 
> Alan DeKok wrote:
>    What's so special about machine authentication?
> 
> Short Version.  (Forgive my use of nomenclature)
> 
> When you're sitting at a logon prompt in Windows (hit 
> CTRL-ALT-DELETE), it (the client machine) has no user 
> credentials to perform an 802.1x session.  Hence, it has no 
> network access to talk to a domain controller to verify the 
> given credentials to allow access to the machine. Classic 
> chicken-and-egg argument.
> 
> Using Computer Accounts, the client computer authenticates 
> using its Active Directory Computer Account (usually given 
> as host/ComputerName).  It now has network access.  When a 
> client attempts a logon, it can reach the Domain Server to 
> perform the authentication.  When the User Desktop comes up, 
> Windows XP drops the computer account credentials and 
> performs a new 802.1x session using the client's credentials.
> 
> It allows a person to logon to a Windows 2000/XP laptop 
> without having to depend on having a cached logon. (Cached 
> Logon = You logged on successfully to the computer before, so 
> the client machine allows it now, because it can not 
> communicate with the domain controller)
> 
> I think that covers it.
> 
> Mike
> 
> - 
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 
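The two session types Mike describes (a computer-account session identified as host/ComputerName, then a separate user session) are worth keeping apart on the RADIUS side, so that a machine-only session gets just the access it needs to reach the domain controller. The snippet below is an added illustration, not code from either poster or from FreeRADIUS: it classifies an EAP identity as machine or user and assigns a hypothetical authorization profile, with a constructed list of known computer accounts standing in for a directory lookup.

```python
import re
from dataclasses import dataclass

# Constructed sample of computer accounts; a real server would look these
# up in the directory. Assumption: names compare case-insensitively.
KNOWN_COMPUTERS = {"LAPTOP01", "DESK-ACCT-7"}

@dataclass(frozen=True)
class Decision:
    kind: str        # "machine", "user" or "reject"
    principal: str   # normalised identity without realm or host/ prefix
    policy: str      # hypothetical authorization profile name

# host/NAME or host/NAME.dns.suffix, as Windows presents a computer account
_HOST_RE = re.compile(r"^host/(?P<name>[A-Za-z0-9-]+)(?:\.[A-Za-z0-9.-]+)?$")
# user@realm (UPN style) or DOMAIN\user (down-level style)
_UPN_RE = re.compile(r"^(?P<user>[^@\\/]+)@(?P<realm>[A-Za-z0-9.-]+)$")
_DOMAIN_RE = re.compile(r"^(?P<domain>[A-Za-z0-9-]+)\\(?P<user>[^@\\/]+)$")

def classify_identity(identity: str) -> Decision:
    """Map an EAP identity to the profile its session should receive.

    Machine identities get a profile that only reaches the domain
    controller (enough to complete a logon); user identities get the
    full profile; unknown computers and malformed names are rejected.
    """
    ident = identity.strip()
    m = _HOST_RE.match(ident)
    if m:
        name = m.group("name").upper()
        if name in KNOWN_COMPUTERS:
            return Decision("machine", name, "machine-only-dc-access")
        return Decision("reject", name, "deny-unknown-computer")
    m = _UPN_RE.match(ident) or _DOMAIN_RE.match(ident)
    if m:
        return Decision("user", m.group("user").lower(), "user-full-access")
    return Decision("reject", ident, "deny-malformed-identity")
```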

