Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Mon, 25 Apr 2005 15:45:13 -0700 

Actually, a packet capture would likely be of little use.  What's most
likely different in the response from a FreeRADIUS server versus an IAS
server (that manifests itself in the does-a-user-get-a-password-prompt
question anyway) is the MSCHAPv2 response.  Since this response is
tunneled inside TLS, a packet capture would not show anything useful.

--Mike


King, Michael wrote:

Anyone have FreeRadius?  I'm sure this can answered with a packet
capture.  (The message the client is receiving)

-----Original Message-----
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Monday, April 25, 2005 3:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Are you running SBR on Windows doing full domain authentication?  I
wouldn't be surprised if SBR on Windows doing domain authentication is
using some of the same API services that IAS is causing it to have the
same difficulty.

--Mike

-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



King, Michael wrote:


Interesting.  I joined the list just because of this issue.

I'm running on Funk SBR and it does not appear that the client is
prompting for a new password.

Could it be in the answerback that the radius server is sending?

-----Original Message-----
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Monday, April 25, 2005 2:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

I attend Mike Griego's excellent online webinar today (courtesy of
EDUCAUSE), and he said that with FreeRADIUS the WinXP client properly
prompts for a new password to be entered, which is not the case with
IAS.

Can anyone else confirm that?

Frank

-----Original Message-----
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Tuesday, January 25, 2005 10:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Can Mike and Katie report to the group what kind of access points and
software revisions they are running?

My aide in this diagnosis suspects it could be some kind of
communication flow between the AP and the client that causes some WLAN





systems to prompt for the credentials and others not to.

Regards,

Frank

-----Original Message-----
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael
Griego
Sent: Tuesday, January 25, 2005 10:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

No problem.  If the credentials they use to login to their personal
machines (username and password only... domain/machine name is
discarded), then they can leave the "use my Windows login" box


checked.


 I have tested this and it does work.  Of course, if the credentials
get out of sync (perhaps by a password change in AD), then I suppose
it would produce the symptoms seen by Katy.  Removing the credentials
cache key in the registry, however, would not solve this problem.

Anyway, we don't tell our users to do this.  With the "use my Windows
login"
unchecked, even if the credentials happen to match, I have never seen
the XP supplicant *not* ask for credentials, so they should get asked
for their username and password in this scenario regardless.

--Mike

-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



Frank Bulk wrote:



Mike:

My apologies for misunderstanding your response.

What happens if their personal credentials match the network


credentials?



Frank

-----Original Message-----
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael
Griego
Sent: Tuesday, January 25, 2005 8:50 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Frank,

I very much understood Katy's question.  As for us, this is an issue
we simply have not run into.  I have always seen the XP supplicant
re-ask for credentials if its attempts to use cached credentials fail.
That's why I provided the link to our setup pages, in case our client
setups differed from hers in any way that could be helpful.  The only
time our help desk staff have had to perform the registry key removal
is if they have used their personal credentials to test authentication




and succeeded, causing the user's laptop to cache those credentials.

--Mike

-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



Frank Bulk wrote:




Mike:

Katie's question is not if 802.1x can be rolled out with AD, but
what's challenging her is that upon changing the password the user is





not re-asked for their credentials.  Is that an issue you've been
able




to


overcome?




Regards,

Frank

-----Original Message-----
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael
Griego
Sent: Tuesday, January 25, 2005 6:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Hi, Frank,

Actually, I would disagree with this statement.  We have the system
working quite well here at UTD.  Most of our students are using the
built in Windows supplicant on machines we have no control of, and
the




users are not authenticated off of our AD forest.

Take a look at
http://www.utdallas.edu/ir/cats/network/wlan/8021x/index.html.  This
is the instructions we give our users for setting up their OSes for


802.1x.




It includes instructions for WinXP, Win2K, MacOS 10.3+, and Linux.


--Mike

-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



Frank Bulk wrote:





Katie:

This is not from me, but from someone who has had experience with


this:



"Unless they have an Active Directory backend (and can therefore use





computer authentication and use their windows logon credentials for
802.1x) there isn't a good way to do it with the built-in Windows
client.  In this case it might be better to use a third-party
supplicant - Either Funk (which costs money) or the card manager
software built-in to most of the drivers these days.  Most
enterprises don't have this problem because they do have AD....but
universities are a whole different issue because they don't control
the


client PCs."



Frank

-----Original Message-----
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Katie
Christman
Sent: Monday, January 24, 2005 2:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WinXP 802.1x and password changes

We're in the midst of a pilot for wireless authentication here at


ND.


We've got 802.1x up and working, however we ran into a glitch when
using the built-in Windows XP 1x supplicant.  When a user changes
their password, it never prompts the user to re-type their
credentials, authentication just fails.  According to the MS
knowledgebase, this behavior was purposely designed this way.  The
only 2 ways we've found to force reauthentication are to either
delete the reg key that stores the cached credentials, or to remove
the 1x


connection and recreate it.





For those of you who are using the built-in XP supplicant with 1x -
how are you dealing with this behavior?

Thanks in advance,
Katie

--
-----------------------------
Katie Christman
University of Notre Dame
Office of Information Technologies
Notre Dame, IN 46556
Phone: 574.631.3130
Fax: 574.631.9883
Email: [EMAIL PROTECTED]
-----------------------------

**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at


http://www.educause.edu/groups/.





**********
Participation and subscription information for this EDUCAUSE
Constituent


Group discussion list can be found at


http://www.educause.edu/groups/.


**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at


http://www.educause.edu/groups/.


**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at


http://www.educause.edu/groups/.



**********
Participation and subscription information for this EDUCAUSE
Constituent


Group discussion list can be found at http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at


http://www.educause.edu/groups/.


**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at


http://www.educause.edu/groups/.


**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at


http://www.educause.edu/groups/.


**********
Participation and subscription information for this EDUCAUSE


Constituent Group discussion list can be found at
http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Reply via email to