Anyone have FreeRadius? I'm sure this can be answered with a packet
capture. (The message the client is receiving)
-----Original Message-----
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Monday, April 25, 2005 3:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
Are you running SBR on Windows doing full domain authentication? I
wouldn't be surprised if SBR on Windows doing domain authentication is
using some of the same API services that IAS is, causing it to have the
same difficulty.
--Mike
-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
King, Michael wrote:
Interesting. I joined the list just because of this issue.
I'm running on Funk SBR and it does not appear that the client is
prompting for a new password.
Could it be in the answerback that the radius server is sending?
-----Original Message-----
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Monday, April 25, 2005 2:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
I attended Mike Griego's excellent online webinar today (courtesy of
EDUCAUSE), and he said that with FreeRADIUS the WinXP client properly
prompts for a new password to be entered, which is not the case with
IAS.
Can anyone else confirm that?
Frank
-----Original Message-----
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Tuesday, January 25, 2005 10:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
Can Mike and Katie report to the group what kind of access points and
software revisions they are running?
My aide in this diagnosis suspects it could be some kind of
communication flow between the AP and the client that causes some WLAN
systems to prompt for the credentials and others not to.
Regards,
Frank
-----Original Message-----
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Tuesday, January 25, 2005 10:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
No problem. If the credentials they use to login to their personal
machines (username and password only... domain/machine name is
discarded), then they can leave the "use my Windows login" box
checked.
I have tested this and it does work. Of course, if the credentials
get out of sync (perhaps by a password change in AD), then I suppose
it would produce the symptoms seen by Katy. Removing the credentials
cache key in the registry, however, would not solve this problem.
Anyway, we don't tell our users to do this. With the "use my Windows
login" unchecked, even if the credentials happen to match, I have never
seen the XP supplicant *not* ask for credentials, so they should get
asked for their username and password in this scenario regardless.
--Mike
-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Frank Bulk wrote:
Mike:
My apologies for misunderstanding your response.
What happens if their personal credentials match the network
credentials?
Frank
-----Original Message-----
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Tuesday, January 25, 2005 8:50 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
Frank,
I very much understood Katy's question. As for us, this is an issue
we simply have not run into. I have always seen the XP supplicant
re-ask for credentials if its attempts to use cached credentials fail.
That's why I provided the link to our setup pages, in case our client
setups differed from hers in any way that could be helpful. The only
time our help desk staff have had to perform the registry key removal
is if they have used their personal credentials to test authentication
and succeeded, causing the user's laptop to cache those credentials.
--Mike
-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Frank Bulk wrote:
Mike:
Katie's question is not if 802.1x can be rolled out with AD, but
what's challenging her is that upon changing the password the user is
not re-asked for their credentials. Is that an issue you've been
able to overcome?
Regards,
Frank
-----Original Message-----
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Tuesday, January 25, 2005 6:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
Hi, Frank,
Actually, I would disagree with this statement. We have the system
working quite well here at UTD. Most of our students are using the
built-in Windows supplicant on machines we have no control of, and the
users are not authenticated off of our AD forest.
Take a look at
http://www.utdallas.edu/ir/cats/network/wlan/8021x/index.html. These
are the instructions we give our users for setting up their OSes for
802.1x. They include instructions for WinXP, Win2K, MacOS 10.3+, and
Linux.
--Mike
-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Frank Bulk wrote:
Katie:
This is not from me, but from someone who has had experience with
this:
"Unless they have an Active Directory backend (and can therefore use
computer authentication and use their Windows logon credentials for
802.1x) there isn't a good way to do it with the built-in Windows
client. In this case it might be better to use a third-party
supplicant - either Funk (which costs money) or the card manager
software built in to most of the drivers these days. Most
enterprises don't have this problem because they do have AD... but
universities are a whole different issue because they don't control
the client PCs."
Frank
-----Original Message-----
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Katie Christman
Sent: Monday, January 24, 2005 2:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WinXP 802.1x and password changes
We're in the midst of a pilot for wireless authentication here at ND.
We've got 802.1x up and working; however, we ran into a glitch when
using the built-in Windows XP 1x supplicant. When a user changes
their password, it never prompts the user to re-type their
credentials; authentication just fails. According to the MS
knowledgebase, this behavior was purposely designed this way. The
only 2 ways we've found to force reauthentication are to either
delete the reg key that stores the cached credentials, or to remove
the 1x connection and recreate it.
For those of you who are using the built-in XP supplicant with 1x -
how are you dealing with this behavior?
Thanks in advance,
Katie
--
-----------------------------
Katie Christman
University of Notre Dame
Office of Information Technologies
Notre Dame, IN 46556
Phone: 574.631.3130
Fax: 574.631.9883
Email: [EMAIL PROTECTED]
-----------------------------
**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
**********