Prelogin Wireless options?

RadiclDreamer · 11-08-2012, 10:21 AM

I've been using the intel proset wireless utility to have pre-login connection with XP machines. Now when trying to do the same thing with windows 7 it gives 2 separate login boxes which confuses our users.

What is the most simple way to accomplish pre login persistent connections with intel cards? My goal is to have the wireless behave like hardwired as much as is possible. I also need to make sure I leave the users the ability to select other wireless networks when away from the office, am I asking too much here or is this possible?

spidey07 · 11-08-2012, 10:33 AM

It's possible, you have windows login as a machine account/machine auth and then it will switch to user auth once they login. Of course you'll need to have all your RADIUS up to snuff to allow it to happen.

imagoon · 11-08-2012, 10:40 AM

Basically what spidey said:

Get RADIUS up, give the computer accounts wireless log in rights and they can log in. Certificates are by far better suited for this but GPO (i think been awhile) give "local systems" the wireless rights it needs to allow the computer accounts to log in (IE password / WPA2 settings etc). Once the user signs in, the wireless connection switches to user account.

Getting this set up correctly adds bonus points because the users windows account and password becomes wireless account and password, so the user never sees a login box, they just "automagically" end up on the wireless.

RadiclDreamer · 11-08-2012, 01:15 PM

Any idea how to setup computer accounts in Cisco Secure ACS? Thats what we use for auth currently

*Edit

I found in external user databases the option for allowing machine auth, but there is also a section that says exempt certain groups from machine auth. Does this mean if i enable machine auth that all users must pass machine auth before being allowed to do user auth as well?

RadiclDreamer · 11-12-2012, 09:25 AM

Bump

spidey07 · 11-12-2012, 09:32 AM

What version of ACS? The client is the one that decides to do machine or user auth, ACS just does a pass/no-pass on the auth request. To try to force machine and then user auth on top of it requires EAP chaining which is a very new concept and only in ISE I believe.

RadiclDreamer · 11-12-2012, 11:20 AM

Running 4.2 Appliance version. Really what I am looking for is the most simple way of having a device use generic credentials for auth and behave as close to wired as possible which was super easy with XP but Win7 has been a PITA about it.