Using MS-CHAPv2 for user authentication and certificates for computer based wireless authentication
Thread: http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/25bee3e9-c10f-4ab5-bc36-e028ffe7fed5

Thomas Vuylsteke (http://social.technet.microsoft.com/Profile/en-US/?user=Thomas%20Vuylsteke), Wed, 24 Jun 2009 19:38:53 Z

I'm having the following "is it possible" question:

Setup: all servers are Windows Server 2003 R2 SP2 Standard Edition, clients are Windows XP SP3
* dc01: domain controller + RADIUS
* ca01: Windows Standard Edition, enterprise certificate authority
* wireless controller
* XP clients

Currently the customer has an environment in which wireless access is granted or not on a per-user basis. This uses MS-CHAPv2. So when they connect to the wireless connection, initially the user credentials are provided and validated by the RADIUS server.

Now they want to be able to use some form of computer-level authentication so the clients have a proper logon to the domain and so that logon scripts are executed nicely. This can be achieved with "smart card or certificate based" authentication where all domain clients get a client certificate from the enterprise CA.

Now I was wondering how we can "mix" this approach: use the computer certificates for computer wireless authentication, and afterwards have per-user security by using their password.

Is it:

A) possible to configure PEAP as authentication method (based on MS-CHAPv2) but still have a wireless connection while the client is not yet logged in? Without using third-party tools.

B) possible to configure "smart card or certificate" as authentication method, have computers authenticate based on a client certificate, but still have some security group in AD which controls which users are allowed to "reauthenticate" to the wireless LAN?

C) I am aware that using user certificates we could achieve this. But then I wonder the following:
C1) Can the default v1 user certificate template be autoenrolled? I'm aware that creating a custom user template (requires Enterprise Windows) would allow me to flag the autoenroll permission. But I'm wondering if it's possible without having to manually enroll a certificate for each user. Even considering they'd all stick to their own portable.

Srini MSFT (http://social.technet.microsoft.com/Profile/en-US/?user=Srini%20MSFT), Sat, 27 Jun 2009 00:48:03 Z

Hi,

Have you considered using Machine or User mode authentication mentioned here: http://msdn.microsoft.com/en-us/library/ms706279(VS.85).aspx. With PEAP-MSCHAPv2 and Machine or User auth, I think you should be able to accomplish this.

Thanks,

Thomas Vuylsteke, Wed, 08 Jul 2009 09:27:04 Z

We ended up using MS-CHAPv2 with machine and user authentication. It worked fine as you described it.

Thanks!