802.1x new domain users are unable to authenticate to the domain server

  • Question

  • I have set up a Radius server and it is working successfully except for one problem.  If I add a new user to the Domain, or if an existing user logs onto a PC that they have never logged on to before, they receive an error "The system cannot log you on because the % domain is not available".

    I set up the Radius to allow all Domain users, and if they have already logged into a PC and their Domain account is cached on the PC they can connect and authenticate.

    I then set up the Radius Server to authenticate by computer only and this works for the users either way.  So I can successfully deploy it this way, but the client really wants it to be set up by AD Username.  I have tried to tell the "dot3srv" service to start first in order to do the authentication but this does not seem to be helping.  I do not receive any logs on the server (Windows 2008 R2) that even show the client PC attempting to log in.

    Does anyone have any idea about what I am missing?

    Thanks,

    Greg

    Monday, January 31, 2011 8:53 PM

Answers

  • Hi Greg,

    Thanks for posting here.

    Yes, we'd suggest performing computer authentication first, so that the computer can access the network and connect with the domain controller to acquire the new logon user's information. After the new user's logon processing completes, switch to the user authentication method.

    This could be implemented by setting different authentication methods in the computer and user group policy configuration.

    Thanks.

    Tiger Li


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, February 1, 2011 7:02 AM
  • I figured it out.  In the network dialog of Windows 7 under the Authentication tab there is a box that says allow single sign on and to try before or after.  I changed this to try after, and now the Machine logs in successfully; once the user logs on, the user's authentication takes over.  I also thought that the default XP settings would be "machineOrUser"; I found this to be incorrect.  Once I specified this I was able to get the XP machine working also!  Thanks for the direction on this guys!
    Tuesday, February 1, 2011 4:37 PM

All replies

  • Hi Greg

    I am having a random theory here so bear with me :) your radius/NPS server does not allow access to the network (which also means access to the Domain's AD authenticating server by the user) until the user has been authenticated. Now an old user has cached their credentials so quickly logs on to the machine WITHOUT having to be authenticated by the Radius or Active Directory Server (sometimes :] ) and the network starts authenticating with your radius server so as to gain access to the network and the little computers show connected!!

    A new user now, when trying to log on to the domain when he is not yet allowed access to the network, will probably get the "domain is not available" error msg because the machine cannot connect to the network, because the user hasn't logged on to the computer, because the domain is unavailable because the user hasn't been authorised by the radius server to connect - remember, not allowed access to the network yet until authenticated.

    And an old user logging on to a new computer, same thing: no cached credentials in the machine, so they cannot log on to the domain because no authorization from the radius server to access the network, so no domain available.

    I hope this makes sense, I was getting confused myself when I read it back to myself.. I have since stopped doing that... I think authenticating by computer only is the best alternative and use AD credentials for 802.1x wireless :)


    tech-nique
    Monday, January 31, 2011 9:34 PM
  • tech-nique,

    I am 100% on the same thinking plan as you are with this.  It was my understanding though that 802.1x when configured should first send a user/pass to the Radius server to do a pre-authentication but it does not appear to be happening.


    Tiger Li,

    What I found is if I have an XP machine or even a 7 machine configured for "Machine or User" and I have the settings for both, the machines want to send the user/pass and not the machine info first, so it ends up failing the authentication.  Is there a way that I can specify to have the machine first send the machine request and then send the user request?


    Basically when I try this I can see the log in the NPS that goes to the computer authentication and the credentials are the userid/pass, so it fails and shuts down the network.  This is happening even when I tell the dot3srv to start first.  If I try user authentication only then I see no logs at all in the NPS; it is as if it won't even try to let the user authenticate.  When I look at wireshark data from the port I can see the client machine send an ack out to the server, I see the server respond and then respond again, but the client does not appear to be receiving the response so it acks again until it finally times out.

    Thanks,

    Greg

    Tuesday, February 1, 2011 1:44 PM
  • Hello,

    We are also facing the same issue. Can you tell me how you fixed this issue in Windows XP SP2? I could notice some settings for this in the Win 7 OS only. Please advise next steps to resolve this issue. Thanks in advance.

    Monday, June 6, 2011 1:47 PM
  • The only way I was able to make it work on an XP machine was to edit the Local Area Connection XML.  I used a batch script to update this.  Below is my script and my XML connection file.  I found this very easy; the batch script also enables the Wired AutoConfig service on the PC.  Hopefully this works for you.

     

    --- Batch ---

    rem Copy the profile to the root of C: (run from the folder that holds the XML)
    xcopy "Local Area Connection.xml" C:\
    rem Enable and start the Wired AutoConfig (802.1X) service
    sc config Dot3svc start= auto
    net start Dot3svc
    rem Import the wired profile for the Local Area Connection adapter
    netsh lan add profile filename="C:\Local Area Connection.xml"
    pause

    --- Local Area Connection XML File - Name this Local Area Connection.xml ---

    <?xml version="1.0"?>
    <LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
      <MSM>
        <security>
          <OneXEnforced>false</OneXEnforced>
          <OneXEnabled>true</OneXEnabled>
          <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
            <cacheUserData>true</cacheUserData>
            <!-- machineOrUser: authenticate as the computer until a user logs on, then as the user -->
            <authMode>machineOrUser</authMode>
            <EAPConfig>
              <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                <EapMethod>
                  <!-- EAP type 25 = PEAP -->
                  <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
                  <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
                  <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
                  <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
                </EapMethod>
                <ConfigBlob>010000007C000000010000000100000001000000530000001700000000000000570049004E002D003800360047004400370035003500460041004D004F002E005300530049005200410044004900550053002E004C004F00430041004C00000001000000170000001A00000001000000020000000000000000000000</ConfigBlob>
              </EapHostConfig>
            </EAPConfig>
          </OneX>
        </security>
      </MSM>
    </LANProfile>

    Tuesday, June 7, 2011 8:54 PM
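The profile format above is what decides whether a user with no cached logon can reach the domain controller, so as an added example (not from this thread, Microsoft, or the poster) here is a small Python audit that parses a wired LAN profile, reports OneX enablement, authMode and the EAP method type, and flags the two settings the thread shows failing: authMode left unset (XP did not default to machineOrUser) or set to userOnly. The namespace URIs come from the posted profile; the assumption that the Windows 7 "before/after logon" single-sign-on option maps to a singleSignOn/type element with values preLogon/postLogon is mine, and the embedded sample is the posted profile with its ConfigBlob trimmed.

```python
import xml.etree.ElementTree as ET

NS = {"lan": "http://www.microsoft.com/networking/LAN/profile/v1",
      "onex": "http://www.microsoft.com/networking/OneX/v1",
      "eap": "http://www.microsoft.com/provisioning/EapHostConfig",
      "eapc": "http://www.microsoft.com/provisioning/EapCommon"}
EAP_TYPES = {13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}  # IANA EAP method numbers

# Constructed sample: the thread's XP profile with the ConfigBlob trimmed out.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
 <MSM><security>
  <OneXEnforced>false</OneXEnforced>
  <OneXEnabled>true</OneXEnabled>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <cacheUserData>true</cacheUserData>
   <authMode>machineOrUser</authMode>
   <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
   </EapHostConfig></EAPConfig>
  </OneX>
 </security></MSM>
</LANProfile>"""


def audit_lan_profile(xml_text):
    """Return the 802.1X settings that decide whether a fresh domain user can log on."""
    sec = ET.fromstring(xml_text).find("lan:MSM/lan:security", NS)
    if sec is None:
        raise ValueError("not a LANProfile: MSM/security element missing")
    r = {"onex_enabled": sec.findtext("lan:OneXEnabled", "false", NS) == "true",
         "onex_enforced": sec.findtext("lan:OneXEnforced", "false", NS) == "true",
         "auth_mode": None, "sso_type": None, "eap_type": None, "eap_name": None,
         "warnings": []}
    onex = sec.find("onex:OneX", NS)
    if onex is None:
        r["warnings"].append("no OneX block: the port never performs 802.1X")
        return r
    r["auth_mode"] = onex.findtext("onex:authMode", None, NS)
    if r["auth_mode"] is None:
        r["warnings"].append("authMode omitted: set machineOrUser explicitly (XP did not default to it)")
    elif r["auth_mode"] == "userOnly":
        r["warnings"].append("userOnly: a user with no cached profile cannot reach the DC to log on")
    # singleSignOn/type (preLogon|postLogon) as the Win7 'before/after logon' option is an assumption.
    r["sso_type"] = onex.findtext("onex:singleSignOn/onex:type", None, NS)
    t = onex.findtext("onex:EAPConfig/eap:EapHostConfig/eap:EapMethod/eapc:Type", None, NS)
    if t is not None:
        r["eap_type"], r["eap_name"] = int(t), EAP_TYPES.get(int(t), "unknown")
    return r
```

Run it over an exported profile (netsh lan export profile) to confirm the imported XML actually carries machineOrUser rather than relying on the default.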