I seem to recall from my Bluesocket training a term called "machine level" authentication. Basically, this was setting up a wireless network in such a way that domained machines would have the necessary access to domain resources during boot up but prior to user login. It is my understanding that network shares and group policy updates don't typically get pushed out to domained machines when they boot up while on a wireless connection. The client doesn't complete the association to the remembered wireless AP until after the computer boots and the user logs in.
Currently, I have several similar small business offices where we deploy a NV3448 router along with a couple NV160s. The NV3448 is the controller of the NV160s. The NV160s are performing a wireless bridging function of the wireless devices to the data network. In most of these circumstances, the wireless network is part of the same broadcast domain as the wired network. Currently we are just implementing "security mode wpa tkip aes-ccmp psk passkey".
Since the Microsoft DC (typically 2008 R2 or now we have a few on 2012) is aware of the domained devices, it is my understanding that things can be set up to allow this "machine level" authentication to occur, which grants domained-only workstations/laptops access. This is typically some sort of basic level domain access just so it can gain the necessary GP updates and access to shared resources. I realize that many other resources will not be granted until the user authenticates at login.
My questions:
1. Is this a very common problem?
2. If so, then is machine level authentication a viable answer?
3. How does machine level authentication work and can I easily implement it in the situation described?
4. When using machine level authentication, how does wireless link encryption get deployed/setup?
Thank you!
I believe you can use 802.1x to have domain parameters sent to PCs wirelessly. However, as far as the NetVanta goes, the controller simply needs to be set up to forward the authentication requests to/from the RADIUS server. The guide below explains how to set up a RADIUS server when using a NetVanta 160/161 access point:
https://supportforums.adtran.com/docs/DOC-5309
The only other caveat you may run into is that the client will need to be joined to the domain at least once before it attempts to authenticate wirelessly.
Let us know if you have any questions.
Thanks,
Noor
Are you referring to 802.1x?
I know Bluesocket can do this but I don't think the NV wireless can, or maybe it's a CLI only thing.
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Levi