Forcing machine auth plus username/password - always

This forum is used to discuss items such as 802.1X, EAP and SecureW2

Post by curtiswaters on Wed Sep 20, 2006 4:36 am

Using either PEAP or TTLS - any supplicant -----

Is there a way to force machine authentication before user authentication? In use of Windows GINA under XP Pro clients - machine auth takes place, user login prompt (similar to NTLM logon).

However, if a user disconnects from the network later and then wishes to reconnect, a simple PEAP or TTLS login occurs without machine auth. While machine auth was designed as a method to facilitate the machine startup/network login process, can either W2003 Server or a GPO be developed to mandate machine authentication as well?
curtiswaters
Moderator
 
Posts: 1
Joined: Tue Jul 05, 2005 8:51 pm
Location: Weddington, NC

Post by hollmanak on Mon Sep 25, 2006 1:58 pm

We are currently using machine auth for some of our lab/email bar wireless machines. To make sure we get a machine auth before the logon prompt we are using a group policy through gpedit.msc. Under Computer Config -> Administrative Templates -> System -> Logon, there is a setting called "Always wait for the network at computer startup and logon." By selecting this the computer is forced to look for a network connection (wired or wireless) before you get to the logon screen. If you have gone into the wireless properties and clicked the check box "Authenticate as computer when computer information is available" you should see a machine authentication going across before booting to the logon prompt.
hollmanak
Moderator
 
Posts: 9
Joined: Thu Sep 21, 2006 5:15 pm
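
An added example, not part of the thread and not code from either poster: a server-side check for the case raised in the first post, where a station reconnects with only a user PEAP/TTLS login and no machine authentication. It assumes the RADIUS server's accounting or authentication log can be reduced to (time, station MAC, EAP identity, result) and that Windows computer identities start with host/; the record layout, the 8-hour window and all names below are hypothetical.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
MACHINE_PREFIX = "host/"      # assumption: computer identities look like host/<fqdn>
WINDOW = timedelta(hours=8)   # hypothetical: how long a machine auth vouches for a station

# Constructed sample records: (time, station MAC, EAP identity, result)
SAMPLE_LOG = [
    ("2006-09-25 08:00:05", "00-11-22-33-44-55", "host/lab-pc01.example.edu", "accept"),
    ("2006-09-25 08:01:10", "00-11-22-33-44-55", "EXAMPLE\\alice", "accept"),
    ("2006-09-25 09:30:00", "00:aa:bb:cc:dd:ee", "EXAMPLE\\bob", "accept"),
    ("2006-09-25 10:00:00", "00-66-77-88-99-00", "host/lab-pc02.example.edu", "reject"),
    ("2006-09-25 10:00:30", "00-66-77-88-99-00", "EXAMPLE\\carol", "accept"),
    ("2006-09-25 19:45:00", "00-11-22-33-44-55", "EXAMPLE\\alice", "accept"),
]


def normalize_mac(mac):
    """Fold case and separator so one station always maps to one key."""
    return mac.upper().replace(":", "-")


def user_auths_without_machine_auth(records, window=WINDOW):
    """Return accepted user logins from stations with no accepted
    machine authentication inside `window` before the login."""
    parsed = sorted(
        (datetime.strptime(ts, FMT), normalize_mac(mac), ident, result.lower())
        for ts, mac, ident, result in records
    )
    last_machine_ok = {}  # station MAC -> time of last accepted machine auth
    findings = []
    for when, mac, ident, result in parsed:
        if result != "accept":
            continue  # a rejected machine auth must not vouch for the station
        if ident.lower().startswith(MACHINE_PREFIX):
            last_machine_ok[mac] = when
            continue
        seen = last_machine_ok.get(mac)
        if seen is None or when - seen > window:
            findings.append((when.strftime(FMT), mac, ident))
    return findings


if __name__ == "__main__":
    for ts, mac, ident in user_auths_without_machine_auth(SAMPLE_LOG):
        print(f"{ts} {mac} {ident}: user auth with no recent machine auth")
```

Keying on the station MAC means a spoofed MAC can inherit another machine's authentication, so findings from this check are a reporting aid rather than an access decision.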
