Discussion:
Troubles with Machine Authentication with EAP-TLS
(too old to reply)
Phil
2005-01-28 19:47:04 UTC
Permalink
I have all Windows 2000 server and Windows 2000 clients running sp4 with
Cisco 1100 access points. I have an internal certificate server and pushing
out machine certs via GPO and user certs manually imported from the web page.
Using IAS RADIUS server for authentication.

On the client I have Network Authentication set to WPA and Data Encryption
set to AUTO. On the Authentication Tab the EAP Method is TLS and the
certificate is the user certificate (***@domain.com) and do not have
validate server certificate enabled. The Wireless Configuration service is
set to AUTOMATIC but status is blank, not started. Once service is manually
started the Authentication Tab in the network connection is set to Smart Card
or other Certificate and the Authenticate as computer when computer
information is available is check marked.

For the IAS policy I have a wireless policy that contains a WirelessAccess
group that contains both users and computer accounts from AD.

Before logon there is no network connection but after the user logs on the
connection is authenticated and brought up. In the RADIUS logs I am getting
the message of DOMAIN\comptuer.domain.com NO SUCH USER for the computer
authentication.

What am I doing wrong and how do I get the machine to connect to the
network, pull an IP address before the user logs on?
Wayne Tilton
2005-01-28 21:38:48 UTC
Permalink
Post by Phil
I have all Windows 2000 server and Windows 2000 clients running sp4
with Cisco 1100 access points. I have an internal certificate server
and pushing out machine certs via GPO and user certs manually imported
from the web page.
Using IAS RADIUS server for authentication.
On the client I have Network Authentication set to WPA and Data
Encryption set to AUTO. On the Authentication Tab the EAP Method is
and do not have validate server certificate enabled. The Wireless
Configuration service is set to AUTOMATIC but status is blank, not
started. Once service is manually started the Authentication Tab in
the network connection is set to Smart Card or other Certificate and
the Authenticate as computer when computer information is available is
check marked.
For the IAS policy I have a wireless policy that contains a
WirelessAccess group that contains both users and computer accounts
from AD.
Before logon there is no network connection but after the user logs on
the connection is authenticated and brought up. In the RADIUS logs I
am getting the message of DOMAIN\comptuer.domain.com NO SUCH USER for
the computer authentication.
What am I doing wrong and how do I get the machine to connect to the
network, pull an IP address before the user logs on?
In order for machine authentication to work with EAP/TLS, the machine
certficate must contain the dnsHostName of the machine in the Subject
Alternate Name attribute of the certificate. The dnsHostName attribute
on the computer object in AD must match the Primary DNS Suffix configured
for the computer AND it must match the DNS domain of AD. So, if your AD
domain is named 'mycompany.com' and your computer is named 'mycomputer',
the Primary DNS Suffix on the computer must be set to 'mycompany.com' AND
the dnsHostName attribute on the computer object in AD must be
'mycomputer.mycompany.com'.

HTH,

Wayne Tilton
Phil
2005-01-28 22:19:05 UTC
Permalink
Set the DNS suffix on the laptop and tried again but had no luck.

Here is what I am getting in the IAS server log:

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 1/28/2005
Time: 4:09:39 PM
User: N/A
Computer: GR-DATA
Description:
User gr-laptop-23.domain.com was denied access.
Fully-Qualified-User-Name = DOMAIN\gr-laptop-23.domain.com
NAS-IP-Address = 192.168.3.48
NAS-Identifier = GR-ISAP-01
Called-Station-Identifier = 0040.96a0.eb2d
Calling-Station-Identifier = 0090.4bb2.a8b6
Client-Friendly-Name = gr-isap
Client-IP-Address = 192.168.3.48
NAS-Port-Type = 19
NAS-Port = 500
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user does not exist.



Digging back in the event log it does look like it worked at one point but I
have no idea how. Here is the event log for the one time it register ok.
The odd thing I see is that it has user host/computername where as the ones
that don't work have only user computername. ALso the FQDN is COMPUTERNAME$
where as the one that does not work is the FQDN.

Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 1/28/2005
Time: 3:47:58 PM
User: N/A
Computer: GR-DATA
Description:
User host/gr-laptop-23.domain.com was granted access.
Fully-Qualified-User-Name = DOMAIN\GR-LAPTOP-23$
NAS-IP-Address = 192.168.3.48
NAS-Identifier = GR-ISAP-01
Client-Friendly-Name = gr-isap
Client-IP-Address = 192.168.3.48
NAS-Port-Type = 19
NAS-Port = 477
Policy-Name = Wireless Access Policy
Authentication-Type = EAP
EAP-Type = Smart Card or other Certificate
Post by Wayne Tilton
Post by Phil
I have all Windows 2000 server and Windows 2000 clients running sp4
with Cisco 1100 access points. I have an internal certificate server
and pushing out machine certs via GPO and user certs manually imported
from the web page.
Using IAS RADIUS server for authentication.
On the client I have Network Authentication set to WPA and Data
Encryption set to AUTO. On the Authentication Tab the EAP Method is
and do not have validate server certificate enabled. The Wireless
Configuration service is set to AUTOMATIC but status is blank, not
started. Once service is manually started the Authentication Tab in
the network connection is set to Smart Card or other Certificate and
the Authenticate as computer when computer information is available is
check marked.
For the IAS policy I have a wireless policy that contains a
WirelessAccess group that contains both users and computer accounts
from AD.
Before logon there is no network connection but after the user logs on
the connection is authenticated and brought up. In the RADIUS logs I
am getting the message of DOMAIN\comptuer.domain.com NO SUCH USER for
the computer authentication.
What am I doing wrong and how do I get the machine to connect to the
network, pull an IP address before the user logs on?
In order for machine authentication to work with EAP/TLS, the machine
certficate must contain the dnsHostName of the machine in the Subject
Alternate Name attribute of the certificate. The dnsHostName attribute
on the computer object in AD must match the Primary DNS Suffix configured
for the computer AND it must match the DNS domain of AD. So, if your AD
domain is named 'mycompany.com' and your computer is named 'mycomputer',
the Primary DNS Suffix on the computer must be set to 'mycompany.com' AND
the dnsHostName attribute on the computer object in AD must be
'mycomputer.mycompany.com'.
HTH,
Wayne Tilton
Wayne Tilton
2005-02-01 18:40:30 UTC
Permalink
"=?Utf-8?B?UGhpbA==?=" <***@discussions.microsoft.com> wrote in news:6EC699B0-C8EB-4EE1-AB4D-***@microsoft.com:

What is the value of dnsHostName on the computer object? That is what IAS
uses to look up the computer account and when it works, the 'Fully-
Qualifed-User-Name' value in the event would be the canonical name of the
computer object (e.g. domain.com/Computers/GR-LAPTOP-23 or whereever the
computer object is located in your directory). Also, once you have the
Primary DNS Suffix set correctly on the computer and the dnsHostName
attribute matches, you need to request a new certificate.

I'm not positive, but you may also need to insure that the
servicePrincipalName on the computer object is set correctly. It should
contain two values:

HOST/GR-LAPTOP-23
HOST/gr-laptop.domain.com

The reason I say that is on a successful authentication, the 1st line of
the IAS message includes the servicePrincipalName of the computer.

HTH,

Wayne
Post by Phil
Set the DNS suffix on the laptop and tried again but had no luck.
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 1/28/2005
Time: 4:09:39 PM
User: N/A
Computer: GR-DATA
User gr-laptop-23.domain.com was denied access.
Fully-Qualified-User-Name = DOMAIN\gr-laptop-23.domain.com
NAS-IP-Address = 192.168.3.48
NAS-Identifier = GR-ISAP-01
Called-Station-Identifier = 0040.96a0.eb2d
Calling-Station-Identifier = 0090.4bb2.a8b6
Client-Friendly-Name = gr-isap
Client-IP-Address = 192.168.3.48
NAS-Port-Type = 19
NAS-Port = 500
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user does not exist.
Digging back in the event log it does look like it worked at one point
but I have no idea how. Here is the event log for the one time it
register ok. The odd thing I see is that it has user
host/computername where as the ones that don't work have only user
computername. ALso the FQDN is COMPUTERNAME$ where as the one that
does not work is the FQDN.
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 1/28/2005
Time: 3:47:58 PM
User: N/A
Computer: GR-DATA
User host/gr-laptop-23.domain.com was granted access.
Fully-Qualified-User-Name = DOMAIN\GR-LAPTOP-23$
NAS-IP-Address = 192.168.3.48
NAS-Identifier = GR-ISAP-01
Client-Friendly-Name = gr-isap
Client-IP-Address = 192.168.3.48
NAS-Port-Type = 19
NAS-Port = 477
Policy-Name = Wireless Access Policy
Authentication-Type = EAP
EAP-Type = Smart Card or other Certificate
Post by Wayne Tilton
Post by Phil
I have all Windows 2000 server and Windows 2000 clients running sp4
with Cisco 1100 access points. I have an internal certificate
server and pushing out machine certs via GPO and user certs
manually imported from the web page.
Using IAS RADIUS server for authentication.
On the client I have Network Authentication set to WPA and Data
Encryption set to AUTO. On the Authentication Tab the EAP Method
is TLS and the certificate is the user certificate
enabled. The Wireless Configuration service is set to AUTOMATIC
but status is blank, not started. Once service is manually started
the Authentication Tab in the network connection is set to Smart
Card or other Certificate and the Authenticate as computer when
computer information is available is check marked.
For the IAS policy I have a wireless policy that contains a
WirelessAccess group that contains both users and computer accounts
from AD.
Before logon there is no network connection but after the user logs
on the connection is authenticated and brought up. In the RADIUS
logs I am getting the message of DOMAIN\comptuer.domain.com NO SUCH
USER for the computer authentication.
What am I doing wrong and how do I get the machine to connect to
the network, pull an IP address before the user logs on?
In order for machine authentication to work with EAP/TLS, the machine
certficate must contain the dnsHostName of the machine in the Subject
Alternate Name attribute of the certificate. The dnsHostName
attribute on the computer object in AD must match the Primary DNS
Suffix configured for the computer AND it must match the DNS domain
of AD. So, if your AD domain is named 'mycompany.com' and your
computer is named 'mycomputer', the Primary DNS Suffix on the
computer must be set to 'mycompany.com' AND the dnsHostName attribute
on the computer object in AD must be 'mycomputer.mycompany.com'.
HTH,
Wayne Tilton
Phil
2005-02-02 16:51:03 UTC
Permalink
Wayne,

Thanks for all the help on this problem. I am just not seeing what I am
getting wrong.

Here is the info I can get for you on this machine.

The OU that this machine sits in Active Directory is:
Domain.com/GR/Computers/Managed-Laptop

Usind the LDP.exe tool I get this information on that laptop object
Post by Wayne Tilton
Dn: CN=GR-LAPTOP-23,OU=Managed-Laptop,OU=Computers,OU=GR,DC=domain,DC=com
1> canonicalName: domain.com/GR/Computers/Managed-Laptop/GR-LAPTOP-23;
1> cn: GR-LAPTOP-23;
1> distinguishedName:
CN=GR-LAPTOP-23,OU=Managed-Laptop,OU=Computers,OU=GR,DC=domain,DC=com;
5> objectClass: top; person; organizationalPerson; user; computer;
1> name: GR-LAPTOP-23;

run dsstore -macobj domain\gr-laptop-23$
Attribute : dNSHostName
gr-laptop-23.domain.com

Attribute : objectCategory
CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=com

Attribute : sAMAccountName
GR-LAPTOP-23$

Attribute : servicePrincipalName
HOST/GR-LAPTOP-23
HOST/gr-laptop-23.domain.com

Attribute : userAccountControl
4096

Group Memberships:
WirelessAccess
Domain Computers
Post by Wayne Tilton
What is the value of dnsHostName on the computer object? That is what IAS
uses to look up the computer account and when it works, the 'Fully-
Qualifed-User-Name' value in the event would be the canonical name of the
computer object (e.g. domain.com/Computers/GR-LAPTOP-23 or whereever the
computer object is located in your directory). Also, once you have the
Primary DNS Suffix set correctly on the computer and the dnsHostName
attribute matches, you need to request a new certificate.
I'm not positive, but you may also need to insure that the
servicePrincipalName on the computer object is set correctly. It should
HOST/GR-LAPTOP-23
HOST/gr-laptop.domain.com
The reason I say that is on a successful authentication, the 1st line of
the IAS message includes the servicePrincipalName of the computer.
HTH,
Wayne
Set the DNS suffix on the laptop and tried again but had no luck.
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 1/28/2005
Time: 4:09:39 PM
User: N/A
Computer: GR-DATA
User gr-laptop-23.domain.com was denied access.
Fully-Qualified-User-Name = DOMAIN\gr-laptop-23.domain.com
NAS-IP-Address = 192.168.3.48
NAS-Identifier = GR-ISAP-01
Called-Station-Identifier = 0040.96a0.eb2d
Calling-Station-Identifier = 0090.4bb2.a8b6
Client-Friendly-Name = gr-isap
Client-IP-Address = 192.168.3.48
NAS-Port-Type = 19
NAS-Port = 500
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user does not exist.
Digging back in the event log it does look like it worked at one point
but I have no idea how. Here is the event log for the one time it
register ok. The odd thing I see is that it has user
host/computername where as the ones that don't work have only user
computername. ALso the FQDN is COMPUTERNAME$ where as the one that
does not work is the FQDN.
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 1/28/2005
Time: 3:47:58 PM
User: N/A
Computer: GR-DATA
User host/gr-laptop-23.domain.com was granted access.
Fully-Qualified-User-Name = DOMAIN\GR-LAPTOP-23$
NAS-IP-Address = 192.168.3.48
NAS-Identifier = GR-ISAP-01
Client-Friendly-Name = gr-isap
Client-IP-Address = 192.168.3.48
NAS-Port-Type = 19
NAS-Port = 477
Policy-Name = Wireless Access Policy
Authentication-Type = EAP
EAP-Type = Smart Card or other Certificate
Post by Wayne Tilton
Post by Phil
I have all Windows 2000 server and Windows 2000 clients running sp4
with Cisco 1100 access points. I have an internal certificate
server and pushing out machine certs via GPO and user certs
manually imported from the web page.
Using IAS RADIUS server for authentication.
On the client I have Network Authentication set to WPA and Data
Encryption set to AUTO. On the Authentication Tab the EAP Method
is TLS and the certificate is the user certificate
enabled. The Wireless Configuration service is set to AUTOMATIC
but status is blank, not started. Once service is manually started
the Authentication Tab in the network connection is set to Smart
Card or other Certificate and the Authenticate as computer when
computer information is available is check marked.
For the IAS policy I have a wireless policy that contains a
WirelessAccess group that contains both users and computer accounts
from AD.
Before logon there is no network connection but after the user logs
on the connection is authenticated and brought up. In the RADIUS
logs I am getting the message of DOMAIN\comptuer.domain.com NO SUCH
USER for the computer authentication.
What am I doing wrong and how do I get the machine to connect to
the network, pull an IP address before the user logs on?
In order for machine authentication to work with EAP/TLS, the machine
certficate must contain the dnsHostName of the machine in the Subject
Alternate Name attribute of the certificate. The dnsHostName
attribute on the computer object in AD must match the Primary DNS
Suffix configured for the computer AND it must match the DNS domain
of AD. So, if your AD domain is named 'mycompany.com' and your
computer is named 'mycomputer', the Primary DNS Suffix on the
computer must be set to 'mycompany.com' AND the dnsHostName attribute
on the computer object in AD must be 'mycomputer.mycompany.com'.
HTH,
Wayne Tilton
Wayne Tilton
2005-02-02 21:35:36 UTC
Permalink
"=?Utf-8?B?UGhpbA==?=" <***@discussions.microsoft.com> wrote in news:75D6582A-2626-491F-8B31-***@microsoft.com:

First, do yourself (and me) a favor and go to www.joeware.net and pick up a
copy of Joe's free adfind command. It is a much more useful way to view
attributes. The command:

adfind -default -f samaccountname=gr-laptop-23$

Will dump all the attributes on the object in one command in a very
readable format.

Second, we need to see what is actually in the certificate you're trying to
use. If you open the certificate in the MMC, click on the Details tab and
then select Copy to file... button, you can export the cert to a disk file,
which you can then dump using:

certutil -dump whateveryoucalledit.cer

Post the results of the adfind and certutil commands and we may be able to
see what has gone wrong.

Wayne
Post by Phil
Wayne,
Thanks for all the help on this problem. I am just not seeing what I
am getting wrong.
Here is the info I can get for you on this machine.
Domain.com/GR/Computers/Managed-Laptop
Usind the LDP.exe tool I get this information on that laptop object
CN=GR-LAPTOP-23,OU=Managed-Laptop,OU=Computers,OU=GR,DC=domain,DC=com
CN=GR-LAPTOP-23,OU=Managed-Laptop,OU=Computers,OU=GR,DC=domain,DC=com;
5> objectClass: top; person; organizationalPerson; user;
computer; 1> name: GR-LAPTOP-23;
run dsstore -macobj domain\gr-laptop-23$
Attribute : dNSHostName
gr-laptop-23.domain.com
Attribute : objectCategory
CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=com
Attribute : sAMAccountName
GR-LAPTOP-23$
Attribute : servicePrincipalName
HOST/GR-LAPTOP-23
HOST/gr-laptop-23.domain.com
Attribute : userAccountControl
4096
WirelessAccess
Domain Computers
Phil
2005-02-02 22:31:03 UTC
Permalink
OK here is the results of adfind::

Using server: GR-DATA.domain.com
Directory: Windows 2000
Base DN: DC=domain,DC=com

dn:CN=GR-LAPTOP-23,OU=Managed-Laptop,OU=Computers,OU=GR,DC=domain,DC=com
memberOf: CN=WirelessAccess,OU=Groups,DC=domain,DC=com
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: GR-LAPTOP-23
countryCode: 0
displayName: GR-LAPTOP-23$
dNSHostName: gr-laptop-23.domain.com
instanceType: 4
isCriticalSystemObject: FALSE
lastLogoff: 0
lastLogon: 127518516769952079
logonCount: 28
netbootGUID: {4C4C4544-0053-5010-8032-B2C04F333331}
netbootInitialization: \\GR-DATA\REMINST\Setup\English\IMAGES\WIN2000_SP4.PRO
distinguishedName: CN=GR-LAPTOP-23,OU=Managed-Laptop,OU=Computers,OU=GR,DC=domain,DC=com
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
objectGUID: {A3AC9949-6D2B-47EE-AC1F-CE0FB3AE5BFE}
objectSid: S-1-5-21-54814608-1071128794-317593308-2764
operatingSystem: Windows 2000 Professional
operatingSystemServicePack: Service Pack 4
operatingSystemVersion: 5.0 (2195)
primaryGroupID: 515
pwdLastSet: 127495969246250000
name: GR-LAPTOP-23
sAMAccountName: GR-LAPTOP-23$
sAMAccountType: 805306369
servicePrincipalName: HOST/GR-LAPTOP-23
servicePrincipalName: HOST/gr-laptop-23.domain.com
userAccountControl: 4096
uSNChanged: 1444267
uSNCreated: 1200102
whenChanged: 20050127200635.0Z
whenCreated: 20041117153917.0Z
userCertificate: 3082 0611 3082 05BB A003 0201 0202 0A75 E105 0400 0000 0000 5030 0D06 092A 8648 86F7 0D01 0105 0500 3081 AA31 2B30 2906 092A 8648 86F7 0D01 0901 161C 6164 6D69 6E69 7374 7261 746F 7240 6164 7661 6E63 6570 6B67 2E63 6F6D 310B 3009 0603 5504 0613 0255 5331 0B30 0906 0355 0408 1302 4D49 3115 3013 0603 5504 0713 0C47 7261 6E64 2052 6170 6964 7331 2630 2406 0355 040A 131D 4164 7661 6E63 6520 5061 636B 6167 696E 6720 436F 7270 6F72 6174 696F 6E31 2230 2006 0355 0403 1319 4150 4320 4365 7274 6966 6963 6174 6520 4175 7468 6F72 6974 7930 1E17 0D30 3530 3132 3731 3632 3735 385A 170D 3036 3031 3237 3136 3237 3538 5A30 2631 2430 2206 0355 0403 131B 6772 2D6C 6170 746F 702D 3233 2E61 6476 616E 6365 706B 672E 636F 6D30 819F 300D 0609 2A86 4886 F70D 0101 0105 0003 818D 0030 8189 0281 8100 C914 9712 017C 1997 E102 40E9 03C9 C55D 1AC0 7019 BDD7 B596 35EB 9C75 3622 9D14 643D 3B96 E711 A80E BC5C 5535 A441 C933 AD6C A4F2 3A78 48E1 AB39 FFE3 3113 6562 28F3 792F C719 68DC 2740 47BA
32A1 A925 D5D6 C0AF AC7A 2371 D6E2 76C0 8986 8A7B 0666 78A6 F5EF 4807 024C 3AA1 2097 771D D5B2 BD29 3DE2 180C 4CFE 9CA3 A394 EC29 0203 0100 01A3 8204 0030 8203 FC30 0B06 0355 1D0F 0404 0302 05A0 301D 0603 551D 2504 1630 1406 082B 0601 0505 0703 0206 082B 0601 0505 0703 0130 1D06 092B 0601 0401 8237 1402 0410 1E0E 004D 0061 0063 0068 0069 006E 0065 301D 0603 551D 0E04 1604 145E A324 516A 4703 3DC9 8BFD 05EC 5B77 221F 3E9E 7630 81E6 0603 551D 2304 81DE 3081 DB80 1416 5D1D F92B F66A 0B48 3516 4E90 C69B 5F39 D46A B9A1 81B0 A481 AD30 81AA 312B 3029 0609 2A86 4886 F70D 0109 0116 1C61 646D 696E 6973 7472 6174 6F72 4061 6476 616E 6365 706B 672E 636F 6D31 0B30 0906 0355 0406 1302 5553 310B 3009 0603 5504 0813 024D 4931 1530 1306 0355 0407 130C 4772 616E 6420 5261 7069 6473 3126 3024 0603 5504 0A13 1D41 6476 616E 6365 2050 6163 6B61 6769 6E67 2043 6F72 706F 7261 7469 6F6E 3122 3020 0603 5504 0313 1941 5043 2043 6572 7469 6669 6361 7465 2041 7574 686F 7269 7479 8210 06C0 2A9B 0FB7 098C 4F60
F00C E04B 024F 3082 0134 0603 551D 1F04 8201 2B30 8201 2730 81D1 A081 CEA0 81CB 8681 C86C 6461 703A 2F2F 2F43 4E3D 4150 4325 3230 4365 7274 6966 6963 6174 6525 3230 4175 7468 6F72 6974 792C 434E 3D67 722D 656D 6169 6C2C 434E 3D43 4450 2C43 4E3D 5075 626C 6963 2532 304B 6579 2532 3053 6572 7669 6365 732C 434E 3D53 6572 7669 6365 732C 434E 3D43 6F6E 6669 6775 7261 7469 6F6E 2C44 433D 6164 7661 6E63 6570 6B67 2C44 433D 636F 6D3F 6365 7274 6966 6963 6174 6552 6576 6F63 6174 696F 6E4C 6973 743F 6261 7365 3F6F 626A 6563 7463 6C61 7373 3D63 524C 4469 7374 7269 6275 7469 6F6E 506F 696E 7430 51A0 4FA0 4D86 4B68 7474 703A 2F2F 6772 2D65 6D61 696C 2E61 6476 616E 6365 706B 672E 636F 6D2F 4365 7274 456E 726F 6C6C 2F41 5043 2532 3043 6572 7469 6669 6361 7465 2532 3041 7574 686F 7269 7479 2E63 726C 3082 0145 0608 2B06 0105 0507 0101 0482 0137 3082 0133 3081 BF06 082B 0601 0505 0730 0286 81B2 6C64 6170 3A2F 2F2F 434E 3D41 5043 2532 3043 6572 7469 6669 6361 7465 2532 3041 7574 686F 7269 7479 2C43
4E3D 4149 412C 434E 3D50 7562 6C69 6325 3230 4B65 7925 3230 5365 7276 6963 6573 2C43 4E3D 5365 7276 6963 6573 2C43 4E3D 436F 6E66 6967 7572 6174 696F 6E2C 4443 3D61 6476 616E 6365 706B 672C 4443 3D63 6F6D 3F63 4143 6572 7469 6669 6361 7465 3F62 6173 653F 6F62 6A65 6374 636C 6173 733D 6365 7274 6966 6963 6174 696F 6E41 7574 686F 7269 7479 306F 0608 2B06 0105 0507 3002 8663 6874 7470 3A2F 2F67 722D 656D 6169 6C2E 6164 7661 6E63 6570 6B67 2E63 6F6D 2F43 6572 7445 6E72 6F6C 6C2F 6772 2D65 6D61 696C 2E61 6476 616E 6365 706B 672E 636F 6D5F 4150 4325 3230 4365 7274 6966 6963 6174 6525 3230 4175 7468 6F72 6974 792E 6372 7430 2606 0355 1D11 041F 301D 821B 6772 2D6C 6170 746F 702D 3233 2E61 6476 616E 6365 706B 672E 636F 6D30 0D06 092A 8648 86F7 0D01 0105 0500 0341 001D 7C6B F6E1 A8E6 71DB 21CF B8EB C9AF 407E 9C9A 3096 40F9 3214 A5FE D482 F05D F9C9 5AD0 97E1 52ED A1BA 91B6 479E 4606 A579 3CB9 32EF 4FC1 45BC 9870 E3F8 DD58 DC
userCertificate: 3082 0611 3082 05BB A003 0201 0202 0A24 8E62 0800 0000 0000 4130 0D06 092A 8648 86F7 0D01 0105 0500 3081 AA31 2B30 2906 092A 8648 86F7 0D01 0901 161C 6164 6D69 6E69 7374 7261 746F 7240 6164 7661 6E63 6570 6B67 2E63 6F6D 310B 3009 0603 5504 0613 0255 5331 0B30 0906 0355 0408 1302 4D49 3115 3013 0603 5504 0713 0C47 7261 6E64 2052 6170 6964 7331 2630 2406 0355 040A 131D 4164 7661 6E63 6520 5061 636B 6167 696E 6720 436F 7270 6F72 6174 696F 6E31 2230 2006 0355 0403 1319 4150 4320 4365 7274 6966 6963 6174 6520 4175 7468 6F72 6974 7930 1E17 0D30 3431 3132 3332 3133 3630 345A 170D 3035 3131 3233 3231 3336 3034 5A30 2631 2430 2206 0355 0403 131B 6772 2D6C 6170 746F 702D 3233 2E61 6476 616E 6365 706B 672E 636F 6D30 819F 300D 0609 2A86 4886 F70D 0101 0105 0003 818D 0030 8189 0281 8100 C765 6FF5 070F B01C 1877 55EF 5498 1624 42A7 227A 3178 96E1 D507 BFA3 0EE3 560E A0DB 5F28 B8C2 1480 D2B2 E397 5421 3130 2A33 B151 3F0C 516D 3B75 2C5E CE97 946D 480F 1700 0624 5D96 6082 3373
CA11 67F0 6627 98F5 E685 2B1F 3618 6A1D E8DF 8DB4 5120 4C21 E9C5 2858 25C5 E316 E0AE 2C62 A87D 0D8E 5920 957C BE74 A584 3D2A C7A9 0203 0100 01A3 8204 0030 8203 FC30 0B06 0355 1D0F 0404 0302 05A0 301D 0603 551D 2504 1630 1406 082B 0601 0505 0703 0206 082B 0601 0505 0703 0130 1D06 092B 0601 0401 8237 1402 0410 1E0E 004D 0061 0063 0068 0069 006E 0065 301D 0603 551D 0E04 1604 147B B0E8 49BA FDB8 23E9 7924 4F39 20FE A732 C055 D630 81E6 0603 551D 2304 81DE 3081 DB80 1416 5D1D F92B F66A 0B48 3516 4E90 C69B 5F39 D46A B9A1 81B0 A481 AD30 81AA 312B 3029 0609 2A86 4886 F70D 0109 0116 1C61 646D 696E 6973 7472 6174 6F72 4061 6476 616E 6365 706B 672E 636F 6D31 0B30 0906 0355 0406 1302 5553 310B 3009 0603 5504 0813 024D 4931 1530 1306 0355 0407 130C 4772 616E 6420 5261 7069 6473 3126 3024 0603 5504 0A13 1D41 6476 616E 6365 2050 6163 6B61 6769 6E67 2043 6F72 706F 7261 7469 6F6E 3122 3020 0603 5504 0313 1941 5043 2043 6572 7469 6669 6361 7465 2041 7574 686F 7269 7479 8210 06C0 2A9B 0FB7 098C 4F60
F00C E04B 024F 3082 0134 0603 551D 1F04 8201 2B30 8201 2730 81D1 A081 CEA0 81CB 8681 C86C 6461 703A 2F2F 2F43 4E3D 4150 4325 3230 4365 7274 6966 6963 6174 6525 3230 4175 7468 6F72 6974 792C 434E 3D67 722D 656D 6169 6C2C 434E 3D43 4450 2C43 4E3D 5075 626C 6963 2532 304B 6579 2532 3053 6572 7669 6365 732C 434E 3D53 6572 7669 6365 732C 434E 3D43 6F6E 6669 6775 7261 7469 6F6E 2C44 433D 6164 7661 6E63 6570 6B67 2C44 433D 636F 6D3F 6365 7274 6966 6963 6174 6552 6576 6F63 6174 696F 6E4C 6973 743F 6261 7365 3F6F 626A 6563 7463 6C61 7373 3D63 524C 4469 7374 7269 6275 7469 6F6E 506F 696E 7430 51A0 4FA0 4D86 4B68 7474 703A 2F2F 6772 2D65 6D61 696C 2E61 6476 616E 6365 706B 672E 636F 6D2F 4365 7274 456E 726F 6C6C 2F41 5043 2532 3043 6572 7469 6669 6361 7465 2532 3041 7574 686F 7269 7479 2E63 726C 3082 0145 0608 2B06 0105 0507 0101 0482 0137 3082 0133 3081 BF06 082B 0601 0505 0730 0286 81B2 6C64 6170 3A2F 2F2F 434E 3D41 5043 2532 3043 6572 7469 6669 6361 7465 2532 3041 7574 686F 7269 7479 2C43
4E3D 4149 412C 434E 3D50 7562 6C69 6325 3230 4B65 7925 3230 5365 7276 6963 6573 2C43 4E3D 5365 7276 6963 6573 2C43 4E3D 436F 6E66 6967 7572 6174 696F 6E2C 4443 3D61 6476 616E 6365 706B 672C 4443 3D63 6F6D 3F63 4143 6572 7469 6669 6361 7465 3F62 6173 653F 6F62 6A65 6374 636C 6173 733D 6365 7274 6966 6963 6174 696F 6E41 7574 686F 7269 7479 306F 0608 2B06 0105 0507 3002 8663 6874 7470 3A2F 2F67 722D 656D 6169 6C2E 6164 7661 6E63 6570 6B67 2E63 6F6D 2F43 6572 7445 6E72 6F6C 6C2F 6772 2D65 6D61 696C 2E61 6476 616E 6365 706B 672E 636F 6D5F 4150 4325 3230 4365 7274 6966 6963 6174 6525 3230 4175 7468 6F72 6974 792E 6372 7430 2606 0355 1D11 041F 301D 821B 6772 2D6C 6170 746F 702D 3233 2E61 6476 616E 6365 706B 672E 636F 6D30 0D06 092A 8648 86F7 0D01 0105 0500 0341 0054 0174 9E40 3762 CB5A 9E2D 4251 DCEC F324 D2AA B687 86CB 8F61 69EC 85DD BE84 F065 FA3A 84EC A53E CDD0 2977 FEAC EE6F 5B96 F033 7492 3199 E274 F798 53C4 067D 78


Here is the results of the certdump::
X509 Certificate:
Version: 3
Serial Number: 75e10504000000000050
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00 ..
Issuer:
CN=GR Certificate Authority
O=GR
L=Grand Rapids
S=MI
C=US
E=***@domain.com

NotBefore: 1/27/2005 11:27 AM
NotAfter: 1/27/2006 11:27 AM

Subject:
CN=gr-laptop-23.domain.com

Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters:
05 00 ..
Public Key: UnusedBits = 0
0000 30 81 89 02 81 81 00 c9 14 97 12 01 7c 19 97 e1 0...........|...
0010 02 40 e9 03 c9 c5 5d 1a c0 70 19 bd d7 b5 96 35 ***@....]..p.....5
0020 eb 9c 75 36 22 9d 14 64 3d 3b 96 e7 11 a8 0e bc ..u6"..d=;......
0030 5c 55 35 a4 41 c9 33 ad 6c a4 f2 3a 78 48 e1 ab \U5.A.3.l..:xH..
0040 39 ff e3 31 13 65 62 28 f3 79 2f c7 19 68 dc 27 9..1.eb(.y/..h.'
0050 40 47 ba 32 a1 a9 25 d5 d6 c0 af ac 7a 23 71 d6 @G.2..%.....z#q.
0060 e2 76 c0 89 86 8a 7b 06 66 78 a6 f5 ef 48 07 02 .v....{.fx...H..
0070 4c 3a a1 20 97 77 1d d5 b2 bd 29 3d e2 18 0c 4c L:. .w....)=...L
0080 fe 9c a3 a3 94 ec 29 02 03 01 00 01 ......).....
Certificate Extensions: 8
2.5.29.15: Flags = 0, Length = 4
Key Usage
Digital Signature, Key Encipherment(a0)

2.5.29.37: Flags = 0, Length = 16
Enhanced Key Usage
Client Authentication(1.3.6.1.5.5.7.3.2)
Server Authentication(1.3.6.1.5.5.7.3.1)

1.3.6.1.4.1.311.20.2: Flags = 0, Length = 10
Certificate Template
Machine

2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
5e a3 24 51 6a 47 03 3d c9 8b fd 05 ec 5b 77 22 1f 3e 9e 76

2.5.29.35: Flags = 0, Length = de
Authority Key Identifier
KeyID=16 5d 1d f9 2b f6 6a 0b 48 35 16 4e 90 c6 9b 5f 39 d4 6a b9
Certificate Issuer:
Directory Address:
CN=GR Certificate Authority
O=GR
L=Grand Rapids
S=MI
C=US
E=***@domain.com
Certificate SerialNumber=06 c0 2a 9b 0f b7 09 8c 4f 60 f0 0c e0 4b
02 4f

2.5.29.31: Flags = 0, Length = 12b
CRL Distribution Points
[1]CRL Distribution Point
Distribution Point Name:
Full Name:

URL=ldap:///CN=GR%20Certificate%20Authority,CN=gr-email,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
[2]CRL Distribution Point
Distribution Point Name:
Full Name:

URL=http://gr-email.domain.com/CertEnroll/GR%20Certificate%20Authority.crl

1.3.6.1.5.5.7.1.1: Flags = 0, Length = 137
Authority Information Access
[1]Authority Info Access
Access Method=Certification Authority Issuer(1.3.6.1.5.5.7.48.2)
Alternative Name:

URL=ldap:///CN=GR%20Certificate%20Authority,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com?cACertificate?base?objectclass=certificationAuthority
[2]Authority Info Access
Access Method=Certification Authority Issuer(1.3.6.1.5.5.7.48.2)
Alternative Name:

URL=http://gr-email.domain.com/CertEnroll/gr-email.domain.com_GR%20Certificate%20Authority.crt

2.5.29.17: Flags = 0, Length = 1f
Subject Alternative Name
DNS Name=gr-laptop-23.domain.com

Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00 ..
Signature: UnusedBits=0
0000 dc 58 dd f8 e3 70 98 bc 45 c1 4f ef 32 b9 3c 79 .X...p..E.O.2.<y
0010 a5 06 46 9e 47 b6 91 ba a1 ed 52 e1 97 d0 5a c9 ..F.G.....R...Z.
0020 f9 5d f0 82 d4 fe a5 14 32 f9 40 96 30 9a 9c 7e .]***@.0..~
0030 40 af c9 eb b8 cf 21 db 71 e6 a8 e1 f6 6b 7c 1d @.....!.q....k|.
Non-root Certificate
Cert Hash(md5): 5a a0 5c 0d 0f d0 25 11 a0 56 c3 33 f0 1c bd 66
Cert Hash(sha1): b4 86 22 0a 7a d7 a8 55 cc 8c 77 7b 62 4a 20 ae c8 27 a2 21
First, do yourself (and me) a favor and go to www.joeware.net and pick up a
copy of Joe's free adfind command. It is a much more useful way to view
adfind -default -f samaccountname=gr-laptop-23$
Will dump all the attributes on the object in one command in a very
readable format.
Second, we need to see what is actually in the certificate you're trying to
use. If you open the certificate in the MMC, click on the Details tab and
then select Copy to file... button, you can export the cert to a disk file,
certutil -dump whateveryoucalledit.cer
Post the results of the adfind and certutil commands and we may be able to
see what has gone wrong.
Wayne
Post by Phil
Wayne,
Thanks for all the help on this problem. I am just not seeing what I
am getting wrong.
Here is the info I can get for you on this machine.
Domain.com/GR/Computers/Managed-Laptop
Usind the LDP.exe tool I get this information on that laptop object
CN=GR-LAPTOP-23,OU=Managed-Laptop,OU=Computers,OU=GR,DC=domain,DC=com
CN=GR-LAPTOP-23,OU=Managed-Laptop,OU=Computers,OU=GR,DC=domain,DC=com;
5> objectClass: top; person; organizationalPerson; user;
computer; 1> name: GR-LAPTOP-23;
run dsstore -macobj domain\gr-laptop-23$
Attribute : dNSHostName
gr-laptop-23.domain.com
Attribute : objectCategory
CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=com
Attribute : sAMAccountName
GR-LAPTOP-23$
Attribute : servicePrincipalName
HOST/GR-LAPTOP-23
HOST/gr-laptop-23.domain.com
Attribute : userAccountControl
4096
WirelessAccess
Domain Computers
Wayne Tilton
2005-02-03 00:06:10 UTC
Permalink
"=?Utf-8?B?UGhpbA==?=" <***@discussions.microsoft.com> wrote in news:03645F7D-7DD4-4486-A804-***@microsoft.com:

All that appears to be correct. The computer object has the proper
dnsHostName attribute, which matches the subject alternatative name, and
the servicePrincipalName is what I would expect for a normal domain member.

It looks like you have issued two certificates to the machine. If they are
still in the local machine store I would recommend removing the one you
didn't dump if it is still there.

Did you authorize the IAS server in AD? It needs to be able to read
properties of the objects and needs to be in the "RAS and IAS Servers"
group to do that. If you haven't done that, you can add the server to the
group manually or using the IAS MMC to do it. You need to reboot to have
it pick up the new group membership.

If that isn't the problem, you're going to need to enable RAS tracing:

netsh ras set tracing * en

That will generate logs in the %SystemRoot%\Tracing directory. The IASSAM
and RASTLS logs may hold the clue.

Wayne
Phil
2005-02-03 13:31:04 UTC
Permalink
There are two certificates on the client machine. One is a computer
certificate distributed via GPO in the domain. The other that I did not dump
is the user certificate. The problem I am having is that the machine is
unable to bring up a wireless connection with its authentication but once a
user has logged in it uses the user certificate to create a wireless
connection. The problem is that this is too late in the game and the logon
scripts will not run at this point.

The server being used as the certificate server was not part of the RAS and
IAS servers group and has since been added. I am unsure how the user portion
works and the machine portion does not if it is a mater of the certificate
server needing to be part of that group. I will have to wait to reboot the
server as it is performing other duties also and cannot go down during
production.

Once again Wayne thanks for all the info and help. You have helped me get a
deeper knowledge about what I am doing.
Post by Wayne Tilton
All that appears to be correct. The computer object has the proper
dnsHostName attribute, which matches the subject alternatative name, and
the servicePrincipalName is what I would expect for a normal domain member.
It looks like you have issued two certificates to the machine. If they are
still in the local machine store I would recommend removing the one you
didn't dump if it is still there.
Did you authorize the IAS server in AD? It needs to be able to read
properties of the objects and needs to be in the "RAS and IAS Servers"
group to do that. If you haven't done that, you can add the server to the
group manually or using the IAS MMC to do it. You need to reboot to have
it pick up the new group membership.
netsh ras set tracing * en
That will generate logs in the %SystemRoot%\Tracing directory. The IASSAM
and RASTLS logs may hold the clue.
Wayne
Phil
2005-02-11 16:49:02 UTC
Permalink
This is what I get now after adding the certificate server to the RAS and IAS
Servers group. On the client it acts as if it is going to connect and in the
log it appears it is going to connect with 10 connections in 30 seconds.

Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 2/10/2005
Time: 5:11:10 PM
User: N/A
Computer: GR-DATA
Description:
User host/gr-laptop-23.advancepkg.com was granted access.
Fully-Qualified-User-Name = DOMAIN\GR-LAPTOP-23$
NAS-IP-Address = 192.168.3.52
NAS-Identifier = GR-ISAP-01
Client-Friendly-Name = gr-isap
Client-IP-Address = 192.168.3.52
NAS-Port-Type = 19
NAS-Port = 265
Policy-Name = Wireless Access Policy
Authentication-Type = EAP
EAP-Type = Smart Card or other Certificate

Then I get 5 errors in the next 30 seconds and the client is disconnected
and sits idle

Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 3
Date: 2/10/2005
Time: 5:11:24 PM
User: N/A
Computer: GR-DATA
Description:
Access request for user host/gr-laptop-23.domain.com was discarded.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 192.168.3.52
NAS-Identifier = GR-ISAP-01
Called-Station-Identifier = 0040.96a0.eb2d
Calling-Station-Identifier = 0090.4bb2.a8b6
Client-Friendly-Name = gr-isap
Client-IP-Address = 192.168.3.52
NAS-Port-Type = 19
NAS-Port = 267
Reason-Code = 3
Reason = The request was malformed.
Post by Phil
There are two certificates on the client machine. One is a computer
certificate distributed via GPO in the domain. The other that I did not dump
is the user certificate. The problem I am having is that the machine is
unable to bring up a wireless connection with its authentication but once a
user has logged in it uses the user certificate to create a wireless
connection. The problem is that this is too late in the game and the logon
scripts will not run at this point.
The server being used as the certificate server was not part of the RAS and
IAS servers group and has since been added. I am unsure how the user portion
works and the machine portion does not if it is a mater of the certificate
server needing to be part of that group. I will have to wait to reboot the
server as it is performing other duties also and cannot go down during
production.
Once again Wayne thanks for all the info and help. You have helped me get a
deeper knowledge about what I am doing.
Post by Wayne Tilton
All that appears to be correct. The computer object has the proper
dnsHostName attribute, which matches the subject alternatative name, and
the servicePrincipalName is what I would expect for a normal domain member.
It looks like you have issued two certificates to the machine. If they are
still in the local machine store I would recommend removing the one you
didn't dump if it is still there.
Did you authorize the IAS server in AD? It needs to be able to read
properties of the objects and needs to be in the "RAS and IAS Servers"
group to do that. If you haven't done that, you can add the server to the
group manually or using the IAS MMC to do it. You need to reboot to have
it pick up the new group membership.
netsh ras set tracing * en
That will generate logs in the %SystemRoot%\Tracing directory. The IASSAM
and RASTLS logs may hold the clue.
Wayne
Tmccabe
2005-01-31 13:51:04 UTC
Permalink
How do you get the machine names in the group without having to do one at a
time. I have a couple hundred laptops
Post by Phil
I have all Windows 2000 server and Windows 2000 clients running sp4 with
Cisco 1100 access points. I have an internal certificate server and pushing
out machine certs via GPO and user certs manually imported from the web page.
Using IAS RADIUS server for authentication.
On the client I have Network Authentication set to WPA and Data Encryption
set to AUTO. On the Authentication Tab the EAP Method is TLS and the
validate server certificate enabled. The Wireless Configuration service is
set to AUTOMATIC but status is blank, not started. Once service is manually
started the Authentication Tab in the network connection is set to Smart Card
or other Certificate and the Authenticate as computer when computer
information is available is check marked.
For the IAS policy I have a wireless policy that contains a WirelessAccess
group that contains both users and computer accounts from AD.
Before logon there is no network connection but after the user logs on the
connection is authenticated and brought up. In the RADIUS logs I am getting
the message of DOMAIN\comptuer.domain.com NO SUCH USER for the computer
authentication.
What am I doing wrong and how do I get the machine to connect to the
network, pull an IP address before the user logs on?
Phil
2005-01-31 14:57:03 UTC
Permalink
In AD open your specified wireless group.
Go to the Members Tab.
Click ADD.
For the Look in make sure it is your domain.
Select all the machines you want to be in this group and when finished
picking the machines click the add button.
Post by Tmccabe
How do you get the machine names in the group without having to do one at a
time. I have a couple hundred laptops
Post by Phil
I have all Windows 2000 server and Windows 2000 clients running sp4 with
Cisco 1100 access points. I have an internal certificate server and pushing
out machine certs via GPO and user certs manually imported from the web page.
Using IAS RADIUS server for authentication.
On the client I have Network Authentication set to WPA and Data Encryption
set to AUTO. On the Authentication Tab the EAP Method is TLS and the
validate server certificate enabled. The Wireless Configuration service is
set to AUTOMATIC but status is blank, not started. Once service is manually
started the Authentication Tab in the network connection is set to Smart Card
or other Certificate and the Authenticate as computer when computer
information is available is check marked.
For the IAS policy I have a wireless policy that contains a WirelessAccess
group that contains both users and computer accounts from AD.
Before logon there is no network connection but after the user logs on the
connection is authenticated and brought up. In the RADIUS logs I am getting
the message of DOMAIN\comptuer.domain.com NO SUCH USER for the computer
authentication.
What am I doing wrong and how do I get the machine to connect to the
network, pull an IP address before the user logs on?
Tmccabe
2005-01-31 15:03:02 UTC
Permalink
yea-I was looking for a fast way to add 200 laptops-I found a way-thanks for
your help
Post by Phil
In AD open your specified wireless group.
Go to the Members Tab.
Click ADD.
For the Look in make sure it is your domain.
Select all the machines you want to be in this group and when finished
picking the machines click the add button.
Post by Tmccabe
How do you get the machine names in the group without having to do one at a
time. I have a couple hundred laptops
Post by Phil
I have all Windows 2000 server and Windows 2000 clients running sp4 with
Cisco 1100 access points. I have an internal certificate server and pushing
out machine certs via GPO and user certs manually imported from the web page.
Using IAS RADIUS server for authentication.
On the client I have Network Authentication set to WPA and Data Encryption
set to AUTO. On the Authentication Tab the EAP Method is TLS and the
validate server certificate enabled. The Wireless Configuration service is
set to AUTOMATIC but status is blank, not started. Once service is manually
started the Authentication Tab in the network connection is set to Smart Card
or other Certificate and the Authenticate as computer when computer
information is available is check marked.
For the IAS policy I have a wireless policy that contains a WirelessAccess
group that contains both users and computer accounts from AD.
Before logon there is no network connection but after the user logs on the
connection is authenticated and brought up. In the RADIUS logs I am getting
the message of DOMAIN\comptuer.domain.com NO SUCH USER for the computer
authentication.
What am I doing wrong and how do I get the machine to connect to the
network, pull an IP address before the user logs on?
Loading...