The Novell Client 4.91 SP5 for Windows XP/2003 includes an Extensible Authentication Protocol (EAP) plug-in to the Microsoft Windows XP supplicant, which lets users authenticate through RADIUS to wireless access points and wired switches for added network security. Using FreeRADIUS as the RADIUS server, users can authenticate to their local machines, to eDirectory, and to 802.1X with the same set of credentials for a single sign-on experience.
When 802.1X authentication is enabled, the username and password entered in the Novell Login dialog box are first passed to the EAP plug-in module. An exchange of messages (PEAP/MSCHAPv2) between the Windows supplicant, the wireless access point/wired switch, and the RADIUS server allows network access if the correct credentials were entered. After the 802.1X authentication has succeeded, both the eDirectory and local logins take place just as they have in previous versions of the Novell Client. If the 802.1X authentication fails, no access to the network is given.
The 802.1X authentication feature supports both wired and wireless connections. Only password-based authentication is supported (the Novell Client 4.91 SP5 for Windows XP/2003 supports only PEAP with MSCHAPv2). Biometric (non-password-based) authentication types are not supported with this release. If you want certificate support, the Microsoft EAP plug-ins are sufficient and no Novell-specific EAP support is required.
The ability to browse for trees and servers in the Novell Login dialog box is not supported because the 802.1X port blocks all network access.
HINT: We recommend testing this functionality with user accounts that don't expire. There is a possibility that grace login messages won't display to users, which means that users might unknowingly exhaust their grace logins.
This configuration is intended for use only with the native 802.1X supplicant provided with Windows. We recommend that you install only the driver for your wireless adapter (that is, do not install other supplicants or utilities that come with wireless adapters), because such utilities often disable the wireless service in Windows. You should also make sure that the setting is always enabled (to do this, right-click the wireless connection).
Install a clean version of Windows XP Service Pack 2 (SP2).
Install the Windows WPA2 wireless patch, available from Update for Windows XP (KB893357).
This update to Windows XP provides support for Wi-Fi Protected Access 2 (WPA2), which is the latest standards-based wireless security solution derived from the IEEE 802.11i standard.
Install the Wireless LAN API patch, available from Wireless LAN API (KB918997).
Installing this set of application programming interfaces (APIs) lets you create applications that can manage wireless LAN profiles and connectivity on Microsoft Windows XP SP2 using the native wireless functionality in Windows, called Wireless Zero Configuration (WZC) service.
Make sure the option on the tab of your Local Area Connection Properties dialog box is selected.
Right-click the Red N in the system tray, then click.
In the Novell Client Configuration dialog box, click the tab.
Select in the box, then click.
Select in the drop-down list, then click.
Click the tab, then select.
You can also select any of the following options:
802.1X Authenticate on subsequent logins: Causes 802.1X authentication to take place when a user logs in from the Red N, even if he or she is already logged in to the Windows workstation. If the user is not logged in, 802.1X authentication takes place even if this option is not selected.
Append Domain name to User name: Prepends the user’s domain to the username when the username is submitted to 802.1X. The format is DomainName/username. Use this option if the RADIUS server expects the domain name to precede the username. This option is normally used when IAS/AD is the RADIUS backend.
NOTE: Contextless login runs after you click.
Reboot the workstation for the changes to take effect.
After it is enabled, an 802.1X tab appears in the Novell Login dialog box when you click the tab. Use the options on the tab (see Step 6) to control 802.1X authentication at login time.
IMPORTANT: For 802.1X to work correctly during the initial login, make sure that the option is selected on the tab of your Local Area Connection Properties dialog box.
If 802.1X authentication succeeds after the desktop is up and you log in from the Red N but fails on the initial boot login, check to see if the check box on the tab of your Local Area Connection Properties dialog box is selected. This option must be selected for the initial login to succeed.
If the authentication times out, check to see if the RADIUS server is getting queried for the authentication. Also check to make sure the check box on the tab on the Local Area Connection Properties dialog box is not selected.
If you think debug or trace logs will help, start Regedit and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing and enable tracing for Noveap. This causes Windows to create a Noveap.log file in the windows\tracing directory.
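As an alternative to editing the key in Regedit, the following batch script switches Noveap tracing on and off from an administrator command prompt. It is an added example, not part of the Novell documentation, and it assumes the Noveap key uses the standard Windows tracing value EnableFileTracing (REG_DWORD); the script name and its on/off argument are illustrative.

```bat
@echo off
rem Added example: toggle file tracing for the Noveap EAP plug-in.
rem Assumption: the Noveap key uses the standard Windows tracing value
rem EnableFileTracing (REG_DWORD), as other components under this key do.
setlocal
set KEY=HKLM\SOFTWARE\Microsoft\Tracing\Noveap

rem Confirm the component key exists first, so that a missing plug-in
rem does not result in a stray key that nothing reads.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo %KEY% not found. Check that the Novell Client EAP plug-in is installed.
    exit /b 1
)

if /i "%~1"=="on"  goto enable
if /i "%~1"=="off" goto disable
echo Usage: %~nx0 on^|off
exit /b 2

:enable
reg add "%KEY%" /v EnableFileTracing /t REG_DWORD /d 1 /f
echo Tracing enabled. Reproduce the failed login, then read %windir%\tracing\Noveap.log
exit /b 0

:disable
rem Turn tracing off again once the log has been captured.
reg add "%KEY%" /v EnableFileTracing /t REG_DWORD /d 0 /f
echo Tracing disabled.
exit /b 0
```

Because the trace records authentication activity, switch tracing off after the failing login has been captured and store the log file where only administrators can read it.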
Utilities installed with many NIC cards can cause odd behavior. Make sure the user has only installed the drivers for the NIC card and none of the other utilities.
If you still cannot get 802.1X to work, remove the Novell Client and try to get the Microsoft authentication working first. Pre-desktop authentication will not likely work in this case, but after the desktop is up, Microsoft uses the Windows username and password for 802.1X authentication.
For this to work, the username and password for Windows must match the username and password in eDirectory. There are many resources on the Web that can help you troubleshoot wireless access on Windows XP, including the following:
After you have wireless authentication working without the Novell Client, install the Client and enable the Client’s 802.1X authentication.
For more information on 802.1X, see the following: