Points to Note When Using the WXR100, WX1200, WX4400, or WX2200


| Feature | Scenario Requiring Computer Authentication |
|---|---|
| Active Directory computer Group Policy | Computer-based Group Policy is applied during computer startup and at timed intervals, even when no one is logged in to Windows. |
| Network logon scripts | Network logon scripts are run during initial user login. |
| Systems management agents | Systems management application agents such as those that come with Microsoft Systems Management Server (SMS) frequently need network access without user intervention. |
| Remote Desktop Connection | Computers are accessible from Windows Remote Desktop Connection when no one is logged in to Windows. |
| Shared folders | Files and folders shared from a computer are still available, even when no user is logged in. |

Configuring computer authentication on the client is simple, though it requires the use of the Microsoft 802.1X client built into Windows XP and Windows 2000. Keep the following information in mind when configuring computer authentication on Microsoft clients:

To enable computer authentication, go to the Authentication tab where you normally select your 802.1X authentication method and enable the checkbox labeled Authenticate as computer when computer information is available.

The authentication protocol that is configured for your user accounts will also be used for the computer account.

If the EAP protocol you are using requires client certificates, you must use the Microsoft Enterprise Certificate Authority built into Windows 2000 Server and Windows Server 2003 to generate computer certificates for PCs on your Active Directory domain. Microsoft Knowledgebase Article KB313407 explains how to enable the automatic distribution of computer certificates through Active Directory.

If the user and machine accounts use different VLANs, you must install hotfixes on the client PCs to enable them to request a new IP address through DHCP when the user authenticates. Windows XP requires either the WPA Rollup Hotfix (KB826942) or Hotfix KB822596. Windows 2000 requires Hotfix KB822596.

Using PEAP-MS-CHAP-V2 with computer authentication allows users who have never logged on to a PC to authenticate wirelessly without having to log in to the PC over a wired connection the first time. EAP-TLS still requires the user to connect to the network over a wired connection to generate a profile on the PC and a user certificate.

Enabling computer authentication also requires minor reconfiguration of Active Directory and IAS. Note the following when configuring computer authentication on an Active Directory domain:

You must grant dial-in access for the computer accounts in Active Directory that you wish to enable computer authentication on. If the tab to configure dial-in access does not appear, follow the directions in Microsoft Knowledgebase article KB306260.

Review your remote access policies in IAS to ensure that the computer accounts have the appropriate group membership to match the proper policy.
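
One way to check both Active Directory prerequisites above in bulk is to audit an LDIF export of the computer accounts. This is an added example, not part of the original guide: the group name, the domain and the sample records are constructed, and treating an unset msNPAllowDialin attribute as "not granted" is an assumption.

```python
# Added example: audit an LDIF export of computer accounts. All names and records are constructed.
REQUIRED_GROUP = "CN=Wireless Computers,OU=Groups,DC=example,DC=com"  # hypothetical group

SAMPLE_LDIF = """\
dn: CN=PC01,CN=Computers,DC=example,DC=com
msNPAllowDialin: TRUE
memberOf: CN=Wireless Computers,OU=Groups,
 DC=example,DC=com

dn: CN=PC02,CN=Computers,DC=example,DC=com
memberOf: CN=Wireless Computers,OU=Groups,DC=example,DC=com

dn: CN=PC03,CN=Computers,DC=example,DC=com
msNPAllowDialin: FALSE
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per blank-line-separated record."""
    records, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                records.append(current)
            current, last = {}, None
        elif line.startswith(" ") and last:
            current[last][-1] += line[1:]  # folded line: continues the previous value
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            current.setdefault(last, []).append(value.strip())
    return records

def audit(text, required_group=REQUIRED_GROUP):
    """Map each computer DN to the prerequisites it does not meet."""
    findings = {}
    for rec in parse_ldif(text):
        problems = []
        if rec.get("msnpallowdialin", [""])[0].upper() != "TRUE":
            problems.append("dial-in access not explicitly allowed")
        # Direct membership only; nested groups are not resolved here.
        if required_group.lower() not in [g.lower() for g in rec.get("memberof", [])]:
            problems.append("not in group matched by remote access policy")
        if problems:
            findings[rec["dn"][0]] = problems
    return findings

if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF).items():
        print(dn, "->", "; ".join(problems))
```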