LSU has implemented a Protected Extensible Authentication Protocol (PEAP) authentication scheme for its wireless network. Utilizing PEAP provides increased security by allowing password-based authentication to the LSU wireless network over an encrypted channel. LSU’s PEAP solution provides two methods of authentication: single sign on (SSO) and PAWS authentication. This document details the requirements for utilizing the SSO method and describes the options for users that chose not to utilize it.
Single sign on to the wireless network requires that computers be members of LSU’s Active Directory (the forest named lsu.edu). This technical requirement exists because the Windows EAP supplicant authenticates to the network with the computer’s account. For the computer to have an account for this pass through authentication, it must be joined to the lsu.edu forest. Computers that are not members of this forest, either because they are standalone, or joined to other forests, will not be able to utilize the SSO functionality. While other potential technical options exist, such as Active Directory trusts and RADIUS proxies, they increase the management costs of the network and expose it to greater security risks.
For organizations that chose not to participate in LSU’s Active Directory, wireless access is still provided, but the authentication process is different. Rather than the authentication occurring without user interaction (as it does in the SSO method), users who are not part of LSU’s Active Directory will need to manually authenticate to the network with their PAWS account. When using this method, Windows will prompt a wireless user for their PAWS credentials when they initially join the network. Windows will then store these credentials until the user changes their PAWS password, at which point they will be prompted to again enter their credentials (and Windows will again store them). After the credentials have been entered and cached, the authentication process occurs automatically without further user intervention.
Users whose computers are joined to Active Directory forests other than lsu.edu will authenticate using the PAWS method. Because Windows caches their Active Directory credentials, they will be able to log on to their notebooks using these credentials even if they have not yet authenticated to the wireless network. After logging in, they will be prompted to authenticate to the wireless network, at which point the process described in the previous paragraph begins. It should be noted that users must authenticate to their organization’s Active Directory over a wired connection at least once before their credentials will be cached by Windows. Subsequently, these cached credentials can be used regardless of network connectivity state.
Any questions about the SSO options for LSU’s wireless network should be directed to the IT Security & Policy office.