2 Networks, 1 Cable Modem? Domain Login + Wireless. Please help!

intekra

MIS
Dec 22, 2004
2
Ok, first off, I'm working in a 2 story building.

Offices on 1st and 2nd Floor want to share the internet connection coming in on the 2nd floor. Without spending $1000's, how can I get the two separate networks to share the one connection? Here is a diagram that shows what I believe _should_ work:

Code:
            WWW
             |   
             |   
        Wired Router*
      |              |
      |              |
 Wireless AP1**  Wireless AP2***
      /               \
      \               /
    --+--           --+--
    LAN1             LAN2
   domain          workgroup

* Linksys 4 Port Wired Router - Port Diagram:
    • WAN: WWW connected to WAN
    • P1: Wireless AP1 Connected to Lan Port 1
    • P2: Wireless AP1 Connected to Lan Port 2
    • P3: Not connected
    • P4: Not Connected
(Gets IP from ISP)

** Linksys Wireless G Access Point 1 
    • Wired Router Plugged into LAN port?
    • LAN1 Wirelessly connected

*** Linksys Wireless G Access Point 2 
    • Wired Router Plugged into LAN port?
    • LAN2 Wirelessly connected
On the first floor, there is a Server (Domain Controller) and 5 Client PCs. I'm planning on making these all wireless. The second floor has a simple windows workgroup with file/print sharing between 10 PCs.

What hardware do I need to make this work?

Next Problem:
Now I'm thinking about it and wondering, how are the 1st floor clients going to logon to the domain if they won't get a wireless connection until after Windows boots? (Or will they?) They will be using HP Wireless G Cards and the Linksys APs from the above diagram. How will this work? This whole project will fail if I can't do it wirelessly.

Thanks so much, any help is greatly appreciated.
 
First, use the Linksys WRT54G or GS router and not the access points. They are less expensive and more capable.

Second, you give each of the WRT54G routers a static IP in the subnet of the wired router:

Wired router: 192.168.1.1
Internet address: Type Static IP
WRT54G #1 : 192.168.1.2
WRT54G #2 : 192.168.1.3

Third, set each of the wireless routers to a different LAN subnet.

WRT54G #1 : 192.168.2.1 Mask 255.255.255.0 Gateway 0.0.0.0
WRT54G #2 : 192.168.3.1 Mask 255.255.255.0 Gateway 0.0.0.0

And make sure that DHCP is enabled.

Your last concern puzzles me. Wired connections in a Domain are not active until Windows boots. I would be certain if using XP clients that you disable through Group Policy the asynchronous processing of the logon.
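
A check of the addressing plan in the reply above, added here as an example and not part of the original thread. It assumes a 255.255.255.0 mask on the wired router (the post gives masks only for the wireless routers) and uses a hypothetical `check_plan` helper; skipping the third step leaves a WRT54G on its factory LAN address of 192.168.1.1, which is the overlap it reports.

```python
import ipaddress

# Addresses from the reply above. The /24 mask on the wired router's LAN is an
# assumption; the post states masks only for the two wireless routers.
UPSTREAM = ipaddress.ip_interface("192.168.1.1/24")
ROUTERS = {
    "WRT54G #1": {"wan": "192.168.1.2", "lan": "192.168.2.1/255.255.255.0"},
    "WRT54G #2": {"wan": "192.168.1.3", "lan": "192.168.3.1/255.255.255.0"},
}


def check_plan(upstream, routers):
    """Return a list of problems found in a cascaded-router addressing plan."""
    problems = []
    used_wan = {upstream.ip: "wired router"}
    lans = {}
    for name, cfg in routers.items():
        wan = ipaddress.ip_address(cfg["wan"])
        lan = ipaddress.ip_interface(cfg["lan"])
        # WAN side must be a usable host address on the wired router's subnet.
        if wan not in upstream.network or wan in (
            upstream.network.network_address,
            upstream.network.broadcast_address,
        ):
            problems.append(f"{name}: WAN {wan} is not a host in {upstream.network}")
        if wan in used_wan:
            problems.append(f"{name}: WAN {wan} already used by {used_wan[wan]}")
        used_wan[wan] = name
        # LAN side must not overlap the upstream subnet, or the router cannot
        # tell its own clients from hosts on its WAN side.
        if lan.network.overlaps(upstream.network):
            problems.append(f"{name}: LAN {lan.network} overlaps upstream")
        # The two floors must also sit on distinct subnets.
        for other, net in lans.items():
            if lan.network.overlaps(net):
                problems.append(f"{name}: LAN {lan.network} overlaps {other}")
        lans[name] = lan.network
    return problems


if __name__ == "__main__":
    print(check_plan(UPSTREAM, ROUTERS) or "plan is consistent")
```
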



 
Thanks for the reply. Will the access points still work or is it too late? I understand the routers are cheaper but my client already ordered everything and as long as they will still perform equally, that's fine.

Thanks for the config tips.

As far as my second concern, in wired situations, when you enter your login and password, it's already connected to the network so you just type in your credentials and it authorizes. With wireless, you have WEP to configure, as well as which network you want to connect to. I'm afraid it won't allow me to logon to the domain over wireless.

Now, one more thing.

LAN1 has the domain structure with server and client pcs. I've configured Active Directory before, but I'm still a bit rusty as it's been over a year. Are there any networking steps I'm not thinking of to have internet access as well as network access over a domain? If you're not sure that's fine, I've got MCSE books all over but little time to read and I want to be somewhat prepared so I can get in and get out of this project.

Thanks again!



 
1. The WAP54G will work fine. I should note that for both a router or access point with built-in DHCP server, you likely want to disable this in a Domain setting and allow the Domain DHCP server to provide IP addresses.

2. For Windows XP clients the asynchronous loading of networking during the boot up process can pose an issue. This speeds up the login process in a stand-alone workstation by allowing the user to log in with cached logon credentials before the network is fully ready.

To disable this "feature" and restore normal domain logons, open the MMC and add the group policy snap-in. Under Computer Configuration-->Administrative Templates-->System-->Logon, change "Always wait for the network at computer startup and logon" to ENABLED.

This can be fed to clients via a group policy from a Windows 2000 server by upgrading the standard policy template with the XP policy template. Since this is an XP only command, non-XP systems will ignore it in a domain distributed group policy.

3. There are no special Group Policy needs posed by wireless networking.

4. The only thing to be extra careful about is that any WINS database and the DNS server for the Domain need to be reconciled for any changes you make. If you continue to use your Domain DHCP server, and you should, there should not be a problem. If this is the first time you are introducing internet access to the Domain, be sure to make the DNS server entries for forwarders to either the DNS proxy in the wired router (192.168.1.1 in the example above) or to your ISP's DNS servers.
 
I followed the instructions at the following link with two small changes, and I am now able to have my laptops connected to the WLAN even when no one is logged on to them.


One part I did not do was the unchecking of the box mentioned in this section of the wireless client Authentication tab, EAP MSCHAPv2 properties.

"Click the properties button
Authentication Method: Secured password (EAP-MSCHAPv2)
Click the configure button
Uncheck the windows logon name and password box"

I also unchecked the "Authenticate as guest when user or computer information is not available" on the wireless client Authentication tab.

As described in the instructions, I created a Security group in Active Directory and added all of the users I wished to give access to the WLAN. But I also added all of the laptops' computer names as well. This allowed the laptop itself to authenticate to the RADIUS server and the WAP via group membership.

We are using Gateway 7001 access points, but the instructions in the link describe the scenario with Linksys and Dlink as well. The procedure should work with any WAP that can use WPA with an external RADIUS server, as long as that RADIUS server integrates with Active Directory.

The laptops are Gateways and HPs running XP Pro, and they all have integrated Broadcom wireless NICs. I believe that everything should work the same for Windows 2000 Pro as well.

All of my Group Policies and logon scripts, such as my Software Update Server settings and the drive mappings, are working properly this way as well.

Although, in case you run into some of your policies not being applied during startup, here is an excerpt from a post in another forum discussing a similar issue.
------------
"1. The WAP54G will work fine. I should note that for both a router or access point with built-in DHCP server, you likely want to disable this in a Domain setting and allow the Domain DHCP server to provide IP addresses.

2. For Windows XP clients the asynchronous loading of networking during the boot up process can pose an issue. This speeds up the login process in a stand-alone workstation by allowing the user to log in with cached logon credentials before the network is fully ready.

To disable this "feature" and restore normal domain logons, open the MMC and add the group policy snap-in. Under Computer Configuration-->Administrative Templates-->System-->Logon, change "Always wait for the network at computer startup and logon" to ENABLED.

This can be fed to clients via a group policy from a Windows 2000 server by upgrading the standard policy template with the XP policy template. Since this is an XP only command, non-XP systems will ignore it in a domain distributed group policy.

3. There are no special Group Policy needs posed by wireless networking.

4. The only thing to be extra careful about is that any WINS database and the DNS server for the Domain need to be reconciled for any changes you make. If you continue to use your Domain DHCP server, and you should, there should not be a problem. If this is the first time you are introducing internet access to the Domain, be sure to make the DNS server entries for forwarders to either the DNS proxy in the wired router (192.168.1.1 in the example above) or to your ISP's DNS servers."
-------------

I have VNC installed on all of the laptops and I am now able to connect to them whether they are in a logged on or off state.

Hope this helps!
 
Hello, I have a similar situation. I have a network with a domain controller and want to give network access to 2 PCs where wiring isn't feasible. One PC is Win98, the other is Win2000. Because the WEP encryption software doesn't run until after Windows completely loads, the clients have to log on to the local machine, which runs the WEP software, then log off and log onto the network. If they try to logon to the network directly, it fails because they can't even see the network yet, let alone authenticate. Is there a way around this? Or do I need to upgrade the clients to WinXP for this to work?
 
I would recommend upgrading to XP Pro and SP2; the wireless at the site where this is implemented has been flawless with XP SP2. I am not entirely sure that Win98 supports WPA and 802.1x RADIUS with PEAP. Win2000 very well may, but if it were possible for you to upgrade, I would take them all to XP SP2; it just handles wireless connections better. Then just set up the other items in my post and you should be fine.
 
Hi, I'm having a similar problem as well. I have Windows 2000 Server set up with IAS with RADIUS just like it said on the pctechnicians website. But I cannot get the option to set the dial-in remote access permission (Dial-in or VPN) to control access through remote access policy. It's a new install of 2000 Server with all the updates and the steps shown on the pctechnicians site.
 
Did you make sure you followed this specific instruction at the pctechnicians web page: "Change domain mode to native to enable the Remote Access Policy option"? If you do not do that, that option is grayed out.

Here is how to switch to native mode just in case.

Changing Domain Mode
To switch the domain mode, perform the following:

Start the Active Directory Users and Computers snap-in or the Active Directory Domains and Trusts snap-in.

Right-click the domain name, and then click Properties.

On the General tab, click Change To Native Mode.

In the Warning dialog box, click Yes and then click OK.


--------------------------------------------------------------------------------

Note - It may take up to 15 minutes for a domain mode change to impact all Windows 2000 domain controllers.


 