
Wireless - and logon script timing

Status
Not open for further replies.

navigat0

Hey all, happy holidays!

We're using 802.1x with our wireless connections here - that obviously requires user credentials in real time. The problem is the timing with our logon scripts is way off for users who are on the wireless connection. I've been messing around with a couple of ideas, but would like to hear some other input.

Problem:
Users start laptops and wireless connection is found, however since we use 802.1x (RADIUS) authentication based on domain usernames and passwords, the laptops aren't authenticated until the user is logged in (using cached credentials). At that time, the wireless authentication succeeds, and the laptop proceeds obtaining an IP via DHCP. Of course by the time all of this is said and done the client is already logged on, but since they logged on using cached credentials the domain logon script never runs.
 
Ahh, the old wireless gotcha.

See this thread here
I have the same issue and have asked the same question many many times on many boards. I even blew a couple thousand points at Experts Exchange and there is no fix I have found for this. Until someone finds or creates a way to globally within Windows assign a profile, etc. I guess we are out of luck. Of course, I really hope someone tells me I'm totally wrong and have just been unlucky in finding the answer. Until then I've had to accept it.



FRCP
 
I had read the thread you mention - Thanks! I am currently testing the "sleep" solution, but have found that like you say it will be a tough one to handle.

We use both Computer and User certificates on the clients so even when a user is not logged on, the client is authenticated. Unfortunately as the user logs on and the authentication changes to using the user cert there is a temporary "Down Time" and this can cause the script not to run. This is why I think the sleep may help things out a bit.
 
I followed the instructions at the following link with two small changes, and I am now able to have my laptops connected to the WLAN even when no one is logged on to them.


One part I did not do was the unchecking of the box mentioned in this section of the wireless client Authentication tab, EAP MSCHAPv2 properties.

"Click the properties button
Authentication Method: Secured password (EAP-MSCHAPv2)
Click the configure button
Uncheck the windows logon name and password box"

I also unchecked the "Authenticate as guest when user or computer information is not available" on the wireless client Authentication tab.

As described in the instructions, I created a Security group in Active Directory and added all of the users I wished to give access to the WLAN. But I also added all of the laptops' computer names as well. This allowed the laptop itself to authenticate to the RADIUS server and the WAP via group membership.

We are using Gateway 7001 access points, but the instructions in the link describe the scenario with Linksys and Dlink as well. The procedure should work with any WAP that can use WPA with an external RADIUS server, as long as that RADIUS server integrates with Active Directory.

The laptops are Gateways and HPs running XP Pro, and they all have integrated Broadcom wireless NICs. I believe that everything should work the same for Windows 2000 Pro as well.

All of my Group Policies and logon scripts, such as my Software Update Server settings and the drive mappings, are working properly this way as well.

Although, in case you run into some of your policies not being applied during startup, here is an excerpt from a post in another forum discussing a similar issue.
------------
"1. The WAP54G will work fine. I should note that for both a router or access point with built-in DHCP server, you likely want to disable this in a Domain setting and allow the Domain DHCP server to provide IP addresses.

2. For Windows XP clients the asynchronous loading of networking during the boot up process can pose an issue. This speeds up the login process in a stand-alone workstation by allowing the user to log in with cached logon credentials before the network is fully ready.

To disable this "feature" and restore normal domain logons, open the MMC and add the group policy snap-in. Under Computer Configuration-->Administrative Templates-->System-->Logon, change "Always wait for the network at computer startup and logon" to ENABLED.

This can be fed to clients via a group policy from a Windows 2000 server by upgrading the standard policy template with the XP policy template. Since this is an XP only command, non-XP systems will ignore it in a domain distributed group policy.

3. There are no special Group Policy needs posed by wireless networking.

4. The only thing to be extra careful about is that any WINS database and the DNS server for the Domain need to be reconciled for any changes you make. If you continue to use your Domain DHCP server, and you should, there should not be a problem. If this is the first time you are introducing internet access to the Domain, be sure to make the DNS server entries for forwarders to either the DNS proxy in the wired router (192.168.1.1 in the example above) or to your ISP's DNS servers."
-------------

I have VNC installed on all of the laptops and I am now able to connect to them whether they are in a logged on or off state.

Hope this helps!
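
Editor's added example, not code from any poster in this thread: a PowerShell logon-script preamble that combines the two ideas discussed above, checking that the "Always wait for the network at computer startup and logon" policy has actually reached the laptop and replacing a fixed "sleep" with a bounded wait for a domain controller. The function names are hypothetical; the registry value `SyncForegroundPolicy` is the one this policy sets, and `nltest /dsgetdc` is the standard DC locator check.

```powershell
# Added example (not from the thread). Function names are hypothetical.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-WaitForNetworkPolicy {
    # True only when the GPO has written SyncForegroundPolicy = 1 on this machine.
    $v = Get-ItemProperty -Path $PolicyKey -Name SyncForegroundPolicy `
                          -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.SyncForegroundPolicy -eq 1)
}

function Wait-DomainController {
    # Poll for a reachable DC instead of sleeping a fixed time, so the script
    # rides out the machine-to-user 802.1x re-authentication gap but still
    # gives up when the laptop is genuinely off the network.
    param([int]$TimeoutSeconds = 60, [int]$IntervalSeconds = 5)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # /force bypasses the cached DC entry; exit code 0 means a DC answered.
        & nltest.exe "/dsgetdc:$env:USERDNSDOMAIN" /force 2>&1 | Out-Null
        if ($LASTEXITCODE -eq 0) { return $true }
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

if (-not (Test-WaitForNetworkPolicy)) {
    Write-Warning 'Wait-for-network policy not applied; logon may use cached credentials.'
}

if (Wait-DomainController -TimeoutSeconds 60) {
    # Domain is reachable: drive mappings and other logon actions go here.
    Write-Output 'Domain controller located; continuing logon script.'
} else {
    # Fail visibly rather than silently skipping policy-dependent steps.
    Write-Warning 'No domain controller within timeout; logon actions skipped.'
    exit 1
}
```

A laptop that reports the policy as missing is one where drive mappings and update settings may be skipped without any visible error, so the warning is worth collecting centrally.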
 