
Windows 2000 802.1x supplicant problems

spidey07

I think this is a known issue...

Some computers are wireless only and as such use the Windows logon to authenticate to the wireless LAN (LEAP). They have no wired access and are desktops. The wireless card is nothing more than a Dell USB external adapter.

The machines log in to the domain/wireless just fine. But whenever there are profile or other system management changes the changes don't take because...

1) Computer starts up.
2) Windows starts doing its startup stuff and I think profile stuff happens here.
3) This stuff doesn't work because of course the machine hasn't logged in yet/doesn't have an IP.
4) Logon screen appears.

Any ideas? Something about the 2000 GINA and varying 802.1x supplicants?
 
Single Sign On...usually provided as part of the driver/utility for the card.

Meetinghouse is (currently) used by many (Intel, Broadcom) but they have been starting to develop some in house, and/or move to one of the others.
 
Spidey, you are correct in that some of the GPO updates to the end user are applied before user logon. Since you are using LEAP, am I correct in that you are using a Cisco wireless client, are you using an Intel card/client, or some other supplicant? My first initial thought is to try machine authentication (if possible) because then as soon as Windows is up the machine is authenticated and an IP address is given and the GPO settings can be applied. From there AD is used for user authentication.

I can look into more stuff if you need more info.
 
Thanks for the tips.

I don't know the supplicant, but it is a Dell 802.11a USB adapter. We normally just use the supplicant supplied with Intel cards on thousands of laptops and it works well.

This is a special case/application. I've been trying to find more information on the Dell.

This group is looking at workgroup bridges instead, but that seems like an administration nightmare to configure user IDs on the bridges.
 
The other option is a prelogon profile (that's what it's called on the Intel utility) where you specify credentials valid for LEAP, and it is used when no user is logged into the box to maintain network connectivity, and then a profile to start auth after login.
 
Thanks for all the input. Glad to know we weren't the only ones facing this.

Our head Active Directory guy talked to Microsoft. Here's the recommendation:

Apply Microsoft hotfix and set registry key to delay policy application.

So we'll try that and see how it goes.

What I'm gathering is you can approach this problem from the wireless adapter perspective (driver modifies GINA) or from the OS level (hotfixes, registry edits to delay some startup activity until after logon).

The pre-logon profile is a good idea, have to look more into that (well, at least the MS guy will).
 
That adapter (I just checked) is CCX v2 compatible only, i.e. no single sign on tested, and I don't think it's supported. Conexant chipset, and pretty crappy adapter.
 
Thanks,

We've been trying to enforce wireless standards on the desktop group. Like that will work.

I'll update when the testing group reports back.

So CCX v3 is needed for single sign-on? The built-in Intel cards have been working great.

Overall the wireless infrastructures that I'm building work great. It's the dang clients and all the different adapters/versions that cause headaches. In my mind wireless is still not fully baked - too many changes happening too quickly.
 
Yes, I would check for V3 compliance (V2 does not test/require single sign on). All the major Intel cards (2915, 2200, 3945) are V3, most are nearly V4.

The comment made by my coworker (who ran the v2 tests on that card) involved the words "rubbish", "trash", "waste of time", iirc. He wasn't too impressed.
 