EAP-TLS and GPOs

We have about 500 Cisco Wireless APs managed by a few controllers with EAP-TLS authentication. Each workstation has a certificate installed to it via GPO and each user must also install a certificate in order to access the wireless infrastructure. The issues which we are having are

1) Software deployed by GPO is not installing because the computer does not have an IP at the time the software is installing -- pre-user login.
2) User's mapped drives are not getting mapped because the workstation is not technically connected at the time of login.
3) Workstation login scripts are not running.

We rely very heavily on all three of these tasks in our environment. We have experimented with KB Article http://support.microsoft.com/?id=840669 and the value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -- GpNetworkStartTimeoutPolicyValue. However, I am getting mixed results with it. None of which apply or re-apply GPOs, software or scripts. It appears that if it does not see a network, it does not wait for the network. We have also set the GPO to Always Wait for Network before logging in but have not seen this fix the issue either. Finally, we have set the cachedlogonscount to 0 but cannot log in with a domain account at all.

Any suggestions for applying our GPOs over this type of wireless network?

Thanks.

Bart Perrier


Bart

I think you need to use a third party Supplicant like Juniper (formerly Odyssey) or Aegis.
Odyssey makes a replacement in GINA to allow pre-user authentication, so that the machines are authenticated before the user logs in.

Hope this helps.

Oscar Soto Casali
MVP Directory Services

"Bart Perrier" <bart_perr***@hotmail.com> wrote in message news:%23W%23ju2BBHHA.4***@TK2MSFTNGP02.phx.gbl...
> We have about 500 Cisco Wireless APs managed by a few controllers with
> EAP-TLS authentication. Each workstation has a certificate installed to it
> via GPO and each user must also install a certificate in order to access
> the wireless infrastructure. The issues which we are having are
>
> 1) Software deployed by GPO is not installing because the computer does
> not have an IP at the time the software is installing -- pre-user login.
> 2) User's mapped drives are not getting mapped because the workstation is
> not technically connected at the time of login.
> 3) Workstation login scripts are not running.
>
> We rely very heavily on all three of these tasks in our environment. We
> have experimented with KB Article http://support.microsoft.com/?id=840669
> and the value in HKLM\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Winlogon -- GpNetworkStartTimeoutPolicyValue. However,
> I am getting mixed results with it. None of which apply or re-apply GPOs,
> software or scripts. It appears that if it does not see a network, it does
> not wait for the network. We have also set the GPO to Always Wait for
> Network before logging in but have not seen this fix the issue either.
> Finally, we have set the cachedlogonscount to 0 but cannot log in with a
> domain account at all.
>
> Any suggestions for applying our GPOs over this type of wireless network?
>
> Thanks.
>
> Bart Perrier


Our authentication is working correctly but my policies are not applying, unless they are tattooed in the registry, and any new configuration we need to deploy post-implementation, via script, GPO, or software deployment, is not occurring.

"OscarSotoCL" <oscar.s***@activetrainer.cl> wrote in message news:eru1woCBHHA.4680@TK2MSFTNGP04.phx.gbl...
> Bart
>
> I think you need to use a third party Supplicant like Juniper (formerly
> Odyssey) or Aegis.
> Odyssey makes a replacement in GINA to allow pre-user authentication, so
> that the machines are authenticated before the user logs in.
>
> Hope this helps.
>
> Oscar Soto Casali
> MVP Directory Services
>
>
> "Bart Perrier" <bart_perr***@hotmail.com> wrote in message
> news:%23W%23ju2BBHHA.4***@TK2MSFTNGP02.phx.gbl...
>> We have about 500 Cisco Wireless APs managed by a few controllers with
>> EAP-TLS authentication. Each workstation has a certificate installed to
>> it via GPO and each user must also install a certificate in order to
>> access the wireless infrastructure. The issues which we are having are
>>
>> 1) Software deployed by GPO is not installing because the computer does
>> not have an IP at the time the software is installing -- pre-user login.
>> 2) User's mapped drives are not getting mapped because the workstation is
>> not technically connected at the time of login.
>> 3) Workstation login scripts are not running.
>>
>> We rely very heavily on all three of these tasks in our environment. We
>> have experimented with KB Article http://support.microsoft.com/?id=840669
>> and the value in HKLM\SOFTWARE\Microsoft\Windows
>> NT\CurrentVersion\Winlogon -- GpNetworkStartTimeoutPolicyValue. However,
>> I am getting mixed results with it. None of which apply or re-apply GPOs,
>> software or scripts. It appears that if it does not see a network, it
>> does not wait for the network. We have also set the GPO to Always Wait
>> for Network before logging in but have not seen this fix the issue
>> either. Finally, we have set the cachedlogonscount to 0 but cannot log in
>> with a domain account at all.
>>
>> Any suggestions for applying our GPOs over this type of wireless network?
>>
>> Thanks.
>>
>> Bart Perrier
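
The three settings named in the thread can be read back on an affected workstation to confirm what is actually in effect before changing the supplicant. The following is an added example, not part of any post in the thread; the function names are hypothetical, the `SyncForegroundPolicy` location is the registry value written by the "Always wait for the network at computer startup and logon" policy, and the sample timeout of 60 is an assumed value the thread does not give.

```powershell
# Added example (not from the thread): audit the three logon-time settings it discusses.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Location written by "Always wait for the network at computer startup and logon".
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-LogonPolicyFindings {
    param($Timeout, $SyncForeground, $CachedLogons)
    $findings = @()
    if ($null -eq $Timeout) {
        $findings += 'GpNetworkStartTimeoutPolicyValue is not set.'
    } else {
        $findings += "GpNetworkStartTimeoutPolicyValue = $Timeout seconds."
    }
    if ($SyncForeground -eq 1) {
        $findings += 'Always wait for the network: enabled; policy is processed synchronously at startup and logon.'
    } else {
        $findings += 'Always wait for the network: not enabled; logon may use cached credentials and policy applies in the background.'
    }
    if ($null -eq $CachedLogons) {
        $findings += 'CachedLogonsCount is not set; the Windows default applies.'
    } elseif ([int]$CachedLogons -eq 0) {
        $findings += 'CachedLogonsCount = 0; no cached logons, so a domain controller must be reachable at the logon prompt.'
    } else {
        $findings += "CachedLogonsCount = $CachedLogons; cached domain logons are allowed."
    }
    $findings
}

# Live check on the local machine.
Get-LogonPolicyFindings `
    -Timeout        (Get-RegValue $winlogon 'GpNetworkStartTimeoutPolicyValue') `
    -SyncForeground (Get-RegValue $policy   'SyncForegroundPolicy') `
    -CachedLogons   (Get-RegValue $winlogon 'CachedLogonsCount')

# Constructed sample mirroring the configuration described in the thread
# (the timeout of 60 is an assumed value).
Get-LogonPolicyFindings -Timeout 60 -SyncForeground 1 -CachedLogons '0'
```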