Wireless Networking - EAP-TLS and GPOs

 
Old 11-09-2006, 04:39 PM   #1
Default EAP-TLS and GPOs


We have about 500 Cisco Wireless APs managed by a few controllers with
EAP-TLS authentication. Each workstation has a certificate installed to it
via GPO and each user must also install a certificate in order to access the
wireless infrastructure. The issues which we are having are:

1) Software deployed by GPO is not installing because the computer does not
have an IP at the time the software is installing -- pre-userlogin.
2) User's mapped drives are not getting mapped because the workstation is
not technically connected at the time of login.
3) Workstation login scripts are not running.

We rely very heavily on all three of these tasks in our environment. We have
experimented with KB Article http://support.microsoft.com/?id=840669 and the
value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon --
GpNetworkStartTimeoutPolicyValue. However, I am getting mixed results with
it. None of which apply or re-apply GPOs, software or scripts. It appears
that if it does not see a network, it does not wait for the network. We have
also set the GPO to Always Wait for Network before logging in but have not
seen this fix the issue either. Finally, we have set the cachedlogonscount
to 0 but cannot log in with a domain account at all.

Any suggestions for applying our GPOs over this type of wireless network?

Thanks.

Bart Perrier
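
A read-only check of the settings named in this post, for running on an affected workstation. This is an added example, not part of the original thread; the `SyncForegroundPolicy` location and the certificate filter are assumptions about how the "Always wait for network" policy and the GPO-installed machine certificate appear on the client.

```powershell
# Added example: read-only audit of the logon settings named in the post above.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Assumption (not from the thread): where the "Always wait for the network" policy is stored.
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$settings = [ordered]@{
    GpNetworkStartTimeoutPolicyValue = Get-RegValue $winlogon 'GpNetworkStartTimeoutPolicyValue'
    SyncForegroundPolicy             = Get-RegValue $policy   'SyncForegroundPolicy'
    CachedLogonsCount                = Get-RegValue $winlogon 'CachedLogonsCount'
}

# Machine certificates usable for EAP-TLS: valid now, private key present,
# Client Authentication EKU. Certificates with no EKU extension are skipped.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$now = Get-Date
$machineCerts = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
})

$findings = @()
if ($null -eq $settings.GpNetworkStartTimeoutPolicyValue) {
    $findings += 'GpNetworkStartTimeoutPolicyValue is not set under Winlogon.'
}
if ($settings.SyncForegroundPolicy -ne 1) {
    $findings += '"Always wait for the network" is not in effect on this machine.'
}
if ("$($settings.CachedLogonsCount)" -eq '0') {
    $findings += 'CachedLogonsCount is 0: no cached credentials, so a domain logon needs a reachable domain controller.'
}
if ($machineCerts.Count -eq 0) {
    $findings += 'No valid client-authentication certificate with a private key in LocalMachine\My.'
}

[pscustomobject]$settings | Format-List
$machineCerts | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```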




Old 11-09-2006, 06:09 PM   #2
OscarSotoCL
 
Default Re: EAP-TLS and GPOs
Bart

I think you need to use a third party Supplicant like Juniper (formerly
Odyssey) or Aegis.
Odyssey makes a replacement in GINA to allow pre-user Authentication, so
that the machines are authenticated before the user logs in.

Hope this helps.

Oscar Soto Casali
MVP Directory Services
Old 11-09-2006, 09:59 PM   #3
Bart Perrier
 
Default Re: EAP-TLS and GPOs
Our authentication is working correctly but my policies are not applying,
unless they are tattooed in the registry, and any new configuration we need
to deploy post-implementation, via script, GPO, or software deployment, is
not occurring.