Wireless Networking - WPA2 with 802.1x - network startup too late

 
07-28-2005, 04:33 AM   #1
WPA2 with 802.1x - network startup too late


Hi, I'm trying to upgrade our XP notebooks to WPA2 - currently they're working
with WPA with 802.1x RADIUS authentication over the IAS service running on W2K3.
Routers are Linksys WRT54GS with the newest firmware 4.50, supporting WPA2
Enterprise.

The problems occur during computer startup: As Windows XP is starting the
network, it tries to authenticate with the computer account on the DC - this
works with WPA (1) in nearly 99% of all startups - so it's ok for me.
Interestingly, only Linksys and Cisco WAPs are REALLY capable to support
this, I've tried about 30 WAPs from others (Dlink, Netgear and so on) -
they're all crap...
So I am Linksys biased - well...

BUT - changing to WPA2 doesn't work: the network starts, waits about 30
seconds and times out. I see that because no computer policies from my
group policy settings are applied. So there are 2 possibilities:

1) Linksys WPA2 Enterprise support doesn't work
2) XP SP2 (yes, incl. hotfix for WPA2 support) has a bug

So - has anyone tried to run WPA2 with Radius Authentication and can tell me
that the network is REALLY started up so that Group Policy applies before
logon? With which HW?

Thanx in adv.

Bernhard




Bernhard Wagner
07-28-2005, 01:19 PM   #2
Clark
Re: WPA2 with 802.1x - network startup too late
Would this have any relevance?

http://support.microsoft.com/default...b;en-us;893357

Clark

08-01-2005, 09:57 PM   #3
Jerry Peterson[MSFT]
Re: WPA2 with 802.1x - network startup too late
Have you verified that machine authentication is completing prior to the
Winlogon event? Machine authentication must complete for you to have
connectivity before logon. If machine authentication is not completing,
then use the IAS logs to determine if there was a logon failure. Next
verify if the authentication failure is on the client side. This is most
likely a problem with credentials as you may be missing the root certificate
or machine certificate on the client.

There are other aspects to investigate if everything checks out on level.
Please reply back with results of the initial investigation.

--
Jerry Peterson
Windows Network Services - Wireless

This posting is provided "AS IS" with no warranties, and confers no rights.
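
One way to run the IAS-log check described in the post above, as an added example that is not part of the original thread: it pairs each machine account's first Access-Request with the final Access-Accept or Access-Reject and reports outcome, reason code and elapsed seconds. It assumes IAS-formatted (not database-compatible) log files, month/day/year dates, and computer accounts logged as `host/<fqdn>` or `DOMAIN\NAME$`; the log lines are constructed.

```python
import csv
from datetime import datetime

# Constructed sample in IAS log format (not from the thread): six header fields
# (NAS-IP, User-Name, date, time, service, computer), then attribute-ID,value pairs.
SAMPLE_LOG = """\
192.0.2.10,host/nb01.example.local,08/01/2005,08:00:01,IAS,RADIUS01,4136,1,4142,0
192.0.2.10,host/nb01.example.local,08/01/2005,08:00:02,IAS,RADIUS01,4136,11,4142,0
192.0.2.10,host/nb01.example.local,08/01/2005,08:00:04,IAS,RADIUS01,4136,2,4142,0
192.0.2.10,EXAMPLE\\NB02$,08/01/2005,08:05:10,IAS,RADIUS01,4136,1,4142,0
192.0.2.10,EXAMPLE\\NB02$,08/01/2005,08:05:11,IAS,RADIUS01,4136,3,4142,16
192.0.2.10,EXAMPLE\\alice,08/01/2005,08:06:00,IAS,RADIUS01,4136,1,4142,0
192.0.2.10,EXAMPLE\\alice,08/01/2005,08:06:01,IAS,RADIUS01,4136,2,4142,0
192.0.2.10,host/nb03.example.local,08/01/2005,08:07:00,IAS,RADIUS01,4136,1,4142,0
"""

PACKET_TYPE, REASON_CODE = "4136", "4142"      # IAS attribute IDs
REQUEST, ACCEPT, REJECT = "1", "2", "3"        # Packet-Type values

def is_machine(user):
    # Assumption: computer accounts appear as "host/<fqdn>" or "DOMAIN\NAME$".
    return user.lower().startswith("host/") or user.endswith("$")

def machine_auth_report(log_text):
    """Map each machine account to (outcome, reason_code, seconds) of its last attempt."""
    pending, report = {}, {}
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 6 or not is_machine(row[1]):
            continue                            # skip short rows and user logons
        user = row[1]
        when = datetime.strptime(f"{row[2]} {row[3]}", "%m/%d/%Y %H:%M:%S")
        attrs = dict(zip(row[6::2], row[7::2]))
        ptype = attrs.get(PACKET_TYPE)
        if ptype == REQUEST:
            pending.setdefault(user, when)      # keep the first request of an attempt
        elif ptype in (ACCEPT, REJECT):
            start = pending.pop(user, when)
            outcome = "accept" if ptype == ACCEPT else "reject"
            reason = int(attrs.get(REASON_CODE, -1))   # 0 = success, non-zero = failure
            report[user] = (outcome, reason, (when - start).total_seconds())
    for user in pending:                        # request logged, never answered
        report[user] = ("no-reply", None, None)
    return report

if __name__ == "__main__":
    for machine, result in machine_auth_report(SAMPLE_LOG).items():
        print(machine, result)
```

A machine that shows only `no-reply` or a long elapsed time here is the one to follow up on the client side, since the server never completed (or was slow to complete) its exchange.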
08-03-2005, 08:38 AM   #4
Bernhard Wagner
solved? WPA2 with 802.1x - network startup too late
Hi Jerry,

thank you for your answer. I think the issue is solved: I flashed the
Linksys WRT54GS to the new firmware revision 4.70.6 (even the readme says
nothing about changed WPA2 behavior) and computer startup authentication
works now, but it takes a long time (about 30 seconds in the "starting the
network" box).

I feel that the whole WPA(2) RADIUS - computer startup machine
authentication story is extremely sensitive; in my opinion MS should work on
that - it's strange that only Cisco-Linksys APs really work in this
configuration and I don't believe it's only the problem of the firmware of
other manufacturers. What's your or MS's experience with today's
strongest form of authentication?

Thank you, yours

Bernhard W.

08-09-2005, 08:30 PM   #5
Jerry Peterson[MSFT]
Re: solved? WPA2 with 802.1x - network startup too late
A wireless sniffer would allow you to diagnose a performance problem with
your equipment. A slow DHCP server is another common culprit.

--
Jerry Peterson
Windows Network Services - Wireless

This posting is provided "AS IS" with no warranties, and confers no rights.