Wireless and Windows roaming profiles

Discussion in 'Wireless Networking' started by Ivo, Feb 3, 2005.

  1. I've set up a secure wireless infrastructure on SBS2000, it's small and I
    test it on one ACER TM803LMi (with the Intel 2100 built-in). It works with
    certificates etc. When I disconnect the cable and restart the PC, then the
    user apparently gets logged on with its cached credentials and then the wifi
    comes up. There was a warning (cannot find your roaming profile) also. So the
    end result is connectivity but no use of the roaming profile and also the
    user's netlogon script (net use etc) was not executed.
    Can wireless connection be combined with roaming profiles?

    Thanks, Ivo
     
    Ivo, Feb 3, 2005
    #1

  2. Mark Gamache Guest

    Ivo,

    This is partly reliant on your hardware and partly on your remote access
    policy and group membership. Not all wireless hardware will associate to
    the AP and authenticate without a user logged in. Most will retain the
    settings of the last user. Assuming that your hardware supports it, you
    need the computer to be able to log in using its machine account. This
    means that the computer accounts need to be a member of the wireless group
    that you are adding your users to. If you are using certificates for TLS,
    then you will need to make sure the computers have machine certificates.

    Once you do this, the computer will authenticate to the AP when it boots.
    This will allow for your users to log into the domain instead of using their
    cached creds.

    Cheers,


    --
    Mark Gamache
    Certified Security Solutions
    http://www.css-security.com



    Mark Gamache, Feb 3, 2005
    #2

  3. Thank you. It's good to know that it should work ;-)

    I've read some more articles on this as well as your explanation, and the
    problem may be related to an outdated driver on my Acer TM803LMi, it has the
    Intel 2100 (b-mode) built-in. I will update the driver tomorrow, the computer
    account is part of the wireless group, and the machine certificate is on the
    client computer OK.
    The outdated driver doesn't show the WPA option in the network
    authentication drop down box...

    Thank you very much for your reply,
    Ivo

    Ivo, Feb 3, 2005
    #3
  4. Hello Mark,

    I've upgraded to the latest available Intel 2100b driver found on the Acer
    TM803LMi support site. Afterwards I could choose WPA/TKIP in my WXPSP2
    notebook and I changed the settings on the Linksys WAP54G accordingly. When
    the notebook is restarted (disconnected from the wired network), I'm
    presented with the logon dialogue and then (after OK) it takes some time, but
    unfortunately the message about not being able to reach the roaming profile
    reappears. And once logged on, the drive letters to network shares are not
    available (I do NET USE to get the list, it's empty). When I then
    logoff/logon, the situation is different. This time it takes the roaming
    profile and NET USE shows the drive letters my user likes. But the letters
    still do not appear in his Windows Explorer / My Computer, this takes extra
    time, but eventually they become available with no extra actions.

    Still some questions about this:
    - is this the best result I can obtain or can we do better?
    - would it work with the roaming profile also after a notebook restart (i.e.
    on the first logon)?
    - would there be a sign indicating that the computer connected OK to the
    domain, or how does the user know how long to wait before clicking OK on the
    logon dialog.

    Suggestions on how to proceed are very much appreciated, thanks in advance,
    Ivo

    Ivo, Feb 7, 2005
    #4
  5. Mark Gamache Guest

    Based on your description, I am sure you are not passing 802.1X
    authentication until after the user is logged in. If these laptops are
    going to always be wireless, you will have to resolve the issue. If it's not
    resolved, your machine group policy won't work and various things such as
    mapped drives and password expiration warnings will not be generated.

    The first place to start is your IAS logs. Boot the laptop but don't login.
    Check your IAS logs to see if the computer account is trying to connect. I
    use this app to look at the logs. It's free to try.
    http://www.deepsoftware.ru/iasviewer/ It makes them much easier to read.

    If the laptop doesn't even try to connect (there are no logs of it
    attempting to auth. to the IAS server) then it's likely that your Intel NIC
    or the app running it is not allowing it to associate to the AP until
    someone is logged in. This is unlikely as the Intel 2100 should work
    correctly. If the logs show an attempted connect that fails, then you
    simply verify why it is failing. The logs are likely to answer that
    question for you.

    I suspect the logs will tell you exactly what is going on. It's likely that
    no remote access policies apply to the computer's security context.
    Remember, the computer has an account in the domain that it uses to
    automatically log itself in to the domain with. This account needs to
    have the appropriate group membership etc to pass your remote access policy.

    Cheers,

    --
    Mark Gamache
    Certified Security Solutions
    http://www.css-security.com



    Mark Gamache, Feb 7, 2005
    #5
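    To make the "boot but don't log in, then read the IAS logs" check above
    concrete, here is an added Python example (not from this thread, and not
    part of IAS or the IAS viewer Mark links) that triages IAS-format log
    lines per client MAC and reports whether the machine account ever
    attempted 802.1X and, if it did, which reason code IAS gave for refusing
    it. The column order, the reason-code meanings and the "host/<fqdn>" form
    of a Windows XP machine identity are assumed from the documented IAS log
    format; the server name, host names, MACs and log lines are constructed.

```python
"""Triage an IAS-format log for 802.1X machine-account attempts (added example).

Assumes the documented IAS-format column order (Computer-Name, Service-Name,
Record-Date, Record-Time, Packet-Type, User-Name, FQDN, Called-Station-ID,
Calling-Station-ID, ..., NAS-Port-Type at index 19, Authentication-Type at 23,
Policy-Name at 24, Reason-Code at 25). Host names, MACs and lines are constructed.
"""
import csv

# 0-based column positions in the IAS (comma-delimited) format; assumed layout.
COLUMNS = {
    "computer_name": 0, "service_name": 1, "record_date": 2, "record_time": 3,
    "packet_type": 4, "user_name": 5, "fqdn": 6, "called_station": 7,
    "calling_station": 8, "nas_identifier": 11, "nas_port_type": 19,
    "auth_type": 23, "policy_name": 24, "reason_code": 25,
}
NUM_COLUMNS = 30  # real lines carry more trailing fields; nothing past 25 is read

PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}
# Subset of the documented IAS reason codes that matter for this diagnosis.
REASON_CODES = {
    "0": "IAS_SUCCESS",
    "8": "IAS_NO_SUCH_USER",
    "16": "IAS_AUTH_FAILURE",
    "48": "IAS_NO_POLICY_MATCH",   # no remote access policy matched the request
    "66": "IAS_INVALID_AUTH_TYPE",
}


def ias_line(**fields):
    """Build one constructed IAS-format line, placing values by column name."""
    row = [""] * NUM_COLUMNS
    row[COLUMNS["computer_name"]] = "SBSSRV"   # constructed server name
    row[COLUMNS["service_name"]] = "IAS"
    for name, value in fields.items():
        row[COLUMNS[name]] = value
    return ",".join(row)


# Constructed sample: laptop A (the case in this thread) only ever authenticates
# as the user; laptop B's machine account does try, but no policy matches it.
LAPTOP_A = "000D3A112233"
LAPTOP_B = "000D3A445566"
SAMPLE_LOG = "\n".join([
    ias_line(record_date="02/10/2005", record_time="08:15:02", packet_type="1",
             user_name="EXAMPLE\\ivo", fqdn="EXAMPLE\\ivo",
             calling_station=LAPTOP_A, nas_port_type="19", auth_type="5"),
    ias_line(record_date="02/10/2005", record_time="08:15:03", packet_type="2",
             user_name="EXAMPLE\\ivo", fqdn="EXAMPLE\\ivo",
             calling_station=LAPTOP_A, policy_name="Wireless Access",
             reason_code="0"),
    ias_line(record_date="02/10/2005", record_time="08:20:41", packet_type="1",
             user_name="host/acer-b.example.local", fqdn="EXAMPLE\\ACER-B$",
             calling_station=LAPTOP_B, nas_port_type="19", auth_type="5"),
    ias_line(record_date="02/10/2005", record_time="08:20:41", packet_type="3",
             user_name="host/acer-b.example.local", fqdn="EXAMPLE\\ACER-B$",
             calling_station=LAPTOP_B, reason_code="48"),
])


def parse_ias(text):
    """Yield one dict per IAS-format line, keyed by the names in COLUMNS."""
    for row in csv.reader(text.splitlines()):
        if len(row) <= COLUMNS["reason_code"]:
            continue  # not a full IAS-format line
        yield {name: row[idx] for name, idx in COLUMNS.items()}


def is_machine_account(user_name, fqdn):
    """Windows XP machine auth logs as 'host/<fqdn>' with a FQDN ending in '$'."""
    return user_name.lower().startswith("host/") or fqdn.endswith("$")


def triage(text, calling_station):
    """Classify what the log says about one client's machine-account attempts."""
    requests, accepted, reject_reasons = 0, False, []
    for rec in parse_ias(text):
        if rec["calling_station"] != calling_station:
            continue
        if not is_machine_account(rec["user_name"], rec["fqdn"]):
            continue  # user-context attempts are not what this check is about
        if rec["packet_type"] == "1":
            requests += 1
        elif rec["packet_type"] == "2":
            accepted = True
        elif rec["packet_type"] == "3":
            reject_reasons.append(rec["reason_code"])
    if accepted:
        return "machine-accepted"
    if reject_reasons:  # it tried; the reason code says why IAS refused it
        code = reject_reasons[-1]
        return "machine-rejected:%s:%s" % (code, REASON_CODES.get(code, "unknown"))
    if requests:
        return "machine-request-unanswered"  # e.g. the EAP exchange never finished
    # Nothing at all from the computer: the supplicant never authenticated as
    # the machine, so look at the client side (driver, supplicant settings,
    # machine certificate) rather than at the remote access policy.
    return "no-machine-attempt"


if __name__ == "__main__":
    for mac in (LAPTOP_A, LAPTOP_B):
        print(mac, triage(SAMPLE_LOG, mac))
```

    A "no-machine-attempt" verdict for a laptop's MAC is the first branch of Mark's diagnosis; a reason code 48 reject is the second, and points at the computer account's group membership and the policy rather than at the NIC.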
  6. You were right about not passing 802.1X authentication based on host
    verification. I looked into the IAS log and the computer account is not
    trying to connect. In the properties of the wireless connection, there's the
    Verification tab (I have it here in Dutch, so the English wording may not be
    exactly as in my translation); there IEEE 802.1X verification is enabled, the
    EAP type is smartcard or other certificate, and the check box "verify as
    computer when computer information is available" is selected all right.
    But there's nothing in the IAS log about the computer trying to connect...

    So I'm afraid this is the unlikely option in your diagnosis...
    Thanks for your assistance, where do we go from here?

    Ivo

    P.S. I've tried to run tests with another notebook at home against a SBS2003
    installation but ran into a certification problem, so I'll start a new thread
    for that one.

    Ivo, Feb 10, 2005
    #6
  7. Mark Gamache Guest

    Are you using smartcards or software certificates? How are the machine
    certificates provisioned? I skimmed back through your posts and didn't see
    any reference to the machine certs. You have to have them.

    --
    Mark Gamache
    Certified Security Solutions
    http://www.css-security.com



    Mark Gamache, Feb 11, 2005
    #7
  8. I understand your remarks. I'm using software certificates, this PC has both
    user and computer certificates all right. I'll double check it when I get to
    that PC. The machine certificates were provisioned through manual
    certificates, which was successful. I followed the procedures as in the
    Windows SBS 2003 Administrator's Companion (MS Press book).

    Thanks again, Ivo

    "Mark Gamache" wrote:

    > Are you using smartcards or software certificates? How are the machine
    > certificates provisioned? I skimmed back through your posts and didn't see
    > any reference to the machine certs. You have to have them.
    >
    > --
    > Mark Gamache
    > Certified Security Solutions
    > http://www.css-security.com
    >
    >
    >
    > "Ivo" <> wrote in message
    > news:D...
    > > You were right about not passing 802.1X authentication based on host
    > > verification. I looked into the IAS log and the computer account is not
    > > trying to connect. In the properties of the wireless connection, there's
    > > the
    > > Verification (i have it here in Dutch language so the english wording may
    > > be
    > > not exactly as my translation) tab and there's IEEE 802.1X verification is
    > > enabled, EAP type is smartcard or other certificate and the check box
    > > "verify
    > > as computer when computer information is available" is selected all right.
    > > But there's nothing in the IAS log about the computer trying to connect...
    > >
    > > So I'm afraid this is the unlikely option in your diagnosis...
    > > Thanks for your assistance, where do we go from here?
    > >
    > > Ivo
    > >
    > > P.S. I've tried to run tests with another notebook at home against a
    > > SBS2003
    > > installation but ran into a certification problem, so I'll start a new
    > > thread
    > > for that one.
    > >
    > > "Mark Gamache" wrote:
    > >
    > >> Based on your description, I am sure you are not passing 802.1X
    > >> authentication until after the user is logged in. If these laptops are
    > >> going to always be wireless, you will have to resolve the issue. If its
    > >> not
    > >> resolved, your machine group policy won't work and various things such as
    > >> mapped drives and password expiration warnings will not be generated.
    > >>
    > >> The first place to start is your IAS logs. Boot the laptop but don't
    > >> login.
    > >> Check your IAS logs to see if the computer account is trying to connect.
    > >> I
    > >> use this app to look at the logs. Its free to try.
    > >> http://www.deepsoftware.ru/iasviewer/ It makes them much easier to read.
    > >>
    > >> If the laptop doesn't even try to connect (there are no logs of it
    > >> attempting to auth. to the IAS server) then its likely that your Intel
    > >> NIC
    > >> or the app running it is not allowing it to associate to the AP until
    > >> someone is logged in. This is unlikely as the Intel 2100 should work
    > >> correctly. If the logs show an attempted connect that fails, then you
    > >> simply verify why it is failing. The logs are likely to answer that
    > >> question for you.
    > >>
    > >> I suspect the logs will tell you exactly what is going on. Its likely
    > >> that
    > >> not remote access policies apply to the computer's security context.
    > >> Remember, the computer has an account in the domain that it uses to
    > >> automatically log its self in to the domain with. This account needs to
    > >> have the appropriate group membership etc to pass your remote access
    > >> policy.
    > >>
    > >> Cheers,
    > >>
    > >> --
    > >> Mark Gamache
    > >> Certified Security Solutions
    > >> http://www.css-security.com
     
    =?Utf-8?B?SXZv?=, Feb 11, 2005
    #8
  9. In the meanwhile I have it working nicely at another site. That's SBS2003,
    with EAP-TLS and machine connects and then the logon dialogue and after logon
    the user connects. Same equipment: Linksys WAP54G and Intel 2100 chip on the
    client notebook.

    At the site with the problem described in the thread, it's SBS2000, I think
    I made everybody believe it was SBS2003 so far... Anyway, on this
    installation we still have to hope for the better, at the moment user connect
    is OK but no preceding machine connect, nothing is entering the IAS. O how I
    would love to solve this issue...

    Regards, Ivo



    "Ivo" wrote:

    > I understand your remarks. I'm using software certificates, this PC has both
    > user and computer certificates all right. I'll double check it when I get to
    > that PC. The machine certificates were provisioned through manual
    > certificates, which was successful. I followed the procedures as in the
    > Windows SBS 2003 Administrator's Companion (MS Press book).
    >
    > Thanks again, Ivo
    >
     
    =?Utf-8?B?SXZv?=, Feb 21, 2005
    #9
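Ivo's remark above that "nothing is entering the IAS" is the decisive observation in this thread, and it is exactly the check Mark suggested earlier: boot the laptop without logging on and look for the computer account in the IAS log. If the computer account never appears, the failure is before RADIUS (association, or the EAP identity exchange between supplicant and AP); if it appears and is rejected, the Reason-Code points at the remote access policy. The following is an added example, not code from the thread or from Microsoft: a small Python triage of IAS-format log lines. The log lines are constructed; the attribute ids (4136 Packet-Type, 4142 Reason-Code, 61 NAS-Port-Type) and the meaning of reason code 48 are written down as I recall them from the IAS log format and should be checked against the IAS documentation; the host/<fqdn> identity form is the one a Windows XP supplicant presents for EAP-TLS machine authentication.

```python
"""Triage an IAS-format (comma-separated) log for 802.1X machine authentication.

Added example for the thread above; the log lines are constructed, not real.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Attribute ids as used in IAS-format logs (assumed from memory of the format;
# verify against the IAS documentation for your server version).
PACKET_TYPE = "4136"    # 1 = Access-Request, 2 = Access-Accept, 3 = Access-Reject
REASON_CODE = "4142"    # 0 = success; 48 = no remote access policy matched (assumed)
NAS_PORT_TYPE = "61"    # standard RADIUS attribute; 19 = Wireless-IEEE 802.11

PACKET_NAMES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject"}


@dataclass(frozen=True)
class Record:
    identity: str           # User-Name field as IAS logged it
    packet_type: str        # decoded Packet-Type name, or the raw id
    reason: Optional[str]   # Reason-Code on accept/reject records
    wireless: bool          # NAS-Port-Type == 19 (802.11)

    @property
    def is_machine(self) -> bool:
        # A Windows XP supplicant doing EAP-TLS machine authentication presents the
        # computer account as host/<fqdn>; users appear as DOMAIN\user or user@domain.
        return self.identity.lower().startswith("host/")


def parse_ias_line(line: str) -> Record:
    """One IAS-format record: six fixed header fields, then attribute-id,value pairs."""
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < 6:
        raise ValueError(f"not an IAS-format record: {line!r}")
    pairs = fields[6:]
    attrs = dict(zip(pairs[0::2], pairs[1::2]))
    ptype = attrs.get(PACKET_TYPE, "?")
    return Record(
        identity=fields[1],
        packet_type=PACKET_NAMES.get(ptype, ptype),
        reason=attrs.get(REASON_CODE),
        wireless=attrs.get(NAS_PORT_TYPE) == "19",
    )


def triage_machine_auth(log_text: str, computer_fqdn: str) -> dict:
    """Did the computer account reach IAS at all, and if so, was it accepted?"""
    wanted = f"host/{computer_fqdn}".lower()
    records = [parse_ias_line(ln) for ln in log_text.splitlines() if ln.strip()]
    mine = [r for r in records if r.is_machine and r.identity.lower() == wanted]
    requests = sum(1 for r in mine if r.packet_type == "Access-Request")
    accepts = sum(1 for r in mine if r.packet_type == "Access-Accept")
    rejects = [r for r in mine if r.packet_type == "Access-Reject"]
    if not mine:
        status = "no_attempt"
        hint = ("IAS never saw the computer account: the problem is before RADIUS "
                "(supplicant not attempting machine auth, no association, or the AP "
                "not relaying EAP)")
    elif accepts:
        status = "accepted"
        hint = "machine authentication succeeded at least once"
    else:
        status = "rejected"
        hint = ("IAS rejected the computer account: check the Reason-Code against the "
                "remote access policy and the computer's group membership")
    return {"status": status, "requests": requests, "accepts": accepts,
            "rejects": len(rejects), "reasons": dict(Counter(r.reason for r in rejects)),
            "hint": hint}


# Constructed sample: a successful user logon over wireless, then the computer
# account is rejected with reason 48 (no matching policy, as assumed above).
SAMPLE_LOG = """\
192.168.16.1,MYDOM\\ivo,02/22/2005,09:02:11,IAS,SBSSERVER,4136,1,61,19
192.168.16.1,MYDOM\\ivo,02/22/2005,09:02:12,IAS,SBSSERVER,4136,2,4142,0,61,19
192.168.16.1,host/laptop1.mydom.local,02/22/2005,09:10:40,IAS,SBSSERVER,4136,1,61,19
192.168.16.1,host/laptop1.mydom.local,02/22/2005,09:10:41,IAS,SBSSERVER,4136,3,4142,48,61,19
"""

if __name__ == "__main__":
    print(triage_machine_auth(SAMPLE_LOG, "laptop1.mydom.local"))
    # Only the user lines: the thread's "nothing is entering the IAS" case.
    print(triage_machine_auth("\n".join(SAMPLE_LOG.splitlines()[:2]), "laptop1.mydom.local"))
```

The three outcomes map onto Mark's decision tree: "no_attempt" means the supplicant or AP side needs attention (driver, the "authenticate as computer" setting, AP relaying EAP), "rejected" means IAS saw the computer and the remote access policy or group membership is wrong, and "accepted" means machine authentication works and any remaining roaming-profile trouble lies elsewhere.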
  10. =?Utf-8?B?SXZv?=

    Mark Gamache Guest

    I reread the thread and am not sure, so I'll ask. Were you able to
    provision a machine certificate on the laptop?

    Does your AP have any logging features that may give EAP related info and
    association info? Before the AP sends your laptop's EAP-TLS to the IAS
    server, the wireless client must associate. Then the AP sends an
    EAP-Request-Identity, which I'm sure is working if you are getting on
    with user certs. Your laptop should send an EAP-Response-Identity. The
    response is based on the setup of your wireless auth tab. It would help to
    know if your PC is associating and if it is seeing and responding to the EAP
    messages. Only when this works does your IAS server get to see traffic.

    Cheers,


    --
    Mark Gamache
    Certified Security Solutions
    http://www.css-security.com



    "Ivo" <> wrote in message
    news:...
    > In the meanwhile I have it working nicely at another site. That's SBS2003,
    > with EAP-TLS and machine connects and then the logon dialogue and after
    > logon
    > the user connects. Same equipment: Linksys WAP54G and Intel 2100 chip on
    > the
    > client notebook.
    >
    > At the site with the problem described in the thread, it's SBS2000, I
    > think
    > I made everybody believe it was SBS2003 so far... Anyway, on this
    > installation we still have to hope for the better, at the moment user
    > connect
    > is OK but no preceding machine connect, nothing is entering the IAS. O how
    > I
    > would love to solve this issue...
    >
    > Regards, Ivo
    >
     
    Mark Gamache, Feb 22, 2005
    #10
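The sequence Mark lays out (associate, EAP-Request/Identity from the AP, EAP-Response/Identity from the supplicant, then EAP-TLS relayed to IAS) can be checked on the wire with a packet capture on the client, which is the usual substitute for an AP with no logging. As an added example that is not part of the thread, here is a Python decoder for EAPOL/EAP frames that reports how far an exchange got. Frame layouts follow IEEE 802.1X, RFC 3748 and RFC 5216; the frames in the sample exchange are constructed for the demonstration, the TLS payload is a stub, and the stage names are this example's own rather than protocol terms.

```python
"""Decode a captured EAPOL/EAP exchange and report how far 802.1X got.

Added example; frame layouts follow IEEE 802.1X, RFC 3748 and RFC 5216. The frames
in EXCHANGE_OK are constructed here, not captured from the thread's equipment.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 3: "Nak", 13: "EAP-TLS"}
TLS_FLAG_START = 0x20   # RFC 5216 flags byte: L = 0x80, M = 0x40, S = 0x20


@dataclass
class EapolFrame:
    eapol_type: str
    code: Optional[str] = None
    identifier: Optional[int] = None
    method: Optional[str] = None
    identity: Optional[str] = None   # payload of an Identity request/response
    tls_start: bool = False          # EAP-TLS Start flag set by the server


def decode_eapol(frame: bytes) -> EapolFrame:
    """EAPOL header (version, type, length), then for EAP-Packet the EAP header
    (code, id, length) and the method type byte plus method data."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    _version, etype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    out = EapolFrame(eapol_type=EAPOL_TYPES.get(etype, f"type-{etype}"))
    if etype != 0:
        return out                      # Start/Logoff/Key carry no EAP packet
    if length < 4:
        raise ValueError("short EAP header")
    code, ident, elen = struct.unpack("!BBH", body[:4])
    if elen < 4 or elen > length:
        raise ValueError("bad EAP length")
    out.code = EAP_CODES.get(code, f"code-{code}")
    out.identifier = ident
    if code in (1, 2) and elen >= 5:    # only Request/Response carry a method type
        mtype = body[4]
        out.method = EAP_METHODS.get(mtype, f"method-{mtype}")
        data = body[5:elen]
        if mtype == 1:
            out.identity = data.decode("utf-8", "replace")
        elif mtype == 13 and data:
            out.tls_start = bool(data[0] & TLS_FLAG_START)
    return out


def build_eapol(code: int, ident: int, mtype: Optional[int] = None, data: bytes = b"") -> bytes:
    """Inverse of decode_eapol, used here to construct the sample exchange."""
    eap_body = (bytes([mtype]) + data) if code in (1, 2) else b""
    eap = struct.pack("!BBH", code, ident, 4 + len(eap_body)) + eap_body
    return struct.pack("!BBH", 1, 0, len(eap)) + eap


def auth_stage(frames: List[bytes]) -> Tuple[str, Optional[str]]:
    """Walk the frames in order and return (last stage reached, identity offered).
    Stage names are this example's own, not protocol terms."""
    stage, identity = "no-eapol-seen", None
    for f in map(decode_eapol, frames):
        if f.eapol_type == "EAPOL-Start":
            stage = "client-sent-eapol-start"
        elif f.code == "Request" and f.method == "Identity":
            stage = "ap-requested-identity"          # stalls here if the supplicant is silent
        elif f.code == "Response" and f.method == "Identity":
            identity = f.identity
            machine = identity.lower().startswith("host/")
            stage = "machine-identity-sent" if machine else "user-identity-sent"
        elif f.code == "Request" and f.method == "EAP-TLS" and f.tls_start:
            stage = "eap-tls-start-received"         # server side reached, TLS not begun
        elif f.code == "Response" and f.method == "EAP-TLS":
            stage = "eap-tls-handshake-in-progress"
        elif f.code in ("Success", "Failure"):
            stage = f.code.lower()
    return stage, identity


# Constructed machine authentication that completes; the TLS bytes are a stub.
EXCHANGE_OK = [
    build_eapol(1, 1, 1),                                      # AP:     Request/Identity
    build_eapol(2, 1, 1, b"host/laptop1.mydom.local"),        # client: Response/Identity
    build_eapol(1, 2, 13, bytes([TLS_FLAG_START])),           # AP:     EAP-TLS Start (from IAS)
    build_eapol(2, 2, 13, b"\x00\x16\x03\x01"),               # client: ClientHello fragment
    build_eapol(3, 3),                                         # AP:     Success
]
EXCHANGE_STUCK = EXCHANGE_OK[:1]   # Request/Identity sent, supplicant never answers

if __name__ == "__main__":
    print(auth_stage(EXCHANGE_OK))      # ('success', 'host/laptop1.mydom.local')
    print(auth_stage(EXCHANGE_STUCK))   # ('ap-requested-identity', None)
```

Reading a real capture this way answers Mark's two questions directly: whether the PC is seeing the EAP-Request/Identity at all, and what identity it answers with. A "host/" identity confirms the supplicant is doing machine authentication; a DOMAIN\user identity before logon, or no response at all, means the client-side configuration (or the driver's ability to run 802.1X without a logged-on user) is where to look, and IAS will rightly show nothing.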
  11. I managed to provision a machine certificate on the user's laptop, some weeks
    ago. Yesterday I went there with my notebook but alas, there was the MMC
    certificate request problem (on my notebook only). So the answer to your
    question is: yes.
    I will look into your protocol sequence in more detail, but this certainly
    happens after the user logs on.
    Thanks for your good advice, next time when I am on the W2K SBS site, I will
    try to make some progress in finding out what's really wrong???
    Thanks again, Ivo
     
    =?Utf-8?B?SXZv?=, Feb 22, 2005
    #11
  12. I have reinstalled the notebook and the problem with requesting certificates
    went away... Now it seems I'm back at the machine authentication. I actually
    set some EAPOL registry key called Authmode to 2, thereby forcing machine
    authentication only.
    Remember I had user authentication working ok, machine authentication not.

    When I change this registry key to 2, the wireless notebook shows
    "validating identity" and this goes on forever. No reject/accept messages in
    the IAS log, nothing in the IAS system event log. The AP is Linksys WAP54G
    and has almost no logging feature. The IAS is a service of the SBS 2003
    does-it-all server. I have requested user and machine certificates.

    Are you still there?
    Thanks,
    Ivo

    "Mark Gamache" wrote:

    > I reread the thread and am not sure, so I'll ask. Were you able to
    > provision a machine certificate on the laptop?
    >
    > Does your AP have any logging features that may give EAP related info and
    > association info? Before the AP sends your laptop's EAP-TLS to the IAS
    > server, the wireless client must associate. Then the AP sends an
    > EAP-Request-Identity, which I'm sure is working if you are getting on
    > with user certs. Your laptop should send an EAP-Response-Identity. The
    > response is based on the setup of your wireless auth tab. It would help to
    > know if your PC is associating and if it is seeing and responding to the EAP
    > messages. Only when this works does your IAS server get to see traffic.
    >
    > Cheers,
    >
    >
    > --
    > Mark Gamache
    > Certified Security Solutions
    > http://www.css-security.com
    >
    >
    >
    > "Ivo" <> wrote in message
    > news:...
    > > In the meanwhile I have it working nicely at another site. That's SBS2003,
    > > with EAP-TLS and machine connects and then the logon dialogue and after
    > > logon
    > > the user connects. Same equipment: Linksys WAP54G and Intel 2100 chip on
    > > the
    > > client notebook.
    > >
    > > At the site with the problem described in the thread, it's SBS2000, I
    > > think
    > > I made everybody believe it was SBS2003 so far... Anyway, on this
    > > installation we still have to hope for the better, at the moment user
    > > connect
    > > is OK but no preceding machine connect, nothing is entering the IAS. O how
    > > I
    > > would love to solve this issue...
    > >
    > > Regards, Ivo
    > >
    > >
    > >
    > > "Ivo" wrote:
    > >
    > >> I understand your remarkts. I'm using software certificates, this PC has
    > >> both
    > >> user and computer certificates all right. I'll double check it when I get
    > >> to
    > >> that PC. The machine certificates were provisioned through manual
    > >> certificates, which was successful. I followed the procedures as in hte
    > >> Windows SBS 2003 Administrator's Companion (MS Press book).
    > >>
    > >> Thanks again, Ivo
    > >>
    > >> "Mark Gamache" wrote:
    > >>
    > >> > Are you using smartcards or software certificates? How are the machine
    > >> > certificates provisioned? I skimmed back through your posts and didn't
    > >> > see
    > >> > any reference to the machine certs. You have to have them.
    > >> >
    > >> > --
    > >> > Mark Gamache
    > >> > Certified Security Solutions
    > >> > http://www.css-security.com
    > >> >
    > >> >
    > >> >
    > >> > "Ivo" <> wrote in message
    > >> > news:D...
    > >> > > You were right about not passing 802.1X authentication based on host
    > >> > > verification. I looked into the IAS log and the computer account is
    > >> > > not
    > >> > > trying to connect. In the properties of the wireless connection,
    > >> > > there's
    > >> > > the
    > >> > > Verification (i have it here in Dutch language so the english wording
    > >> > > may
    > >> > > be
    > >> > > not exactly as my translation) tab and there's IEEE 802.1X
    > >> > > verification is
    > >> > > enabled, EAP type is smartcard or other certificate and the check box
    > >> > > "verify
    > >> > > as computer when computer information is available" is selected all
    > >> > > right.
    > >> > > But there's nothing in the IAS log about the computer trying to
    > >> > > connect...
    > >> > >
    > >> > > So I'm afraid this is the unlikely option in your diagnosis...
    > >> > > Thanks for your assistance, where do we go from here?
    > >> > >
    > >> > > Ivo
    > >> > >
    > >> > > P.S. I've tried to run tests with another notebook at home against a
    > >> > > SBS2003
    > >> > > installation but ran into a certification problem, so I'll start a
    > >> > > new
    > >> > > thread
    > >> > > for that one.
    > >> > >
    > >> > > "Mark Gamache" wrote:
    > >> > >
    > >> > >> Based on your description, I am sure you are not passing 802.1X
    > >> > >> authentication until after the user is logged in. If these laptops
    > >> > >> are
    > >> > >> going to always be wireless, you will have to resolve the issue. If
    > >> > >> its
    > >> > >> not
    > >> > >> resolved, your machine group policy won't work and various things
    > >> > >> such as
    > >> > >> mapped drives and password expiration warnings will not be
    > >> > >> generated.
    > >> > >>
    > >> > >> The first place to start is your IAS logs. Boot the laptop but
    > >> > >> don't
    > >> > >> login.
    > >> > >> Check your IAS logs to see if the computer account is trying to
    > >> > >> connect.
    > >> > >> I
    > >> > >> use this app to look at the logs. Its free to try.
    > >> > >> http://www.deepsoftware.ru/iasviewer/ It makes them much easier to
    > >> > >> read.
    > >> > >>
    > >> > >> If the laptop doesn't even try to connect (there are no logs of it
    > >> > >> attempting to auth. to the IAS server) then its likely that your
    > >> > >> Intel
    > >> > >> NIC
    > >> > >> or the app running it is not allowing it to associate to the AP
    > >> > >> until
    > >> > >> someone is logged in. This is unlikely as the Intel 2100 should
    > >> > >> work
    > >> > >> correctly. If the logs show an attempted connect that fails, then
    > >> > >> you
    > >> > >> simply verify why it is failing. The logs are likely to answer that
    > >> > >> question for you.
    > >> > >>
    > >> > >> I suspect the logs will tell you exactly what is going on. Its
    > >> > >> likely
    > >> > >> that
    > >> > >> not remote access policies apply to the computer's security context.
    > >> > >> Remember, the computer has an account in the domain that it uses to
    > >> > >> automatically log its self in to the domain with. This account
    > >> > >> needs to
    > >> > >> have the appropriate group membership etc to pass your remote access
    > >> > >> policy.
    > >> > >>
    > >> > >> Cheers,
    > >> > >>
    > >> > >> --
    > >> > >> Mark Gamache
    > >> > >> Certified Security Solutions
    > >> > >> http://www.css-security.com
    > >> > >>
    > >> > >>
    > >> > >>
    > >> > >> "Ivo" <> wrote in message
    > >> > >> news:...
    > >> > >> > Hello Mark,
    > >> > >> >
    > >> > >> > I've upgraded to the latest available Intel 2100b driver found on the
    > >> > >> > Acer TM803LMi support site. Afterwards I could choose WPA/TKIP in my
    > >> > >> > WXPSP2 notebook and I changed the settings on the Linksys WAP54G
    > >> > >> > accordingly. When the notebook is restarted (disconnected from the
    > >> > >> > wired network), I'm presented with the logon dialogue and then (after
    > >> > >> > OK) it takes some time, but unfortunately the message about not being
    > >> > >> > able to reach the roaming profile reappears. And once logged on, the
    > >> > >> > drive letters to network shares are not available (I do NET USE to
    > >> > >> > get the list, it's empty). When I then logoff/logon, the situation is
    > >> > >> > different. This time it takes the roaming profile and NET USE shows
    > >> > >> > the drive letters my user likes. But the letters still do not appear
    > >> > >> > in his Windows Explorer / My Computer, this takes extra time, but
    > >> > >> > eventually they become available with no extra actions.
    > >> > >> >
    > >> > >> > Still some questions about this:
    > >> > >> > - is this the best result I can obtain or can we do better?
    > >> > >> > - would it work with the roaming profile also after a notebook restart
    > >> > >> >   (i.e. on the first logon)?
    > >> > >> > - would there be a sign indicating that the computer connected OK to
    > >> > >> >   the domain, or how does the user know how long to wait before
    > >> > >> >   clicking OK on the logon dialog?
    > >> > >> >
    > >> > >> > Suggestions on how to proceed are very much appreciated, thanks in
    > >> > >> > advance,
    > >> > >> > Ivo
    > >> > >> >
     
    =?Utf-8?B?SXZv?=, Apr 12, 2005
    #12
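Mark's advice in this thread comes down to two prerequisites for machine authentication: the computer needs a machine certificate it can use for EAP-TLS, and the computer account (not only the user) must be in the group that the wireless remote access policy checks. The following PowerShell check is an added example, not code from the thread or from any product named in it; it assumes a domain-joined client with the ActiveDirectory module available, and the group name is a placeholder.

```powershell
# Added example: verify the two prerequisites for machine authentication on a
# domain-joined Windows client before troubleshooting roaming profiles.
# Assumptions: ActiveDirectory module installed; $WirelessGroup is a placeholder
# for the group named in your wireless remote access policy.
param(
    [string]$WirelessGroup = 'Wireless Access'   # placeholder group name
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU
$ekuExtOid     = '2.5.29.37'           # Extended Key Usage extension
$now = Get-Date

# 1. Machine certificate: valid now, private key present, and Client
#    Authentication EKU in the LocalMachine Personal store.
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    (($_.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid } |
        ForEach-Object { $_.EnhancedKeyUsages.Value }) -contains $clientAuthOid)
}
if ($machineCerts) {
    Write-Host 'OK: machine certificate(s) usable for EAP-TLS client authentication:'
    $machineCerts | ForEach-Object {
        Write-Host ('    {0} (expires {1:d})' -f $_.Subject, $_.NotAfter)
    }
} else {
    Write-Host 'MISSING: no valid machine certificate with Client Authentication EKU in LocalMachine\My.'
}

# 2. Group membership: the computer account itself must be a member of the
#    wireless group, otherwise the policy is only satisfied after a user logs on.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties MemberOf
$group    = Get-ADGroup -Identity $WirelessGroup
if ($computer.MemberOf -contains $group.DistinguishedName) {
    Write-Host "OK: $($computer.Name)`$ is a direct member of '$WirelessGroup'."
} else {
    Write-Host "MISSING: $($computer.Name)`$ is not a direct member of '$WirelessGroup'; add the computer account, not only the users."
}
```

The membership test only looks at direct membership; if your policy group contains nested groups, resolve them first (for example with the group's recursive membership) before trusting a MISSING result.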
