WPA2 with 802.1x - network startup too late

Discussion in 'Wireless Networking' started by Bernhard Wagner, Jul 28, 2005.

  1. Hi, I try to upgrade our XP Notebooks to WPA2 - currently they're working at
    WPA with 802.1x Radius Authentication over the IAS Service running on W2K3
    Routers are Linksys WRT54GS with the newest firmware 4.50, supporting WPA2
    Enterprise

    The problems occur during computer startup: As Windows XP is starting the
    network, it tries to authenticate with the computer account on the DC - this
    works with WPA (1) in nearly 99% of all startups - so it's ok for me.
    Interestingly, only Linksys and Cisco WAPs are REALLY capable to support
    this, I've tried about 30 WAPs from others (Dlink, Netgear and so on) -
    they're all crap...
    So I am Linksys biased - well...

    BUT - changing to WPA2 is doesn't work, the network starts, wait's about 30
    seconds and times out, seeing that because no computer policies from my
    group policy settings are applied. So there are 2 possibilities:

    1) Linksys WPA2 Enterprise support doesn't work
    2) XP SP2 (yes, inkl. hotfix for WPA2 support) has a bug

    So - has anyone tried to run WPA2 with Radius Authentication and can tell me
    that the network is REALLY started up so that Group Policy applies before
    logon? With which HW?

    Thanx in adv.

    Bernhard
    Bernhard Wagner, Jul 28, 2005
    #1
    1. Advertising

  2. Bernhard Wagner

    Clark Guest

    Would this have any relevance?

    http://support.microsoft.com/default.aspx?scid=kb;en-us;893357

    Clark

    "Bernhard Wagner" <> wrote in message
    news:...
    > Hi, I try to upgrade our XP Notebooks to WPA2 - currently they're working
    > at WPA with 802.1x Radius Authentication over the IAS Service running on
    > W2K3
    > Routers are Linksys WRT54GS with the newest firmware 4.50, supporting WPA2
    > Enterprise
    >
    > The problems occur during computer startup: As Windows XP is starting the
    > network, it tries to authenticate with the computer account on the DC -
    > this works with WPA (1) in nearly 99% of all startups - so it's ok for me.
    > Interestingly, only Linksys and Cisco WAPs are REALLY capable to support
    > this, I've tried about 30 WAPs from others (Dlink, Netgear and so on) -
    > they're all crap...
    > So I am Linksys biased - well...
    >
    > BUT - changing to WPA2 is doesn't work, the network starts, wait's about
    > 30 seconds and times out, seeing that because no computer policies from my
    > group policy settings are applied. So there are 2 possibilities:
    >
    > 1) Linksys WPA2 Enterprise support doesn't work
    > 2) XP SP2 (yes, inkl. hotfix for WPA2 support) has a bug
    >
    > So - has anyone tried to run WPA2 with Radius Authentication and can tell
    > me that the network is REALLY started up so that Group Policy applies
    > before logon? With which HW?
    >
    > Thanx in adv.
    >
    > Bernhard
    >
    Clark, Jul 28, 2005
    #2
    1. Advertising

  3. Have you verified that machine authentication is completing prior to the
    Winlogon event? Machine authentication must complete for you to have
    connectivity before logon. If machine authentication is not completing,
    then use the IAS logs to determine if there was a logon failure. Next
    verify if the authentication failure is on the client side. This is most
    likely a problem with credentials as you may be missing the root certificate
    or machine certificate on the client.

    There are other aspects to investigate if everything checks out on level.
    Please reply back with results of the initial investigation.

    --
    Jerry Peterson
    Windows Network Services - Wireless

    This posting is provided "AS IS" with no warranties, and confers no rights.
    "Bernhard Wagner" <> wrote in message
    news:...
    > Hi, I try to upgrade our XP Notebooks to WPA2 - currently they're working
    > at WPA with 802.1x Radius Authentication over the IAS Service running on
    > W2K3
    > Routers are Linksys WRT54GS with the newest firmware 4.50, supporting WPA2
    > Enterprise
    >
    > The problems occur during computer startup: As Windows XP is starting the
    > network, it tries to authenticate with the computer account on the DC -
    > this works with WPA (1) in nearly 99% of all startups - so it's ok for me.
    > Interestingly, only Linksys and Cisco WAPs are REALLY capable to support
    > this, I've tried about 30 WAPs from others (Dlink, Netgear and so on) -
    > they're all crap...
    > So I am Linksys biased - well...
    >
    > BUT - changing to WPA2 is doesn't work, the network starts, wait's about
    > 30 seconds and times out, seeing that because no computer policies from my
    > group policy settings are applied. So there are 2 possibilities:
    >
    > 1) Linksys WPA2 Enterprise support doesn't work
    > 2) XP SP2 (yes, inkl. hotfix for WPA2 support) has a bug
    >
    > So - has anyone tried to run WPA2 with Radius Authentication and can tell
    > me that the network is REALLY started up so that Group Policy applies
    > before logon? With which HW?
    >
    > Thanx in adv.
    >
    > Bernhard
    >
    Jerry Peterson[MSFT], Aug 1, 2005
    #3
  4. solved? WPA2 with 802.1x - network startup too late

    Hi Jerry,

    thank you for your answer, I think the issue is solved, I flashed the
    Linksys WGRT54GS to the new firmware revision 4.70.6 (even the readme says
    nothing about changed wpa2 behavior) and computer startup authentication
    works now, but it takes a long time (about 30 seconds "starting the network"
    box)

    I feel that the whole WPA(2) Radius - computer startup machine
    authentication story is extremly sensitive, in my opinion MS should work on
    that - it's strange that only Cisco-Linksys APs really work in this
    configuration and I don't believe it's only the problem of the firmware of
    other manufacturers. What's yours or MS's experience with this todays
    strongest form of authentication?

    Thank you, yours

    Bernhard W.

    "Jerry Peterson[MSFT]" <> schrieb im Newsbeitrag
    news:%...
    > Have you verified that machine authentication is completing prior to the
    > Winlogon event? Machine authentication must complete for you to have
    > connectivity before logon. If machine authentication is not completing,
    > then use the IAS logs to determine if there was a logon failure. Next
    > verify if the authentication failure is on the client side. This is most
    > likely a problem with credentials as you may be missing the root
    > certificate or machine certificate on the client.
    >
    > There are other aspects to investigate if everything checks out on level.
    > Please reply back with results of the initial investigation.
    >
    > --
    > Jerry Peterson
    > Windows Network Services - Wireless
    >
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights.
    > "Bernhard Wagner" <> wrote in message
    > news:...
    >> Hi, I try to upgrade our XP Notebooks to WPA2 - currently they're working
    >> at WPA with 802.1x Radius Authentication over the IAS Service running on
    >> W2K3
    >> Routers are Linksys WRT54GS with the newest firmware 4.50, supporting
    >> WPA2 Enterprise
    >>
    >> The problems occur during computer startup: As Windows XP is starting the
    >> network, it tries to authenticate with the computer account on the DC -
    >> this works with WPA (1) in nearly 99% of all startups - so it's ok for
    >> me. Interestingly, only Linksys and Cisco WAPs are REALLY capable to
    >> support this, I've tried about 30 WAPs from others (Dlink, Netgear and so
    >> on) - they're all crap...
    >> So I am Linksys biased - well...
    >>
    >> BUT - changing to WPA2 is doesn't work, the network starts, wait's about
    >> 30 seconds and times out, seeing that because no computer policies from
    >> my group policy settings are applied. So there are 2 possibilities:
    >>
    >> 1) Linksys WPA2 Enterprise support doesn't work
    >> 2) XP SP2 (yes, inkl. hotfix for WPA2 support) has a bug
    >>
    >> So - has anyone tried to run WPA2 with Radius Authentication and can tell
    >> me that the network is REALLY started up so that Group Policy applies
    >> before logon? With which HW?
    >>
    >> Thanx in adv.
    >>
    >> Bernhard
    >>

    >
    >
    Bernhard Wagner, Aug 3, 2005
    #4
  5. Re: solved? WPA2 with 802.1x - network startup too late

    A wireless sniffer would allow you to diagnose a performance problem with
    your equipment. A slow DHCP server is another common culprit.

    --
    Jerry Peterson
    Windows Network Services - Wireless

    This posting is provided "AS IS" with no warranties, and confers no rights.
    "Bernhard Wagner" <> wrote in message
    news:uXmAf5$...
    > Hi Jerry,
    >
    > thank you for your answer, I think the issue is solved, I flashed the
    > Linksys WGRT54GS to the new firmware revision 4.70.6 (even the readme says
    > nothing about changed wpa2 behavior) and computer startup authentication
    > works now, but it takes a long time (about 30 seconds "starting the
    > network" box)
    >
    > I feel that the whole WPA(2) Radius - computer startup machine
    > authentication story is extremly sensitive, in my opinion MS should work
    > on that - it's strange that only Cisco-Linksys APs really work in this
    > configuration and I don't believe it's only the problem of the firmware of
    > other manufacturers. What's yours or MS's experience with this todays
    > strongest form of authentication?
    >
    > Thank you, yours
    >
    > Bernhard W.
    >
    > "Jerry Peterson[MSFT]" <> schrieb im
    > Newsbeitrag news:%...
    >> Have you verified that machine authentication is completing prior to the
    >> Winlogon event? Machine authentication must complete for you to have
    >> connectivity before logon. If machine authentication is not completing,
    >> then use the IAS logs to determine if there was a logon failure. Next
    >> verify if the authentication failure is on the client side. This is most
    >> likely a problem with credentials as you may be missing the root
    >> certificate or machine certificate on the client.
    >>
    >> There are other aspects to investigate if everything checks out on level.
    >> Please reply back with results of the initial investigation.
    >>
    >> --
    >> Jerry Peterson
    >> Windows Network Services - Wireless
    >>
    >> This posting is provided "AS IS" with no warranties, and confers no
    >> rights.
    >> "Bernhard Wagner" <> wrote in message
    >> news:...
    >>> Hi, I try to upgrade our XP Notebooks to WPA2 - currently they're
    >>> working at WPA with 802.1x Radius Authentication over the IAS Service
    >>> running on W2K3
    >>> Routers are Linksys WRT54GS with the newest firmware 4.50, supporting
    >>> WPA2 Enterprise
    >>>
    >>> The problems occur during computer startup: As Windows XP is starting
    >>> the network, it tries to authenticate with the computer account on the
    >>> DC - this works with WPA (1) in nearly 99% of all startups - so it's ok
    >>> for me. Interestingly, only Linksys and Cisco WAPs are REALLY capable to
    >>> support this, I've tried about 30 WAPs from others (Dlink, Netgear and
    >>> so on) - they're all crap...
    >>> So I am Linksys biased - well...
    >>>
    >>> BUT - changing to WPA2 is doesn't work, the network starts, wait's about
    >>> 30 seconds and times out, seeing that because no computer policies from
    >>> my group policy settings are applied. So there are 2 possibilities:
    >>>
    >>> 1) Linksys WPA2 Enterprise support doesn't work
    >>> 2) XP SP2 (yes, inkl. hotfix for WPA2 support) has a bug
    >>>
    >>> So - has anyone tried to run WPA2 with Radius Authentication and can
    >>> tell me that the network is REALLY started up so that Group Policy
    >>> applies before logon? With which HW?
    >>>
    >>> Thanx in adv.
    >>>
    >>> Bernhard
    >>>

    >>
    >>

    >
    >
    Jerry Peterson[MSFT], Aug 9, 2005
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Donchano

    Xtra's Damage Control - Too Little Too Late

    Donchano, Aug 24, 2007, in forum: NZ Computing
    Replies:
    38
    Views:
    1,129
    Jasen Betts
    Sep 3, 2007
  2. Knut Arvid Keilen

    Is it too early - or is it too late.

    Knut Arvid Keilen, Feb 25, 2008, in forum: Computer Support
    Replies:
    1
    Views:
    421
    dick blisters
    Feb 25, 2008
  3. smackedass

    from the "Too Little Too Late" folks

    smackedass, Jun 20, 2008, in forum: A+ Certification
    Replies:
    1
    Views:
    1,428
    smackedass
    Jun 20, 2008
  4. Obaid
    Replies:
    0
    Views:
    1,572
    Obaid
    Oct 19, 2009
  5. Obaid
    Replies:
    0
    Views:
    1,481
    Obaid
    Oct 19, 2009
Loading...

Share This Page