Wireless and Windows roaming profiles

Discussion in 'Wireless Networking' started by Guest, Feb 3, 2005.

  1. Guest

    Guest Guest

    I've set up a secure wireless infrastructure on SBS2000, it's small and I
    test it on one ACER TM803LMi (with the Intel 2100 built-in). It works with
    certificates etc. When I disconnect the cable and restart the PC, then the
    user apparently gets logged on with its cached credentials and then the wifi
    comes up. There was a warning (cannot find your roaming profile) also. So the
    end result is connectivity but no use of the roaming profile and also the
    user's netlogon script (net use etc) was not executed.
    Can wireless connection be combined with roaming profiles?

    Thanks, Ivo
     
    Guest, Feb 3, 2005
    #1

  2. Guest

    Mark Gamache Guest

    Ivo,

    This is partly reliant on your hardware and partly on your remote access
    policy and group membership. Not all wireless hardware will associate to
    the AP and authenticate without a user logged in. Most will retain the
    settings of the last user. Assuming that your hardware supports it, you
    need the computer to be able to log in using its machine account. This
    means that the computer accounts need to be a member of the wireless group
    that you are adding your users to. If you are using certificates for TLS,
    then you will need to make sure the computers have machine certificates.

    Once you do this, the computer will authenticate to the AP when it boots.
    This will allow for your users to log into the domain instead of using their
    cached creds.

    Cheers,
     
    Mark Gamache, Feb 3, 2005
    #2

  3. Guest

    Guest Guest

    Thank you. It's good to know that it should work ;-)

    I've read some more articles on this as well as your explanation, and the
    problem may be related to an outdated driver on my Acer TM803LMi, it has the
    Intel 2100 (b-mode) built-in. I will update the driver tomorrow, the computer
    account is part of the wireless group, and the machine certificate is on the
    client computer OK.
    The outdated driver doesn't show the WPA option in the network
    authentication drop down box...

    Thank you very much for your reply,
    Ivo
     
    Guest, Feb 3, 2005
    #3
  4. Guest

    Guest Guest

    Hello Mark,

    I've upgraded to the latest available Intel 2100b driver found on the Acer
    TM803LMi support site. Afterwards I could choose WPA/TKIP in my WXPSP2
    notebook and I changed the settings on the Linksys WAP54G accordingly. When
    the notebook is restarted (disconnected from the wired network), I'm
    presented with the logon dialogue and then (after OK) it takes some time, but
    unfortunately the message about not being able to reach the roaming profile
    reappears. And once logged on, the drive letters to network shares are not
    available (I do NET USE to get the list, it's empty). When I then
    logoff/logon, the situation is different. This time it takes the roaming
    profile and NET USE shows the drive letters my user likes. But the letters
    still do not appear in his Windows Explorer / My Computer, this takes extra
    time, but eventually they become available with no extra actions.

    Still some questions about this:
    - is this the best result I can obtain or can we do better?
    - would it work with the roaming profile also after a notebook restart (i.e.
    on the first logon)
    - would there be a sign indicating that the computer connected OK to the
    domain, or how does the user know how long to wait before clicking OK on the
    logon dialog.

    Suggestions on how to proceed are very much appreciated, thanks in advance,
    Ivo
     
    Guest, Feb 7, 2005
    #4
  5. Guest

    Mark Gamache Guest

    Based on your description, I am sure you are not passing 802.1X
    authentication until after the user is logged in. If these laptops are
    going to always be wireless, you will have to resolve the issue. If it's not
    resolved, your machine group policy won't work and various things such as
    mapped drives and password expiration warnings will not be generated.

    The first place to start is your IAS logs. Boot the laptop but don't login.
    Check your IAS logs to see if the computer account is trying to connect. I
    use this app to look at the logs. It's free to try.
    http://www.deepsoftware.ru/iasviewer/ It makes them much easier to read.

    If the laptop doesn't even try to connect (there are no logs of it
    attempting to auth. to the IAS server) then it's likely that your Intel NIC
    or the app running it is not allowing it to associate to the AP until
    someone is logged in. This is unlikely as the Intel 2100 should work
    correctly. If the logs show an attempted connect that fails, then you
    simply verify why it is failing. The logs are likely to answer that
    question for you.

    I suspect the logs will tell you exactly what is going on. It's likely that
    no remote access policies apply to the computer's security context.
    Remember, the computer has an account in the domain that it uses to
    automatically log itself in to the domain with. This account needs to
    have the appropriate group membership etc to pass your remote access policy.

    Cheers,
     
    Mark Gamache, Feb 7, 2005
    #5
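Mark's advice above is to read the IAS log and ask two questions: does the computer account ever reach the RADIUS server at all, and if it does, why is it rejected? The script below is an added example written for this thread, not something Mark or Ivo posted. It parses IAS-format (comma-separated) log records, separates machine-account attempts (EAP-TLS presents the machine identity as `host/<fqdn>`) from user attempts, and turns the counts into the same verdict Mark describes: no machine records means the supplicant side is the problem, machine rejects mean the remote access policy or the computer's group membership is the problem. The attribute IDs (4136 Packet-Type, 4142 Reason-Code, RADIUS 61 and 31) come from the IAS log format documentation; the four log lines, the server and domain names, and the MAC address are constructed sample data.

```python
"""Triage IAS-format log records for 802.1X wireless machine vs user authentication.

IAS-format records have six fixed fields:
  NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name
followed by attribute-ID,value pairs. Attribute IDs used here:
  4136  Packet-Type  (1 Access-Request, 2 Access-Accept, 3 Access-Reject)
  4142  Reason-Code  (0 success, 16 credential failure, 48 no policy matched)
  61    NAS-Port-Type (19 = Wireless-IEEE 802.11)
  31    Calling-Station-Id (client MAC address)
"""
import csv
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

ATTR_PACKET_TYPE = "4136"
ATTR_REASON_CODE = "4142"
ATTR_NAS_PORT_TYPE = "61"
ATTR_CALLING_STATION = "31"

PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject"}
REASON_CODES = {
    "0": "success",
    "16": "authentication failure (credentials/certificate)",
    "48": "no remote access policy matched",
}

# Constructed sample log: one machine attempt that is rejected because no
# policy matched, followed by a user attempt that succeeds (Ivo's symptom).
SAMPLE_LOG = """\
192.168.16.1,host/laptop1.example.local,02/10/2005,08:01:12,IAS,SBSSERVER,4136,1,61,19,31,00-0C-F1-11-22-33
192.168.16.1,host/laptop1.example.local,02/10/2005,08:01:13,IAS,SBSSERVER,4136,3,4142,48,61,19,31,00-0C-F1-11-22-33
192.168.16.1,EXAMPLE\\ivo,02/10/2005,08:02:40,IAS,SBSSERVER,4136,1,61,19,31,00-0C-F1-11-22-33
192.168.16.1,EXAMPLE\\ivo,02/10/2005,08:02:41,IAS,SBSSERVER,4136,2,4142,0,61,19,31,00-0C-F1-11-22-33
"""


@dataclass
class Record:
    user_name: str
    packet_type: str
    reason: Optional[str]
    wireless: bool
    mac: Optional[str]

    @property
    def is_machine(self) -> bool:
        # EAP-TLS machine authentication sends the identity as host/<fqdn>.
        return self.user_name.lower().startswith("host/")


def parse_line(line: str) -> Record:
    """Parse one IAS-format record into a Record."""
    fields = next(csv.reader([line]))
    if len(fields) < 6 or (len(fields) - 6) % 2:
        raise ValueError(f"malformed IAS record: {line!r}")
    # Attribute-ID/value pairs follow the six fixed fields; a repeated ID keeps its last value.
    attrs = dict(zip(fields[6::2], fields[7::2]))
    return Record(
        user_name=fields[1],
        packet_type=PACKET_TYPES.get(attrs.get(ATTR_PACKET_TYPE, ""), "unknown"),
        reason=attrs.get(ATTR_REASON_CODE),
        wireless=attrs.get(ATTR_NAS_PORT_TYPE) == "19",
        mac=attrs.get(ATTR_CALLING_STATION),
    )


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def triage(records: list) -> dict:
    """Count wireless machine vs user packets and state what the counts imply."""
    counts = {"machine": defaultdict(int), "user": defaultdict(int)}
    rejects = []
    for rec in records:
        if not rec.wireless:
            continue  # wired or VPN traffic is not what this thread is about
        bucket = counts["machine" if rec.is_machine else "user"]
        bucket[rec.packet_type] += 1
        if rec.packet_type == "Access-Reject":
            rejects.append((rec.user_name, REASON_CODES.get(rec.reason, f"reason {rec.reason}")))
    machine = counts["machine"]
    if not machine:
        verdict = ("no machine-account attempts reached IAS: the supplicant never sent a host/ "
                   "identity, so look at the client (driver, AuthMode) and the AP, not the policy")
    elif machine.get("Access-Reject"):
        verdict = ("machine account reaches IAS but is rejected: check the remote access policy, "
                   "the computer account's group membership and its machine certificate")
    elif machine.get("Access-Accept"):
        verdict = "machine authentication succeeds: roaming profile and logon script are reachable at first logon"
    else:
        verdict = "machine Access-Requests seen but no decision logged: the EAP-TLS exchange never completed"
    return {"machine": dict(machine), "user": dict(counts["user"]), "rejects": rejects, "verdict": verdict}


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for key in ("machine", "user", "rejects", "verdict"):
        print(f"{key}: {result[key]}")
```

Run it against a real IAS-format file by replacing `SAMPLE_LOG` with the file contents; the `host/` prefix is the distinguishing mark Mark is asking about, and an empty `machine` bucket is the "laptop doesn't even try to connect" case from his second paragraph.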
  6. Guest

    Guest Guest

    You were right about not passing 802.1X authentication based on host
    verification. I looked into the IAS log and the computer account is not
    trying to connect. In the properties of the wireless connection, there's the
    Verification (I have it here in Dutch language so the English wording may be
    not exactly as my translation) tab and there's IEEE 802.1X verification is
    enabled, EAP type is smartcard or other certificate and the check box "verify
    as computer when computer information is available" is selected all right.
    But there's nothing in the IAS log about the computer trying to connect...

    So I'm afraid this is the unlikely option in your diagnosis...
    Thanks for your assistance, where do we go from here?

    Ivo

    P.S. I've tried to run tests with another notebook at home against a SBS2003
    installation but ran into a certification problem, so I'll start a new thread
    for that one.
     
    Guest, Feb 10, 2005
    #6
  7. Guest

    Mark Gamache Guest

    Are you using smartcards or software certificates? How are the machine
    certificates provisioned? I skimmed back through your posts and didn't see
    any reference to the machine certs. You have to have them.
     
    Mark Gamache, Feb 11, 2005
    #7
  8. Guest

    Guest Guest

    I understand your remarks. I'm using software certificates, this PC has both
    user and computer certificates all right. I'll double check it when I get to
    that PC. The machine certificates were provisioned through manual
    certificates, which was successful. I followed the procedures as in the
    Windows SBS 2003 Administrator's Companion (MS Press book).

    Thanks again, Ivo
     
    Guest, Feb 11, 2005
    #8
  9. Guest

    Guest Guest

    In the meanwhile I have it working nicely at another site. That's SBS2003,
    with EAP-TLS and machine connects and then the logon dialogue and after logon
    the user connects. Same equipment: Linksys WAP54G and Intel 2100 chip on the
    client notebook.

    At the site with the problem described in the thread, it's SBS2000, I think
    I made everybody believe it was SBS2003 so far... Anyway, on this
    installation we still have to hope for the better, at the moment user connect
    is OK but no preceding machine connect, nothing is entering the IAS. O how I
    would love to solve this issue...

    Regards, Ivo
     
    Guest, Feb 21, 2005
    #9
  10. Guest

    Mark Gamache Guest

    I reread the thread and am not sure, so I'll ask. Were you able to
    provision a machine certificate on the laptop?

    Does your AP have any logging features that may give EAP related info and
    association info? Before the AP sends your laptop's EAP-TLS to the IAS
    server, the wireless client must associate. Then the AP sends an
    EAP-Request-Identity, which I'm sure is working if you are getting on
    with user certs. Your laptop should send an EAP-Response-Identity. The
    response is based on the setup of your wireless auth tab. It would help to
    know if your PC is associating and if it is seeing and responding to the EAP
    messages. Only when this works does your IAS server get to see traffic.

    Cheers,
     
    Mark Gamache, Feb 22, 2005
    #10
  11. Guest

    Guest Guest

    I managed to provision a machine certificate on the user's laptop, some weeks
    ago. Yesterday I went there with my notebook but alas, there was the MMC
    certificate request problem (on my notebook only). So the answer to your
    question is: yes.
    I will look into your protocol sequence in more detail, but this certainly
    happens after the user logs on.
    Thanks for your good advice, next time when I am on the W2K SBS site, I will
    try to make some progress in finding out what's really wrong???
    Thanks again, Ivo
     
    Guest, Feb 22, 2005
    #11
  12. Guest

    Guest Guest

    I have reinstalled the notebook and the problem with requesting certificates
    went away... Now it seems I'm back at the machine authentication. I actually
    set some EAPOL registry key called Authmode to 2, thereby forcing machine
    authentication only.
    Remember I had user authentication working ok, machine authentication not.

    When I change this registry key to 2, the wireless notebook shows
    "validating identity" and this goes on forever. No reject/accept messages in
    the IAS log, nothing in the IAS system event log. The AP is Linksys WAP54G
    and has almost no logging feature. The IAS is a service of the SBS 2003
    does-it-all server. I have requested user and machine certificates.

    Are you still there?
    Thanks,
    Ivo
     
    Guest, Apr 12, 2005
    #12