Roaming profiles not found over wirless but wired they are

Add a group policy entry as follows....

Computer Configuration\Administrative Templates\System\Logon
Always wait for the network at computer startup and logon

Enable it

Windows is currently controlling the wireless.  No other apps are (no Intel ones or anything).
I have 2 GPOs that apply to 2 different OUs.

OU1 has GPO1 - has the wait for network to start (since this was also my first thought)
OU2 has GPO2 - doesnt
The GPOs are identical except for that difference and they aren't linked to the same OU so no way to inherit one GPO or the other.

Computer accounts are in OU1 and OU2.  THanks for the replies, but this one isnt going to be that easy :D

Your problem is that your computer needs to authenticate to the network before you can apply group policy. This also pertains to roaming profiles. Is your wireless set up using 802.1x authentication with certificates? If not, you need to enable 802.1x authentication so when the wireless starts on the computer, it authenticates to the network.

We are using 802.1x authentication with certs.  After the user logs in (and does not get their roaming profile) they are connected to the SSID that requires a certificate.  I have also forced a user to connect to an open SSID with no authentication and they get their profile with no problem.

It sounds like I need to get my clients to connect to and get authenticated faster before it trys to grab their profile from the network, or get authenticated before they put in their username and password.  Thoughts?

Since you're using 802.1x, you need to get the computer account to authenticate to the network. What are you using for 802.1x, PEAP, TLS, etc? If you're using PEAP with Windows Radius server, create another policy on the IAS server for computer account authentication to look at Active Directory at the Domain Computers group. Make sure that you set the policies to be computer authentication OR user authentication not computer authentication AND user authentication.

I have added Machine Group " Domain Computers" to my Wireless policy on my NPS server.  I believe you are 100% correct with that.  I dont know how I missed that before!!!!!  I will test it in the morning and get back to the board.

Let me  know how you make out.

I added the Machine Group - Domain computers to the NPS Wireless Policy.  Now none of my wireless clients can get on at all.  I believe that now means that the laptops dont have a computer certificate.  True?  But looking at the Certs MMC under trusted root servers of the computer I see the cert on the laptop (I also see one for under user account)

Are you using IAS? Are your clients issued their own CERT or are they trusing the CERT of the IAS server?

I am using windows 2008's Network Policy Server (NPS) more or less the same as IAS.  The clients should be issued their own certs already.   That is why I am a little confused that adding the Domain Computers to the NPS policy made all my wireles clients fail to connect

Were the certs that were issued computer certs or user certs? That's probably why.

I think I have to deploy both right?  I need one for the computer to be able to authenticate prior to login, then one for the user to authenticate and pull what SSID they are supposed to use from the GPO.

Correct, if the computer doesn't authenticate to the network using it's certificate, then it doesn't pull an IP address. I've normally set up PEAP to only use one certificate, the one on the IAS Server. This works for two factor authentication because all you do on the client is provide the trusted root cert and you don't have to have a complete certificate environment.

I realize that my CA doesnt have any Workstation Cert Templates, I just made one.  

Does the Autoenrollment feature have to be deployed via the Default Domain Policy as this paper I am reading from MS says?  

What is the diff between the Computer and the Workstation CA template?

You can also create an own group policy to deploy the computer certificates via auto enrollment if you don't wish to have a certificate for each computer in the domain.
The difference beteween those templates is the computer certificate is for client- & server authentication purpose and workstation certificate is only for clientauthentication.

Note: If you wish to make the user profiles getting work, you need a certificate for the computer that a authentication against the domain can be established befor the user logs in

Yes, he is correct, you need to issue a computer certificate so that the computer can authenticate to the Radius server. You can automatically issue via auto enrollment in the domain policy. Or, if you're using PEAP, you just add the root certificate for the CA to the trusted root certificates in AD Group Policy and push it out to the workstations. This then only requires that the computer have a trusted root cert on it for the CA and you don't need to issue certificates to all the computers.

I think my certs are going out fine; however, my NPS server seems to want to stop them from connecting.

I have set up autoenrollment in the default domain policy.  I am using PEAP, and have it set to look for my root cert for my CA.  

I think for the most part everything is right.  I think that NPS is stopping the connections for some reason.  I do get a status bubble on some computers that says "Click here to process your loging" then a window in the top left of the screen that says "Click OK to process... or Cancel"

1. Check if you certificates are installed via autoenrollment
On a client: mmc -> Add snap-in -> certificates (local computer and user) -> Check if there are listed certicates under Personal

2. Check group memberships of your computer and user which are queried from the NPS Server

3. Important: Do you have enabled the NPS Server as wireless access server? I ask because i recently configured the NPS as i configured it with IAS Server but there are main.
Check out this: http://blogofanitadmin.blogspot.com/2008/12/radius-server-with-wpa2-in-2008.html

I think NPS works, because wireless clients can get on using the secure SSID.

In my NPS I have the two groups DOMAIN COMPUTERS and DOMAIN USERS.

I do have the NPS Set to do wireless access, but I dont think it was set up that way to begin with.  Only a policy on the Network Policy container, and users were able to get on.  I suspect that they were only able to get on because their User Cert was authenticating them after they logged in.  

How do I make the computer cert be used for the computer to log in first?

Thanks, I am going to try that.  I wont be able to test it until next week - so stay tuned!!!  

any updates?