Solved

PEAP Machine Authentication is SLOW!!!

Posted on 2004-03-24
6,851 Views
Last Modified: 2013-12-09
Hi All,
I am attempting to implement 802.1x on the wireline and also wireless using PEAP. The problem that I am seeing between both wireline and wireless deployments is that machine authentication is very slow to be performed by Windows XP clients. The machine authentication does not even start until at least 30 seconds after the Windows login GINA is displayed. This is frustrating as the machine will not be provided an IP on the network until machine authentication passes. If the machine is not on the network when the user attempts to login then the login will be local, no DC will be contacted, and any login script that this user has will not run. I think you can see my dilemma! :-)

I have tried searching for a solution and I cannot find any postings on a successful PEAP machine/user authentication deployment either wireless OR wireline.

BTW. Native Windows XP requires a hotfix (KB826942) to get machine authentication to work. And as far as I can tell there is no way to get Windows 2000 to machine authenticate properly.

My setup is as follows:
Cisco ACS v3.2 as EAP RADIUS
Aironet 350 AP @ VxWorks 12.04 (for wireless)
Catalyst 6500 @ cat6000-sup2k8.7-6-3a.bin (for wireline)
Windows XP SP1 (with KB826942 hotfix)
Windows 2000 SP4 (can't get machine authentication to work but user authentication does)

Any thoughts? Thanks much!
Question by:wauger
6 Comments

Expert Comment

by:Quash
ID: 10720373
I have the odd thought of doing a registry edit to delay the Windows login from showing up. Mind you I don't know how to do it, but it should be doable.

Quash!

Author Comment

by:wauger
ID: 10723900
Good point. But I don't want to HAVE to go into machines and edit the registry if I don't have to. Fact is this should work out of the box. Thanks for the thought though.

Expert Comment

by:Geert7831
ID: 11007718
Hi,

We have the same problem. What about the login script? It is always the same with VPN, 802.1x ... the connection to the DC isn't available at that moment (quite normal!!) and afterwards, when the connection is up and running ... the login script is, well, you know. Looked in the MS docs, web ... but nothing about this.

Does somebody else know how to fix this?

Thanks

Geert

Author Comment

by:wauger
ID: 11009256
Ok, So we figured out what the problem is. Turns out that Windows 2000 DOES work properly when the machine is in an AD domain and not an NT domain. So that takes care of that problem.

The issue with the XP client is that it just boots too darn fast! This was done by Microsoft by design, as one of the features of XP is faster boot cycles. Well, you can turn that feature off - or rather enable the system to wait for network connections to complete BEFORE the system allows the user to login. This essentially fixes the problem by having machine authentication complete BEFORE the user can login, so that the machine is on the network and the interactive login then hits the DC.

Here is how you do it:

Go to the C:\Windows\System32 directory and find the GPEdit.msc file. Double click it and it should open up an MMC to configure it.
Local Policy (GPEdit.msc)
Go to --> Computer Configuration --> Administrative templates --> System --> Logon --> Always wait for the network at computer startup

Define this policy as "Enabled" and reboot the client. You MUST REBOOT twice before it will take effect.

There you go. Good luck!
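The GPEdit.msc steps above can be scripted for rollout. The following is an added example, not code from the thread: it writes the registry value that the "Always wait for the network at computer startup and logon" policy sets, reports whether a change was made, and checks for the XP hotfix the question mentions. It assumes an elevated PowerShell session on the client; the policy's backing value (SyncForegroundPolicy under the Winlogon policies key) is standard Windows behaviour, not something the thread states.

```powershell
# Added example: enable "Always wait for the network at computer startup and logon"
# without opening GPEdit.msc. Same effect as the accepted answer's steps.
# Assumes: elevated PowerShell on the client machine.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PolicyValue = 'SyncForegroundPolicy'   # DWORD 1 = policy Enabled

function Get-WaitForNetworkPolicy {
    # Returns $true only when the policy is explicitly enabled.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$PolicyValue -eq 1)
}

function Enable-WaitForNetworkPolicy {
    # Creates the Policies\...\Winlogon key if no policy has ever been set here.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value 1 -Type DWord
}

if (Get-WaitForNetworkPolicy) {
    Write-Output 'Policy already enabled: logon waits for the network, so 802.1X machine auth finishes first.'
} else {
    Enable-WaitForNetworkPolicy
    Write-Output 'Policy enabled. Reboot the client twice, as the accepted answer notes, before testing.'
}

# The question states XP SP1 needs KB826942 for machine authentication; warn if it is missing.
$hotfix = Get-HotFix -Id 'KB826942' -ErrorAction SilentlyContinue
if ($null -eq $hotfix) {
    Write-Warning 'KB826942 not found: on Windows XP SP1 machine authentication will not work without it.'
}
```

Run it once per client (or from a startup script) and verify afterwards with gpresult or by watching the machine obtain its address before the logon prompt appears.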

Accepted Solution

by:modulo (earned 0 total points)
ID: 11246766
PAQed, with points refunded (500)

modulo
Community Support Moderator