

PEAP Machine Authentication is SLOW!!!

Posted on 2004-03-24
Medium Priority
Last Modified: 2013-12-09
Hi All,
I am attempting to implement 802.1x on the wireline and also wireless using PEAP. The problem that I am seeing between both wireline and wireless deployments is that machine authentication is very slow to be performed by Windows XP clients. The machine authentication does not even start until at least 30 seconds after the Windows login GINA is displayed. This is frustrating as the machine will not be provided an IP on the network until machine authentication passes. If the machine is not on the network when the user attempts to login then the login will be local, no DC will be contacted, and any login script that this user has will not run. I think you can see my dilemma! :-)

I have tried searching for a solution and I cannot find any postings on a successful PEAP machine/user authentication deployment either wireless OR wireline.

BTW. Native Windows XP requires a hotfix (KB826942) to get machine authentication to work. And as far as I can tell there is no way to get Windows 2000 to machine authenticate properly.

My setup is as follows:
Cisco ACS v3.2 as EAP RADIUS
Aironet 350 AP @ VxWorks 12.04 (for wireless)
Catalyst 6500 @ cat6000-sup2k8.7-6-3a.bin (for wireline)
Windows XP SP1 (with KB826942 hotfix)
Windows 2000 SP4 (can't get machine authentication to work but user authentication does)

Any thoughts? Thanks much!
Question by:wauger

Expert Comment

ID: 10720373
I have the odd thought of doing a registry edit to delay the Windows login from showing up. Mind you I don't know how to do it, but it should be doable.


Author Comment

ID: 10723900
Good point. But I don't want to HAVE to go into machines and edit the registry if I don't have to. Fact is this should work out of the box. Thanks for the thought though.

Expert Comment

ID: 11007718

We have the same problem. What about the login script? It is always the same: use VPN, 802.1x... the connection to the DC isn't available at that moment (quite normal!!) and afterwards when the connection is up and running... the login script is, well, you know. Looked in the MS docs, web... but nothing about this.

Does somebody else know how to fix this?



Author Comment

ID: 11009256
Ok, So we figured out what the problem is. Turns out that Windows 2000 DOES work properly when the machine is in an AD domain and not an NT domain. So that takes care of that problem.

The issue with the XP client is that it just boots too darn fast! This was done by Microsoft by design, as one of the features of XP is faster boot cycles. Well, you can turn that feature off - or rather enable the system to wait for network connections to complete BEFORE the system allows the user to login. This essentially fixes the problem by having machine authentication complete BEFORE the user can login, so that the machine is on the network and the interactive login then hits the DC.

Here is how you do it:

Go to the C:\Windows\System32 directory and find the GPEdit.msc file. Double click it and it should open up an MMC to configure it.
Local Policy (GPEdit.msc)
Go to --> Computer Configuration --> Administrative templates --> System --> Logon --> Always wait for the network at computer startup

Define this policy as "Enabled" and reboot the client. You MUST REBOOT twice before it will take effect.

There you go. Good luck!
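An added example, not from the thread, to verify on a client that the "Always wait for the network at computer startup" policy described above is actually in force (useful when rolling it out to many machines rather than clicking through GPEdit on each). It relies on the fact that the policy is stored as the DWORD SyncForegroundPolicy under the Winlogon policies key; that registry location is not stated in the thread and is assumed here from the policy's definition.

```powershell
# Added example (not from the thread): report whether the local policy
# "Always wait for the network at computer startup and logon" is Enabled,
# and optionally enable it. Assumes the policy is stored as the DWORD
# SyncForegroundPolicy under the Winlogon policies key.
param(
    [switch]$Enable   # pass -Enable to set the policy (needs admin rights)
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName = 'SyncForegroundPolicy'

function Get-WaitForNetworkState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured', matching what GPEdit shows.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Enable-WaitForNetwork {
    # Creates the policy key if it does not exist and sets the value to 1 (Enabled).
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

$before = Get-WaitForNetworkState
Write-Host "Always wait for the network at computer startup: $before"

if ($Enable -and $before -ne 'Enabled') {
    Enable-WaitForNetwork
    Write-Host "Policy set to Enabled. Reboot twice before relying on it, as noted above."
}
```

Run it with no arguments to audit a machine, or with -Enable from an elevated prompt to apply the same setting the GPEdit steps produce.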

Accepted Solution

modulo earned 0 total points
ID: 11246766
PAQed, with points refunded (500)

Community Support Moderator
