We help IT Professionals succeed at work.

PEAP Machine Authentication is SLOW!!!

wauger
wauger asked
on
Medium Priority
6,956 Views
Last Modified: 2013-12-09
Hi All,
I am attempting to implement 802.1x on the wireline and also wireless using PEAP. The problem that I am seeing between both wireline and wireless deployments is that machine authentication is very slow to be performed by Windows XP clients. The machine authentication does not even start until at least 30 seconds after the Windows login GINA is displayed. This is frustrating as the machine will not be provided an IP on the network until machine authentication passes. If the machine is not on the network with the user attempts to login then the login will be local, no DC will be contacted, and any login script that this user has will not run. I think you can see my dilema! :-)

I have tried seaching for a solution and I cannot find any postings on a successful PEAP machine/user authentication deployment either wireless OR wireline.

BTW. Native Windows XP requires a hotfix (KB826942) to get machine authentication to work. And as far as I can tell there is no way to get Windows 2000 to machine authenticate properly.

My setup is as follows:
Cisco ACS v3.2 as EAP RADIUS
Aironet 350 AP @ VxWorks 12.04 (for wireless)
Catalyst 6500 @ cat6000-sup2k8.7-6-3a.bin (for wireline)
Windows XP SP1 (with KB826942 hotfix)
Windows 2000 SP4 (cant get machine authentication to work but user authentication does)

Any thoughts? Thanks much!
Comment
Watch Question

Commented:
I have the odd thought of doing a regestry  edit to delay the Windows login from showing up.  Mind you I don't know how to do it, but it should be doable.

Quash!

Author

Commented:
Good Point. But I dont want to HAVE to go into machines and edit the registry if I dont have. Fact is this should work out the box. Thanks for the thought though.
Hi,

same problem we have. What with the login script ? It is always the same use VPN, 802.1x ...the connection to the DC isn't available at that moment (quite normal !!) and afterwards when the connection is up and running...the login script is well you know. Looked in the MS docs, web...but nothing about this.

Somebody else knows how to fix this ?

Thanks

Geert

Author

Commented:
Ok, So we figured out what the problem is. Turns out that Windows 2000 DOES work properly when the machine is in an AD domain and not an NT domain. So that takes care of that problem.

The issue with XP client is that it just boots too darn fast! This was done by Microsoft by design, as one of the features of XP is faster boot cycles. Well you can turn that feature off - or rather enable the system to wait for network connections to completed BEFORE the system allows the user to login. This essentially fixes the problem of machine authentication completing BEFORE the user can login so that the machine is on the network and the interactive login then hits the DC.

Here is how you do it:

Go to C:\Widows\System32 directory and find the GPEdit.msc file. Double click it and it should open up an MMC to configure it.
Local Policy (GPEdit.msc)
Go to --> Computer Configuration --> Administrative templates --> System --> Logon --> Always wait for the network at computer startup

Define this policy as "Enabled" and reboot the client. You MUST REBOOT twice before it will take affect.

There you go. Good luck!
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.