Solved

PEAP Machine Authentication is SLOW!!!

Posted on 2004-03-24
6,866 Views
Last Modified: 2013-12-09
Hi All,
I am attempting to implement 802.1x on the wireline and also wireless using PEAP. The problem that I am seeing between both wireline and wireless deployments is that machine authentication is very slow to be performed by Windows XP clients. The machine authentication does not even start until at least 30 seconds after the Windows login GINA is displayed. This is frustrating as the machine will not be provided an IP on the network until machine authentication passes. If the machine is not on the network when the user attempts to log in, then the login will be local, no DC will be contacted, and any login script that this user has will not run. I think you can see my dilemma! :-)

I have tried searching for a solution and I cannot find any postings on a successful PEAP machine/user authentication deployment, either wireless OR wireline.

BTW. Native Windows XP requires a hotfix (KB826942) to get machine authentication to work. And as far as I can tell there is no way to get Windows 2000 to machine authenticate properly.

My setup is as follows:
Cisco ACS v3.2 as EAP RADIUS
Aironet 350 AP @ VxWorks 12.04 (for wireless)
Catalyst 6500 @ cat6000-sup2k8.7-6-3a.bin (for wireline)
Windows XP SP1 (with KB826942 hotfix)
Windows 2000 SP4 (can't get machine authentication to work, but user authentication does)

Any thoughts? Thanks much!
Question by:wauger
6 Comments

Expert Comment

by:Quash
ID: 10720373
I have the odd thought of doing a registry edit to delay the Windows login from showing up. Mind you, I don't know how to do it, but it should be doable.

Quash!

Author Comment

by:wauger
ID: 10723900
Good point. But I don't want to HAVE to go into machines and edit the registry if I don't have to. Fact is, this should work out of the box. Thanks for the thought, though.

Expert Comment

by:Geert7831
ID: 11007718
Hi,

We have the same problem. What about the login script? It is always the same, whether you use VPN, 802.1x ... the connection to the DC isn't available at that moment (quite normal!!), and afterwards, when the connection is up and running ... the login script is, well, you know. Looked in the MS docs, web ... but nothing about this.

Somebody else knows how to fix this ?

Thanks

Geert

Author Comment

by:wauger
ID: 11009256
OK, so we figured out what the problem is. Turns out that Windows 2000 DOES work properly when the machine is in an AD domain and not an NT domain. So that takes care of that problem.

The issue with the XP client is that it just boots too darn fast! This was done by Microsoft by design, as one of the features of XP is faster boot cycles. Well, you can turn that feature off - or rather, enable the system to wait for network connections to complete BEFORE the system allows the user to log in. This essentially fixes the problem by having machine authentication complete BEFORE the user can log in, so that the machine is on the network and the interactive login then hits the DC.

Here is how you do it:

Go to the C:\Windows\System32 directory and find the GPEdit.msc file. Double-click it and it should open up an MMC to configure it.
Local Policy (GPEdit.msc)
Go to --> Computer Configuration --> Administrative templates --> System --> Logon --> Always wait for the network at computer startup

Define this policy as "Enabled" and reboot the client. You MUST REBOOT twice before it will take effect.

There you go. Good luck!
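The policy the author points at in GPEdit ("Always wait for the network at computer startup and logon") is stored as a single policy registry value, so the same change can be scripted and verified on a fleet rather than clicked through per machine. The block below is an added example written for this thread; it is not code from the original poster. It assumes (labelled in the comments) that the policy maps to the DWORD value SyncForegroundPolicy = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon, that it is run from an elevated PowerShell session, and that the domain has no GPO overriding the value. It also includes a check a practitioner wants after the fix: whether the current session was actually served by a DC or fell back to cached credentials, which is exactly the symptom described in the question.

```powershell
# Added example, not from the original thread.
# Assumption: the GPEdit policy "Always wait for the network at computer startup
# and logon" is stored as the DWORD SyncForegroundPolicy under the policy Winlogon key.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PolicyName = 'SyncForegroundPolicy'

function Get-SyncForegroundPolicy {
    # Returns 1 when the logon UI waits for the network (machine 802.1X auth can finish
    # first), 0 when explicitly disabled, $null when the fast-logon default applies.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$PolicyName
}

function Set-SyncForegroundPolicy {
    # Enables the policy (or disables it with -Disable) and returns the value read back,
    # so a deployment script can confirm the write landed. Requires an elevated session.
    param([switch]$Disable)
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    $value = if ($Disable) { 0 } else { 1 }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value $value -Type DWord
    return Get-SyncForegroundPolicy
}

function Test-CachedLogon {
    # Heuristic (assumption): when Windows logs a domain user on with cached credentials
    # because no DC was reachable, LOGONSERVER names the local machine, not a DC.
    $logonServer = $env:LOGONSERVER
    if ([string]::IsNullOrEmpty($logonServer)) { return $null }
    return ($logonServer.TrimStart('\') -ieq $env:COMPUTERNAME)
}

# Usage: record the current state, enable the policy, and report.
$before = Get-SyncForegroundPolicy
Write-Host ("SyncForegroundPolicy before: {0}" -f $(if ($null -eq $before) { 'not set' } else { $before }))
$after = Set-SyncForegroundPolicy
Write-Host ("SyncForegroundPolicy after : {0} (reboot twice, as the thread notes)" -f $after)
if (Test-CachedLogon) {
    Write-Warning 'This session used cached credentials: no DC was reached at logon, so no logon script ran.'
}
```

Two caveats. First, this only reorders startup so that machine authentication completes before the logon prompt appears; it does not make the 802.1X exchange itself any faster, so the 30-second delay the question describes moves from after the GINA to before it. Second, the XP SP1 clients in the thread predate PowerShell; on those, the same DWORD can be written with reg.exe (`reg add` against the same key, value name and REG_DWORD data of 1) or, more sensibly, pushed from a domain GPO so it is not hand-edited per machine, which addresses the author's objection to per-box registry edits.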

Accepted Solution

by: modulo (earned 0 total points)
ID: 11246766
PAQed, with points refunded (500)

modulo
Community Support Moderator