PEAP Machine Authentication is SLOW!!!
Posted on 2004-03-24
I am attempting to implement 802.1x on the wireline and also wireless using PEAP. The problem that I am seeing between both wireline and wireless deployments is that machine authentication is very slow to be performed by Windows XP clients. The machine authentication does not even start until at least 30 seconds after the Windows login GINA is displayed. This is frustrating as the machine will not be provided an IP on the network until machine authentication passes. If the machine is not on the network with the user attempts to login then the login will be local, no DC will be contacted, and any login script that this user has will not run. I think you can see my dilema! :-)
I have tried seaching for a solution and I cannot find any postings on a successful PEAP machine/user authentication deployment either wireless OR wireline.
BTW. Native Windows XP requires a hotfix (KB826942) to get machine authentication to work. And as far as I can tell there is no way to get Windows 2000 to machine authenticate properly.
My setup is as follows:
Cisco ACS v3.2 as EAP RADIUS
Aironet 350 AP @ VxWorks 12.04 (for wireless)
Catalyst 6500 @ cat6000-sup2k8.7-6-3a.bin (for wireline)
Windows XP SP1 (with KB826942 hotfix)
Windows 2000 SP4 (cant get machine authentication to work but user authentication does)
Any thoughts? Thanks much!