

PEAP Machine Authentication is SLOW!!!

Posted on 2004-03-24
Medium Priority
Last Modified: 2013-12-09
Hi All,
I am attempting to implement 802.1x on the wireline and also wireless using PEAP. The problem that I am seeing between both wireline and wireless deployments is that machine authentication is very slow to be performed by Windows XP clients. The machine authentication does not even start until at least 30 seconds after the Windows login GINA is displayed. This is frustrating as the machine will not be provided an IP on the network until machine authentication passes. If the machine is not on the network when the user attempts to login then the login will be local, no DC will be contacted, and any login script that this user has will not run. I think you can see my dilemma! :-)

I have tried searching for a solution and I cannot find any postings on a successful PEAP machine/user authentication deployment either wireless OR wireline.

BTW. Native Windows XP requires a hotfix (KB826942) to get machine authentication to work. And as far as I can tell there is no way to get Windows 2000 to machine authenticate properly.

My setup is as follows:
Cisco ACS v3.2 as EAP RADIUS
Aironet 350 AP @ VxWorks 12.04 (for wireless)
Catalyst 6500 @ cat6000-sup2k8.7-6-3a.bin (for wireline)
Windows XP SP1 (with KB826942 hotfix)
Windows 2000 SP4 (can't get machine authentication to work but user authentication does)

Any thoughts? Thanks much!
Question by:wauger

Expert Comment

ID: 10720373
I have the odd thought of doing a registry edit to delay the Windows login from showing up. Mind you I don't know how to do it, but it should be doable.


Author Comment

ID: 10723900
Good Point. But I don't want to HAVE to go into machines and edit the registry if I don't have to. Fact is this should work out of the box. Thanks for the thought though.

Expert Comment

ID: 11007718

Same problem we have. What with the login script? It is always the same: use VPN, 802.1x ... the connection to the DC isn't available at that moment (quite normal!!) and afterwards when the connection is up and running ... the login script is, well, you know. Looked in the MS docs, web ... but nothing about this.

Somebody else knows how to fix this?



Author Comment

ID: 11009256
Ok, So we figured out what the problem is. Turns out that Windows 2000 DOES work properly when the machine is in an AD domain and not an NT domain. So that takes care of that problem.

The issue with XP client is that it just boots too darn fast! This was done by Microsoft by design, as one of the features of XP is faster boot cycles. Well you can turn that feature off - or rather enable the system to wait for network connections to complete BEFORE the system allows the user to login. This essentially fixes the problem of machine authentication completing BEFORE the user can login so that the machine is on the network and the interactive login then hits the DC.

Here is how you do it:

Go to C:\Windows\System32 directory and find the GPEdit.msc file. Double click it and it should open up an MMC to configure it.
Local Policy (GPEdit.msc)
Go to --> Computer Configuration --> Administrative templates --> System --> Logon --> Always wait for the network at computer startup

Define this policy as "Enabled" and reboot the client. You MUST REBOOT twice before it will take effect.

There you go. Good luck!
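
An added example, not part of the original thread: a PowerShell audit that reports whether the "always wait for the network" policy enabled in the answer above is actually in effect on a set of clients, so machines that would still log on before 802.1x machine authentication completes can be found. It assumes the policy's registry backing (DWORD `SyncForegroundPolicy` under the `Policies` Winlogon key), that the Remote Registry service is reachable for remote hosts, and that the caller supplies the host names.

```powershell
# Added example (not from the thread): report whether "Always wait for the
# network at computer startup and logon" is in effect on each machine.
# The policy is stored as DWORD SyncForegroundPolicy = 1 under this HKLM key.
$SubKey    = 'SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName = 'SyncForegroundPolicy'

function Get-WaitForNetworkPolicy {
    param(
        # Host names are supplied by the caller; the default is the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        $state = 'NotConfigured'
        try {
            # Remote hosts need the Remote Registry service running and admin rights.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $hklm.OpenSubKey($SubKey)      # $null when the key does not exist
            if ($null -ne $key) {
                $value = $key.GetValue($ValueName, $null)
                if ($null -ne $value) {
                    $state = if ([int]$value -eq 1) { 'Enabled' } else { 'Disabled' }
                }
                $key.Close()
            }
            $hklm.Close()
        }
        catch {
            # Keep going: one unreachable client should not stop the audit.
            $state = "Unreachable: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{ ComputerName = $computer; WaitForNetwork = $state }
    }
}

# Local check; pass -ComputerName with your own host list to audit several machines.
Get-WaitForNetworkPolicy | Format-Table ComputerName, WaitForNetwork -AutoSize
```

A machine reported as `NotConfigured` or `Disabled` still uses the fast logon behaviour described in the answer; the setting itself is best deployed through Group Policy rather than by writing the value directly.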

Accepted Solution

modulo earned 0 total points
ID: 11246766
PAQed, with points refunded (500)

Community Support Moderator
