We have started using a group policy for user AD authentication on our loaner
laptops. Here are the instructions sent to the desktop folks:

Click Start
In the search box type group policy
Press ENTER
Open the following folder:
Computer Configuration > Administrative Templates > System > Logon

Double-click on the "Always wait for the network at computer startup and logon"
setting

Click the radio button to Enabled
Click OK and Exit Local Group Policy Editor
Restart the machine, disconnect from the wired network and verify the logon 
process works for a new user

We use user authentication only, so there may be a change for you. Test it and let
me know if it works in your environment as well.

Thanks.
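The same setting can be audited and applied from an elevated PowerShell prompt instead of clicking through the Local Group Policy Editor. This is an added example, not part of the thread, and it assumes the policy is backed by the DWORD value SyncForegroundPolicy (1 = Enabled) under the Winlogon policies key:

```powershell
# Added example (not from the thread): audit and, if needed, apply the
# "Always wait for the network at computer startup and logon" policy via its
# registry-backed value, then verify. Assumption: the policy maps to the DWORD
# SyncForegroundPolicy (1 = Enabled) under the Winlogon policies key.
# Run from an elevated PowerShell prompt on the loaner laptop.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName = 'SyncForegroundPolicy'

function Get-WaitForNetworkState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured' from the registry value.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Enable-WaitForNetwork {
    # Creates the policy key if it is absent and sets the value to Enabled (1).
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -Type DWord
}

$before = Get-WaitForNetworkState
Write-Host "Before: $before"
if ($before -ne 'Enabled') {
    Enable-WaitForNetwork
}

# Verify the change landed before asking anyone to restart and test.
$after = Get-WaitForNetworkState
Write-Host "After:  $after"
if ($after -ne 'Enabled') { throw "SyncForegroundPolicy did not apply as expected" }

# Refresh computer policy; the real test is the one in the instructions above:
# restart, stay off the wired network and sign in as a user new to the machine.
gpupdate /target:computer /force | Out-Null
```

Domain Group Policy overrides Local Group Policy, so this is fine for the per-machine test described above, but a production rollout belongs in the same domain GPO that already pushes the 802.1X settings.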

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of John Kaftan
Sent: Monday, February 10, 2014 3:58 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Strange 802.1x behavior with single signon

I tried that and got the same results.

I am able to get a packet capture of the traffic just before it hits the radio
and can see that the ARP replies are making it that far.  So I believe they are
getting "on the air" to get back to my client.  I have found that if I have
logged on to the machine successfully before, I get on the desktop.  If I have not
logged on to the machine before, I get "No logon servers found".  I installed
Wireshark on one of the machines and was able to get on the desktop and run
Wireshark while this is happening, and I do not see any packets reaching the
machine via the wireless NIC.  However, if I disconnect from and reconnect to the
wireless network it starts working immediately.

I am not sure about the ins and outs of what is going on with 802.1x and
Enterprise WPA2, but I believe the encryption key comes from a combination of
the username and password if you are not using certificates.  I am wondering if
my issue is that the client or the wireless controller is not re-keying the
encryption when the user changes from computer to user.  If that were the case,
the AP would be sending the encryption using one key and the client would be
deciphering using another key, so the traffic would never hit the stack.


On Sat, Feb 8, 2014 at 1:06 PM, Tim Cappalli <[email protected]> wrote:
Do you have this issue if you leave computer and user but uncheck Single Sign 
On?

As far as I know, Single Sign-On is an alternative to machine authentication. I
don't think it is designed to be used with it.

By default, Windows will switch to user authentication at the desktop.

Single sign-on allows the user's credentials to be used to authenticate and contact
AD, vs. machine auth, which uses the computer's account to contact AD.

Tim


Tim Cappalli  |  ACCP /  ACMP /  CCNA
Wireless Engineer  |  Brandeis University
[email protected] | (617) 701-7149

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[email protected]] On Behalf Of John Kaftan
Sent: Friday, February 7, 2014 4:05 PM
To: [email protected]
Subject: [WIRELESS-LAN] Strange 802.1x behavior with single signon

We have a number of laptops that are mobile labs (Tanks) and in the library for 
students to check out.

We push the 802.1x settings via AD and it works very well.  The problem we have 
run into is that when we have login set to 'user or computer' and check single 
sign-on it comes up and logs into the network using the computer name just 
fine.  But then when the user logs in it immediately authenticates 802.1x as 
the user and then proceeds to churn until ultimately failing with "No logon 
servers found".

The strangest thing about this is that packet captures reveal that while the 
machine is churning it is sending out ARPs for its gateway.  The gateway 
replies but the client ignores it.  It does this 30-40 times before giving up.

If the user has logged onto the machine before, they will get on with cached
credentials and they will be fine, other than being grumpy over how long it
takes to get on.  If they have never logged on before, they will get the dreaded
"No logon servers found".

Doing an 'ARP -a' at the command line reveals the gateway address is listed and
the machine is able to browse just fine.

I don't think this is a wireless/policy issue, as I set up the client to get our
IT_Admins profile no matter what, and also after the client finally stops asking
for the gateway's MAC address everything is fine.

Our workaround is to just set it to Computer authentication only.  This is a
bummer because we lose visibility as well as the ability to apply user-based
profiles.


--
John Kaftan
IT Infrastructure Manager
Utica College

********** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.



--
John Kaftan
IT Infrastructure Manager
Utica College

