Group Policy and PEAP

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Kevin Lancaster (m0ahn_at_hotmail.com)
Date: 06/24/04 

Date: Thu, 24 Jun 2004 09:05:53 +0100

I quote from the "Microsoft Windows Small Business Server 2003
Administrators Companion" book:-

"Although PEAP provides great wireless security and is easier to implement
than EAP-TLS authentication, there are two significant drawbacks. The first
is that you won't be able to remotely administer wireless clients unless
someone's logged on. The second is that Group Policy Computer Configuration
won't work."

Based on my own experience of using PEAP based wireless networks, I would
disagree with both of the above statements.

1. When a computer on the network starts up, the computer account
authenticates. This is confirmed by the following;
i) An event appears in the event log stating that the computer account has
authenticated
ii) I can access the computer via Computer Management from the server
iii) There is an option in the configuration that states to "Authenticate as
computer when computer information is available"
iv) When a user logs on, another event occurs stating the user has been
given access. When the user logs off, the computer again authenticates.
v) The computer account is denied access unless Dial-In access is granted
according to the Remote Access Policy.

2. I can only assume the statement about Group Policy Computer Configuration
not working is because of the first point that, according to the book, the
computer does not have network access until a user logs on. Thus, no access,
how can Group Policy be applied?

I am surprised to read this because without the computer obtaining network
access the whole process of domain access, DNS registration, roaming
profiles etc will not work unless network access is obtained prior to logon.

These statements are based on experience gained from using Cisco Aironet
Access Points, Windows 2003 Small Business Server, Both Verisign and
Microsoft Certificates and Windows XP Desktops using the WZC service.

Can anyone shed some light on this?

Kevin

Relevant Pages

  • Client side default authentication settings
    ... If you then open up the wireless network ... you change the EAP type to Protected EAP and hit ok, ... authenticates and it works just fine. ...
    (microsoft.public.internet.radius)
  • Re: Small Business Network Trouble!
    ... small business server or something but I hope someone can help. ... with a new router modem that had wireless (being the only one in the ... the network was running off a D-Link 4 port router ... as only the 2 computers running small business server were plugged into ...
    (microsoft.public.windows.server.sbs)
  • Re: Small Business Network Trouble!
    ... "The network consists of 4 computers, 2 run on small business server" ... My boss asked me to change the D-Link router modem to one with wireless ...
    (microsoft.public.windows.server.sbs)
  • Re: Client side default authentication settings
    ... If you then open up the wireless network ... authenticates and it works just fine. ... high and low for a place in IAS and Group Policy where it might be set ...
    (microsoft.public.internet.radius)
  • Re: Group Policy and PEAP
    ... When a computer on the network starts up, ... When the user logs off, the computer again authenticates. ... I can only assume the statement about Group Policy Computer ...
    (microsoft.public.internet.radius)