RE: 802.1x logon scripts and roaming profile not running

Hi,

Ran into this problem when deploying 802.1x on a wired network. In my case, it
turned out that the sequence of events that occurs during logon was running
too fast and network authentication was not actually occurring until after
logon (typical XP problem). While there are several group policy items that
can control this to an extent, some additional registry settings were
required to make it work consistently, especially over network segments that
had some latency.

After doing some research, I found these settings (sorry, can't find the
research at the moment - did it over a year ago). On the following registry
keys...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\SOFTWARE\Policies\Microsoft\System

...create the following key value:

Value Name: GpNetworkStartPolicyTimeoutValue
Value Type: REG_DWORD
Value Data: 60 (this represents number of seconds)

These are not sub keys to the above keys but values on these keys (right
pane of regedit). A reboot of the client is necessary to put the changes into
effect. While I can't remember the exact function of these changes, they
relate to how long the client waits between authentication attempts if it
can't connect to AD. You also want to configure GP to wait for the network
(Computer Config/Admin Templates/System/Logon).

I'll try to find the docs that I got this information from if you need them. I'd
also recommend that, if your networking hardware supports it, you review
the docs on how to optimize the RADIUS authentication - one of my switches
was actually timing out due to latency on that segment - not enough time
for the authentication to take place.

Hope this helps...


"Tonyr63" wrote:

Hi

I have exactly the same problem except running the Odyssey 802.1x client. I
was advised to apply the registry settings as per KB 840669
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/default.mspx
however the section on how to apply this setting across all clients on the
network using group policies makes no sense as it appears to just repeat the
manual registry change process.

Since no one at Microsoft has responded to your query I can only presume
that 802.1x technology breaks logon script processing and group policy
application.

Regards
Tonyr

"Petri S" wrote:

We are testing 802.1x authentication in wireless and wired, and we have the
following problem on both of them. Authentication works but logon scripts are
not running and the roaming profile is not loading.

Authentication works this way:

1/ machine auth --> vlan x
2/ user auth --> vlan y

The problem seems to be that the computer is trying to run scripts and load
the profile before and during the change of VLAN.

I have tried the following settings in group policy (but it is not working)



System/Logon
  Always wait for the network at computer startup and logon: Enabled

System/Net Logon
  Expected dial-up delay on logon: Enabled
    Seconds: 60

System/Scripts
  Maximum wait time for Group Policy scripts: Enabled
    Seconds: 0
    Range is 0 to 32000, use 0 for infinite wait time
  Run logon scripts synchronously: Enabled

System/User Profiles
  Do not detect slow network connections: Disabled
  Maximum retries to unload and update user profile: Enabled
    Max retries: 60
  Wait for remote user profile: Enabled


--
Petri S
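
The registry change described in the first reply, as an added PowerShell example that is not part of the original posts: it reports whether the value exists as a REG_DWORD on both keys, flags a subkey created by mistake under the same name, and writes the value only when run with -Apply from an elevated prompt. The -Apply and -Seconds parameters and the function name Get-TimeoutState are made up for this example, and the Winlogon path uses the standard CurrentVersion spelling.

```powershell
# Added example (not from the thread): audit or set GpNetworkStartPolicyTimeoutValue.
# -Apply and -Seconds are hypothetical parameter names chosen for this script.
param(
    [switch]$Apply,
    [int]$Seconds = 60          # value data from the post, in seconds
)

$ValueName = 'GpNetworkStartPolicyTimeoutValue'
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Policies\Microsoft\System'
)

function Get-TimeoutState {
    param([string]$KeyPath)
    $present = $false; $kind = $null; $data = $null
    if (Test-Path -LiteralPath $KeyPath) {
        $key = Get-Item -LiteralPath $KeyPath
        # Registry value names are case-insensitive, as is -contains.
        if ($key.GetValueNames() -contains $ValueName) {
            $present = $true
            $kind    = $key.GetValueKind($ValueName)   # expected: DWord
            $data    = $key.GetValue($ValueName)
        }
    }
    New-Object PSObject -Property @{
        Key         = $KeyPath
        Present     = $present
        Kind        = $kind
        Data        = $data
        # The post stresses this is a value, not a subkey: flag the mix-up.
        StraySubkey = (Test-Path -LiteralPath (Join-Path $KeyPath $ValueName))
    }
}

foreach ($k in $Keys) {
    if ($Apply) {
        # The Policies\...\System key may not exist yet on a clean client.
        if (-not (Test-Path -LiteralPath $k)) {
            New-Item -Path $k -Force | Out-Null
        }
        New-ItemProperty -Path $k -Name $ValueName -PropertyType DWord `
            -Value $Seconds -Force | Out-Null
    }
    Get-TimeoutState -KeyPath $k
}
```

As the reply notes, the client has to be rebooted before a changed value takes effect.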