Wireless and Windows roaming profiles

February 3, 2005 4:33:05 PM

Archived from groups: microsoft.public.windows.networking.wireless

I've set up a secure wireless infrastructure on SBS2000, it's small and I
test it on one ACER TM803LMi (with the Intel 2100 built-in). It works with
certificates etc. When I disconnect the cable and restart the PC, then the
user apparently gets logged on with its cached credentials and then the wifi
comes up. There was a warning (cannot find your roaming profile) also. So the
end result is connectivity but no use of the roaming profile and also the
user's netlogon script (net use etc) was not executed.
Can wireless connection be combined with roaming profiles?

Thanks, Ivo
February 3, 2005 4:46:27 PM


Ivo,

This is partly reliant on your hardware and partly on your remote access
policy and group membership. Not all wireless hardware will associate to
the AP and authenticate without a user logged in. Most will retain the
settings of the last user. Assuming that your hardware supports it, you
need the computer to be able to log in using its machine account. This
means that the computer accounts need to be a member of the wireless group
that you are adding your users to. If you are using certificates for TLS,
then you will need to make sure the computers have machine certificates.

Once you do this, the computer will authenticate to the AP when it boots.
This will allow for your users to log into the domain instead of using their
cached creds.

Cheers,


--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
February 3, 2005 6:35:02 PM


Thank you. It's good to know that it should work ;-)

I've read some more articles on this as well as your explanation, and the
problem may be related to an outdated driver on my Acer TM803LMi, it has the
Intel 2100 (b-mode) built-in. I will update the driver tomorrow, the computer
account is part of the wireless group, and the machine certificate is on the
client computer OK.
The outdated driver doesn't show the WPA option in the network
authentication drop down box...

Thank you very much for your reply,
Ivo
February 7, 2005 4:29:06 PM


Hello Mark,

I've upgraded to the latest available Intel 2100b driver found on the Acer
TM803LMi support site. Afterwards I could choose WPA/TKIP in my WXPSP2
notebook and I changed the settings on the Linksys WAP54G accordingly. When
the notebook is restarted (disconnected from the wired network), I'm
presented with the logon dialogue and then (after OK) it takes some time, but
unfortunately the message about not being able to reach the roaming profile
reappears. And once logged on, the drive letters to network shares are not
available (I do NET USE to get the list, it's empty). When I then
logoff/logon, the situation is different. This time it takes the roaming
profile and NET USE shows the drive letters my user likes. But the letters
still do not appear in his Windows Explorer / My Computer, this takes extra
time, but eventually they become available with no extra actions.

Still some questions about this:
- is this the best result I can obtain or can we do better?
- would it work with the roaming profile also after a notebook restart (i.e
on the first logon)
- would there be a sign indicating that the computer connected OK to the
domain, or how does the user know how long to wait before clicking OK on the
logon dialog.

Suggestions on how to proceed are very much appreciated, thanks in advance,
Ivo
February 7, 2005 4:54:46 PM


Based on your description, I am sure you are not passing 802.1X
authentication until after the user is logged in. If these laptops are
going to always be wireless, you will have to resolve the issue. If it's not
resolved, your machine group policy won't work and various things such as
mapped drives and password expiration warnings will not be generated.

The first place to start is your IAS logs. Boot the laptop but don't login.
Check your IAS logs to see if the computer account is trying to connect. I
use this app to look at the logs. It's free to try.
http://www.deepsoftware.ru/iasviewer/ It makes them much easier to read.

If the laptop doesn't even try to connect (there are no logs of it
attempting to auth. to the IAS server) then it's likely that your Intel NIC
or the app running it is not allowing it to associate to the AP until
someone is logged in. This is unlikely as the Intel 2100 should work
correctly. If the logs show an attempted connect that fails, then you
simply verify why it is failing. The logs are likely to answer that
question for you.

I suspect the logs will tell you exactly what is going on. It's likely that
no remote access policies apply to the computer's security context.
Remember, the computer has an account in the domain that it uses to
automatically log itself in to the domain with. This account needs to
have the appropriate group membership etc to pass your remote access policy.

Cheers,

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
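The log check Mark describes above (boot the laptop without logging on, then look in the IAS log for an attempt from the computer account, and if there is one, read why it failed) can be automated. The following is an added example, not code from the thread or from the IAS viewer linked above. It parses IAS-format log records, separates machine attempts (Windows presents the computer account to IAS as host/<fqdn>) from user attempts, tallies Access-Request/Accept/Reject packets and reject reason codes, and reports which of Mark's two cases applies. The log lines are constructed samples; the server name, NAS address and identities are made up. Attribute IDs 4136 (Packet-Type) and 4142 (Reason-Code) and the reason-code meanings are the documented IAS ones.

```python
import csv
from collections import Counter

# IAS-format log records are comma-separated: six fixed fields (NAS-IP-Address,
# User-Name, Record-Date, Record-Time, Service-Name, Computer-Name) followed by
# attribute-id,value pairs. Only two attribute IDs are needed here.
PACKET_TYPE = "4136"   # RADIUS packet type
REASON_CODE = "4142"   # IAS reason code, present on Accept/Reject records
PACKET_NAMES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "11": "Access-Challenge"}
REASON_TEXT = {"0": "success",
               "16": "authentication failed (credential/certificate mismatch)",
               "48": "no remote access policy matched"}

# Constructed sample (not a real capture): the computer account tries first and
# is rejected because no policy matches it; the user then authenticates fine.
# Server, NAS address and identities are made-up placeholders.
SAMPLE_LOG = """\
192.168.1.2,host/tm803.example.local,02/07/2005,16:40:01,IAS,SBSSERVER,4136,1,4128,WAP54G
192.168.1.2,host/tm803.example.local,02/07/2005,16:40:01,IAS,SBSSERVER,4136,3,4142,48,4128,WAP54G
192.168.1.2,EXAMPLE\\ivo,02/07/2005,16:41:10,IAS,SBSSERVER,4136,1,4128,WAP54G
192.168.1.2,EXAMPLE\\ivo,02/07/2005,16:41:11,IAS,SBSSERVER,4136,2,4142,0,4128,WAP54G
"""


def parse_ias_line(line):
    """Split one IAS-format record into a dict of fixed fields plus attributes."""
    fields = next(csv.reader([line]))
    rec = dict(zip(("nas_ip", "user_name", "date", "time", "service", "server"),
                   fields[:6]))
    attrs = fields[6:]
    for i in range(0, len(attrs) - 1, 2):
        rec[attrs[i]] = attrs[i + 1]
    return rec


def is_machine_identity(user_name):
    """Windows sends the computer account as host/<fqdn> during machine authentication."""
    return user_name.lower().startswith("host/")


def summarize(log_text):
    """Count packet types per identity class and collect reject reason codes."""
    summary = {"machine": Counter(), "user": Counter(), "rejects": Counter()}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_ias_line(line)
        kind = "machine" if is_machine_identity(rec["user_name"]) else "user"
        ptype = PACKET_NAMES.get(rec.get(PACKET_TYPE), "Other")
        summary[kind][ptype] += 1
        if ptype == "Access-Reject":
            summary["rejects"][(kind, rec.get(REASON_CODE, "?"))] += 1
    return summary


def diagnose(summary):
    """Map the tallies onto the two cases Mark distinguishes."""
    m = summary["machine"]
    if sum(m.values()) == 0:
        # Nothing from host/... at all: the supplicant never tried, look at the client.
        return "no machine attempt logged: the supplicant never presented a host/ identity (look at the client)"
    if m["Access-Accept"] == 0 and m["Access-Reject"] > 0:
        reasons = ", ".join(f"{code} ({REASON_TEXT.get(code, 'unknown')})"
                            for (kind, code) in summary["rejects"] if kind == "machine")
        return (f"machine attempt rejected, reason {reasons}: "
                "check policy match, group membership and machine certificate")
    if m["Access-Accept"] > 0:
        return "machine authentication succeeded"
    return "machine requests seen but no accept/reject recorded"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("machine:", dict(s["machine"]))
    print("user:   ", dict(s["user"]))
    print(diagnose(s))
```

Run it against a real IAS log file instead of SAMPLE_LOG by reading the file contents into summarize(). An empty machine tally while the user tally fills up after logon is exactly the "user connect OK but no preceding machine connect" pattern, and points at the client; rejects with reason 48 point at the remote access policy and the computer account's group membership on the server side.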
February 10, 2005 5:47:03 PM


You were right about not passing 802.1X authentication based on host
verification. I looked into the IAS log and the computer account is not
trying to connect. In the properties of the wireless connection, there's the
Verification (I have it here in Dutch, so the English wording may not be
exactly as my translation) tab and there's IEEE 802.1X verification is
enabled, EAP type is smartcard or other certificate and the check box "verify
as computer when computer information is available" is selected all right.
But there's nothing in the IAS log about the computer trying to connect...

So I'm afraid this is the unlikely option in your diagnosis...
Thanks for your assistance, where do we go from here?

Ivo

P.S. I've tried to run tests with another notebook at home against a SBS2003
installation but ran into a certification problem, so I'll start a new thread
for that one.
February 10, 2005 7:09:27 PM


Are you using smartcards or software certificates? How are the machine
certificates provisioned? I skimmed back through your posts and didn't see
any reference to the machine certs. You have to have them.

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
February 11, 2005 3:47:02 AM


I understand your remarks. I'm using software certificates, this PC has both
user and computer certificates all right. I'll double check it when I get to
that PC. The machine certificates were provisioned through manual
certificates, which was successful. I followed the procedures as in the
Windows SBS 2003 Administrator's Companion (MS Press book).

Thanks again, Ivo
February 21, 2005 6:23:09 PM

Archived from groups: microsoft.public.windows.networking.wireless (More info?)

In the meanwhile I have it working nicely at another site. That's SBS2003,
with EAP-TLS and machine connects and then the logon dialogue and after logon
the user connects. Same equipment: Linksys WAP54G and Intel 2100 chip on the
client notebook.

At the site with the problem described in the thread, it's SBS2000, I think
I made everybody believe it was SBS2003 so far... Anyway, on this
installation we still have to hope for the better, at the moment user connect
is OK but no preceding machine connect, nothing is entering the IAS. O how I
would love to solve this issue...

Regards, Ivo



Anonymous
February 21, 2005 7:00:19 PM

Archived from groups: microsoft.public.windows.networking.wireless (More info?)

I reread the thread and am not sure, so I'll ask. Were you able to
provision a machine certificate on the laptop?

Does your AP have any logging features that may give EAP related info and
association info? Before the AP sends your laptop's EAP-TLS to the IAS
server, the wireless client must associate. Then the AP sends an
EAP-Request-Identity, which I'm sure is working if you are getting on
with user certs. Your laptop should send an EAP-Response-Identity. The
response is based on the setup of your wireless auth tab. It would help to
know if your PC is associating and if it is seeing and responding to the EAP
messages. Only when this works does your IAS server get to see traffic.

Cheers,


--
Mark Gamache
Certified Security Solutions
http://www.css-security.com



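One way to run the check Mark describes over the IAS log (did the computer account's attempt reach IAS at all, and if it did, why was it rejected?), as an added example that is not from the thread. It assumes the column positions of the database-compatible IAS log format (packet type, user name, reason code; verify against your own log header) and uses constructed sample rows for a working site, the thread's symptom, and a policy mismatch.

```python
"""Triage Windows IAS (RADIUS) log lines: did the computer account ever reach IAS,
and if it did, was it accepted or rejected?  Added example, not from the thread."""
import csv
from collections import defaultdict
from io import StringIO

# Field positions in the IAS "database-compatible" (ODBC) log format.  Assumed here:
# 0 ComputerName, 1 ServiceName, 2 Record-Date, 3 Record-Time, 4 Packet-Type,
# 5 User-Name, ..., 25 Reason-Code.  Check against your own log header if in doubt.
COL_DATE, COL_TIME, COL_PACKET_TYPE, COL_USER, COL_REASON = 2, 3, 4, 5, 25
NUM_FIELDS = 26
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# IAS reason codes the diagnosis names below.
REASON_TEXT = {0: "success", 16: "authentication failure (credentials or certificate rejected)",
               48: "no remote access policy matched"}


def is_machine_account(user_name: str) -> bool:
    """802.1X machine authentication presents the computer's identity, not a user's:
    EAP-TLS sends host/<computer FQDN>; password methods send DOMAIN\\NAME$."""
    u = user_name.strip()
    return u.lower().startswith("host/") or u.endswith("$")


def parse_ias_lines(lines):
    """Yield (identity, packet_type, reason_code) per row; skip rows too short to hold them."""
    for row in csv.reader(lines):
        if len(row) <= COL_REASON or not row[COL_USER] or not row[COL_PACKET_TYPE].isdigit():
            continue
        reason = int(row[COL_REASON]) if row[COL_REASON].strip().isdigit() else None
        yield row[COL_USER], int(row[COL_PACKET_TYPE]), reason


def summarize(lines):
    """Count Access-Request/Accept/Reject per identity and flag machine-account identities."""
    stats = defaultdict(lambda: {"machine": False, "requests": 0, "accepts": 0,
                                 "rejects": 0, "reasons": set()})
    for ident, ptype, reason in parse_ias_lines(lines):
        s = stats[ident]
        s["machine"] = is_machine_account(ident)
        if ptype == ACCESS_REQUEST:
            s["requests"] += 1
        elif ptype == ACCESS_ACCEPT:
            s["accepts"] += 1
        elif ptype == ACCESS_REJECT:
            s["rejects"] += 1
            if reason is not None:
                s["reasons"].add(reason)
    return dict(stats)


def diagnose(stats):
    """Map the counts onto the three situations the thread distinguishes.
    Returns (verdict, explanation)."""
    machines = {k: v for k, v in stats.items() if v["machine"]}
    if not machines:
        return ("no-machine-traffic",
                "No computer account (host/... or NAME$) appears in the log: the supplicant "
                "never presented a machine identity, so the fault is before RADIUS "
                "(802.11 association, the EAPOL identity exchange, supplicant auth mode), "
                "not in the remote access policy.")
    if any(v["accepts"] for v in machines.values()):
        return ("machine-auth-ok", "Computer account(s) authenticated: "
                + ", ".join(sorted(machines)))
    reasons = sorted({r for v in machines.values() for r in v["reasons"]})
    detail = "; ".join(f"{r}: {REASON_TEXT.get(r, 'see IAS reason-code list')}" for r in reasons)
    return ("machine-auth-rejected",
            "Computer account reached IAS but was rejected (" + detail + "): check the "
            "computer account's group membership in the policy and its machine certificate.")


def _row(date, time, ptype, user, reason=""):
    """Build one constructed log line in the assumed column layout (unused fields blank)."""
    fields = [""] * NUM_FIELDS
    fields[0], fields[1] = "SBSSERVER", "IAS"
    fields[COL_DATE], fields[COL_TIME], fields[COL_USER] = date, time, user
    fields[COL_PACKET_TYPE], fields[COL_REASON] = str(ptype), reason
    buf = StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="").writerow(fields)
    return buf.getvalue()


# Constructed sample logs (not real captures).  Site A: machine auth then user auth, both
# accepted.  Site B: only the user ever authenticates, the thread's symptom.  Site C: the
# computer account tries but no policy matches it.
SITE_A = [_row("02/21/2005", "18:05:11", ACCESS_REQUEST, "host/laptop01.contoso.local"),
          _row("02/21/2005", "18:05:12", ACCESS_ACCEPT, "host/laptop01.contoso.local", "0"),
          _row("02/21/2005", "18:05:40", ACCESS_REQUEST, "ivo@contoso.local"),
          _row("02/21/2005", "18:05:41", ACCESS_ACCEPT, "ivo@contoso.local", "0")]
SITE_B = [_row("02/21/2005", "18:09:03", ACCESS_REQUEST, "ivo@contoso.local"),
          _row("02/21/2005", "18:09:04", ACCESS_ACCEPT, "ivo@contoso.local", "0")]
SITE_C = [_row("04/12/2005", "16:30:00", ACCESS_REQUEST, "host/laptop01.contoso.local"),
          _row("04/12/2005", "16:30:01", ACCESS_REJECT, "host/laptop01.contoso.local", "48")]

if __name__ == "__main__":
    for name, log in (("site A", SITE_A), ("site B", SITE_B), ("site C", SITE_C)):
        verdict, why = diagnose(summarize(log))
        print(f"{name}: {verdict}\n  {why}")
```

Point `summarize()` at the lines of a real IAS log file; the verdict "no-machine-traffic" is the case in the thread, where the computer never gets as far as RADIUS and the AP or supplicant side has to be examined first.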
February 22, 2005 10:17:03 AM

Archived from groups: microsoft.public.windows.networking.wireless (More info?)

I managed to provision a machine certificate on the user's laptop, some weeks
ago. Yesterday I went there with my notebook but alas, there was the MMC
certificate request problem (on my notebook only). So the answer to your
question is: yes.
I will look into your protocol sequence in more detail, but this certainly
happens after the user logs on.
Thanks for your good advice, next time when I am on the W2K SBS site, I will
try to make some progress in finding out what's really wrong???
Thanks again, Ivo

April 12, 2005 4:32:21 PM

Archived from groups: microsoft.public.windows.networking.wireless (More info?)

I have reinstalled the notebook and the problem with requesting certificates
went away... Now it seems I'm back at the machine authentication. I actually
set some EAPOL registry key called Authmode to 2, thereby forcing machine
authentication only.
Remember I had user authentication working ok, machine authentication not.

When I change this registry key to 2, the wireless notebook shows
"validating identity" and this goes on forever. No reject/accept messages in
the IAS log, nothing in the IAS system event log. The AP is Linksys WAP54G
and has almost no logging feature. The IAS is a service of the SBS 2003
does-it-all server. I have requested user and machine certificates.

Are you still there?
Thanks,
Ivo
