Guest Marek
Posted November 9, 2007

Hi everyone,

strange problem I have. I use RADIUS server authentication on LINKSYS switch ethernet ports using PEAP MSCHAP V2 on client site.
The problem is Computer GPO is trying to apply computer settings before the NIC is authenticated and the eth. port is unlocked. Netlogon error 5719 in EventLog.
If I disable RADIUS on a particular port everything becomes OK.

Booting behavior is like this:
1. Preparing network connections
2. Applying computer settings - only blink
3. CTRL-ALT-DEL logon dialog
4. User GPO after logon works
5. gpupdate /force in command prompt works too

Note: I run the ping from another machine during the startup; I receive a response after Applying computer settings, a very short time before the logon dialog.

Any suggestions?

Thank you

Marek

Guest Ryan Hanisco
Posted November 10, 2007

RE: RADIUS vs. Computer GPO before user logon

Marek,

This appears to be working as it should, but it seems like you need a longer discovery before the workstation moves on past the computer GPO. Most people wanting to use 802.1x authentication do this by supplying workstation certificates and using IAS as the RADIUS source. This means you can use EAP rather than PEAP and tighten security down further. This also eliminates the problems as the workstations know how to handle IAS 802.1x auth.

In Server 2008, this is being packaged as a more standard part of the OS and I am expecting it to become a more common feature on Windows Networks.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need quickly.

"Marek" wrote:

> Hi everyone,
>
> strange problem I have. I use RADIUS server authentication on LINKSYS switch
> ethernet ports using PEAP MSCHAP V2 on client site.
> The problem is Computer GPO is trying to apply computer settings before the NIC
> is authenticated and the eth. port is unlocked. Netlogon error 5719 in EventLog.
> If I disable RADIUS on a particular port everything becomes OK.
>
> Booting behavior is like this:
> 1. Preparing network connections
> 2. Applying computer settings - only blink
> 3. CTRL-ALT-DEL logon dialog
> 4. User GPO after logon works
> 5. gpupdate /force in command prompt works too
>
> Note: I run the ping from another machine during the startup; I receive a
> response after Applying computer settings, a very short time before the logon dialog.
>
> Any suggestions?
>
> Thank you
>
> Marek

Guest Marek
Posted November 11, 2007

RE: RADIUS vs. Computer GPO before user logon

Ryan,

thank you for your answer. I did what you recommended, with partial success. The GPO runs; what is strange is that the Netlogon 5719 event is still logged. The interesting thing is that the Netlogon event on the workstation and the IAS event on the RADIUS server about granted access are logged at the same time, or the IAS granted access event is logged a few seconds before Netlogon 5719.

Netlogon 5719 error:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5719
Date: 11. 11. 2007
Time: 0:29:54
User: N/A
Computer: PCOVF02
Description:
No Domain Controller is available for domain SCT due to the following:
There are currently no logon servers available to service the logon request. ..
Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0 ^..À

Marek

"Ryan Hanisco" wrote:

> Marek,
>
> This appears to be working as it should, but it seems like you need a
> longer discovery before the workstation moves on past the computer GPO. Most
> people wanting to use 802.1x authentication do this by supplying workstation
> certificates and using IAS as the RADIUS source. This means you can use EAP
> rather than PEAP and tighten security down further. This also eliminates the
> problems as the workstations know how to handle IAS 802.1x auth.
>
> In Server 2008, this is being packaged as a more standard part of the OS and
> I am expecting it to become a more common feature on Windows Networks.
> --
> Ryan Hanisco
> MCSE, MCTS: SQL 2005, Project+
> http://www.techsterity.com
> Chicago, IL
>
> Remember: Marking helpful answers helps everyone find the info they need
> quickly.
>
>
> "Marek" wrote:
>
> > Hi everyone,
> >
> > strange problem I have. I use RADIUS server authentication on LINKSYS switch
> > ethernet ports using PEAP MSCHAP V2 on client site.
> > The problem is Computer GPO is trying to apply computer settings before the NIC
> > is authenticated and the eth. port is unlocked. Netlogon error 5719 in EventLog.
> > If I disable RADIUS on a particular port everything becomes OK.
> >
> > Booting behavior is like this:
> > 1. Preparing network connections
> > 2. Applying computer settings - only blink
> > 3. CTRL-ALT-DEL logon dialog
> > 4. User GPO after logon works
> > 5. gpupdate /force in command prompt works too
> >
> > Note: I run the ping from another machine during the startup; I receive a
> > response after Applying computer settings, a very short time before the logon dialog.
> >
> > Any suggestions?
> >
> > Thank you
> >
> > Marek
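
The Data bytes in the 5719 event posted above (5e 00 00 c0) are a little-endian NTSTATUS value. As an added example that is not part of the original thread, this Python code decodes them from the pasted event text and relates the event time to an 802.1X grant time; the IAS timestamp, the 30-second window and the function names are assumptions.

```python
import re
import struct
from datetime import datetime

# Fields copied from the Netlogon 5719 event posted above.
EVENT_TEXT = """Event Source: NETLOGON
Event ID: 5719
Date: 11. 11. 2007
Time: 0:29:54
Data:
0000: 5e 00 00 c0"""

# Constructed value: the thread gives no IAS timestamp, only "a few seconds before".
IAS_GRANT = datetime(2007, 11, 11, 0, 29, 51)

NO_LOGON_SERVERS = 0xC000005E  # NTSTATUS STATUS_NO_LOGON_SERVERS


def parse_netlogon_event(text):
    """Return the event id, timestamp and NTSTATUS carried in the Data dump."""
    fields = dict(re.findall(r"^(Event ID|Date|Time):\s*(.+?)\s*$", text, re.M))
    dump = re.search(r"^0000:((?:\s+[0-9a-fA-F]{2}){4})", text, re.M)
    if dump is None or not {"Event ID", "Date", "Time"} <= fields.keys():
        raise ValueError("not a complete event record")
    # The four Data bytes are a DWORD stored little-endian.
    (status,) = struct.unpack("<I", bytes.fromhex("".join(dump.group(1).split())))
    when = datetime.strptime(fields["Date"] + " " + fields["Time"],
                             "%d. %m. %Y %H:%M:%S")
    return {"id": int(fields["Event ID"]), "when": when, "status": status}


def classify(event, port_granted, window_s=30):
    """Heuristic (assumption): relate the 5719 time to the 802.1X grant time."""
    if event["id"] != 5719 or event["status"] != NO_LOGON_SERVERS:
        return "not-a-no-logon-servers-event"
    delta = (event["when"] - port_granted).total_seconds()
    if delta < 0:
        return "logged-before-port-authorized"
    if delta <= window_s:
        return "logged-just-after-port-authorized"
    return "logged-long-after-port-authorized"


if __name__ == "__main__":
    ev = parse_netlogon_event(EVENT_TEXT)
    print(hex(ev["status"]), classify(ev, IAS_GRANT))
```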