RADIUS vs. Computer GPO before user logon

[Guest Marek]

Hi everyone,

 

strange problem I have. I use RADIUS server authentication on LINKSYS switch

ethernet ports using PEAP MSCHAP V2 on client site.

The problem is Computer GPO is trying to apply computer settings before NIC

is authenticated and eth.port unlock. Netlogon error 5719 in EventLog.

If I disable RADIUS on particular port everything become OK.

 

Booting behavior is like this:

1. Preparing network connections

2. Applying computer settings - only blink

3. CTRL-ALT-DEL logon dialog

4. User GPO after logon work

5 gpupdate /force in command promt works too

 

note: I run the ping from another machine during the startup I recieve

response after Applying computer settings, very short time before logon dialog

 

Any suggestions?

 

Thank you

 

Marek

[Guest Ryan Hanisco]

RE: RADIUS vs. Computer GPO before user logon

 

Marek,

 

This appears to be working as it should, but its seems like you need a

longer discovery before the workstation moves on past the computer GPO. Most

people wanting to use 802.1x authentication so this by supplying workstation

certificates and using IAS as the RADIUS source. This means you can use EAP

rather than PEAP and tighten security down further. This also eliminates the

problems as the workstations know how to handle IAS 802.1x auth.

 

In Server 2008, this is being packaged as a more standard part of the OS and

I am expecting it to become a more common feature on Windows Networks.

--

Ryan Hanisco

MCSE, MCTS: SQL 2005, Project+

http://www.techsterity.com

Chicago, IL

 

Remember: Marking helpful answers helps everyone find the info they need

quickly.

 

 

"Marek" wrote:

> Hi everyone,

>

> strange problem I have. I use RADIUS server authentication on LINKSYS switch

> ethernet ports using PEAP MSCHAP V2 on client site.

> The problem is Computer GPO is trying to apply computer settings before NIC

> is authenticated and eth.port unlock. Netlogon error 5719 in EventLog.

> If I disable RADIUS on particular port everything become OK.

>

> Booting behavior is like this:

> 1. Preparing network connections

> 2. Applying computer settings - only blink

> 3. CTRL-ALT-DEL logon dialog

> 4. User GPO after logon work

> 5 gpupdate /force in command promt works too

>

> note: I run the ping from another machine during the startup I recieve

> response after Applying computer settings, very short time before logon dialog

>

> Any suggestions?

>

> Thank you

>

> Marek

[Guest Marek]

RE: RADIUS vs. Computer GPO before user logon

 

Ryan,

 

thank you for your answer.

I did what you recommend with partial success.

 

GPO run, what is strange the Netlogon 5719 Event is still logged.

The interesting is the Netlogon event on the workstation and IAS event on

radius server about granted access are logged in the same time or IAS granted

access event is logged few seconds before Netlogon 5719.

 

Netlogon 5719 error:

 

Event Type: Error

Event Source: NETLOGON

Event Category: None

Event ID: 5719

Date: 11. 11. 2007

Time: 0:29:54

User: N/A

Computer: PCOVF02

Description:

No Domain Controller is available for domain SCT due to the following:

There are currently no logon servers available to service the logon request.

..

Make sure that the computer is connected to the network and try again. If

the problem persists, please contact your domain administrator.

 

For more information, see Help and Support Center at

http://go.microsoft.com/fwlink/events.asp.

Data:

0000: 5e 00 00 c0 ^..À

 

Marek

 

"Ryan Hanisco" wrote:

> Marek,

>

> This appears to be working as it should, but its seems like you need a

> longer discovery before the workstation moves on past the computer GPO. Most

> people wanting to use 802.1x authentication so this by supplying workstation

> certificates and using IAS as the RADIUS source. This means you can use EAP

> rather than PEAP and tighten security down further. This also eliminates the

> problems as the workstations know how to handle IAS 802.1x auth.

>

> In Server 2008, this is being packaged as a more standard part of the OS and

> I am expecting it to become a more common feature on Windows Networks.

> --

> Ryan Hanisco

> MCSE, MCTS: SQL 2005, Project+

> http://www.techsterity.com

> Chicago, IL

>

> Remember: Marking helpful answers helps everyone find the info they need

> quickly.

>

>

> "Marek" wrote:

>

> > Hi everyone,

> >

> > strange problem I have. I use RADIUS server authentication on LINKSYS switch

> > ethernet ports using PEAP MSCHAP V2 on client site.

> > The problem is Computer GPO is trying to apply computer settings before NIC

> > is authenticated and eth.port unlock. Netlogon error 5719 in EventLog.

> > If I disable RADIUS on particular port everything become OK.

> >

> > Booting behavior is like this:

> > 1. Preparing network connections

> > 2. Applying computer settings - only blink

> > 3. CTRL-ALT-DEL logon dialog

> > 4. User GPO after logon work

> > 5 gpupdate /force in command promt works too

> >

> > note: I run the ping from another machine during the startup I recieve

> > response after Applying computer settings, very short time before logon dialog

> >

> > Any suggestions?

> >

> > Thank you

> >

> > Marek