802.1x user authentication on local pc and not from AD

Guest

Hi,

my configuration:
WinXP SP2 (using Protected EAP, no certificate authentication, MS-CHAP v2)
HP switches with two VLANs
Cisco Secure ACS 3.3 (RADIUS server)
Microsoft Win2003 R2 AD

The switches are managing two LANs. One is the guest LAN and the other one
is the official network. The users are authenticated through their network
profile/password over the Cisco RADIUS server, which queries the Active
Directory. If OK, the switch assigns the computer an IP of the official
network; if not, an IP address of the guest LAN.

The problem is that when the users log in, they are authenticated on the
WinXP cached local profile, and only afterwards (after one minute) are they
authenticated by the Active Directory and receive the correct IP
address.

This means that no login messages appear (password to change...),
programs launched at startup fail to connect to the network,
and users that don't already have a local profile are not able to log on to
the PC anymore.
 
Andrew

Mauro said:
Hi,

my configuration:
WinXP SP2 (using Protected EAP, no certificate authentication, MS-CHAP v2)
HP switches with two VLANs
Cisco Secure ACS 3.3 (RADIUS server)
Microsoft Win2003 R2 AD

The switches are managing two LANs. One is the guest LAN and the other one
is the official network. The users are authenticated through their network
profile/password over the Cisco RADIUS server, which queries the Active
Directory. If OK, the switch assigns the computer an IP of the official
network; if not, an IP address of the guest LAN.

The problem is that when the users log in, they are authenticated on the
WinXP cached local profile, and only afterwards (after one minute) are they
authenticated by the Active Directory and receive the correct IP
address.

This means that no login messages appear (password to change...),
programs launched at startup fail to connect to the network,
and users that don't already have a local profile are not able to log on to
the PC anymore.

802.1x can do two types of authentication: computer (sometimes called
machine or host) authentication and user authentication. It sounds like
you're only doing user auth, which means that until the user is logged in to
XP and THEN to the switch, you have no connectivity.

To get around this you'll have to enable computer authentication as well.
In the Network properties authentication tab, make sure "Authenticate as
computer when computer information is available" is checked. You'll also
have to make sure that the computer is put in the right VLAN. Can the Guest
VLAN access the AD? If so, putting the computer into the Guest VLAN is
probably best, but if not you'll have to put the computer into the
"official" network. Another option is to create a 3rd VLAN that only has
access to the AD and other necessary resources for the computer to log in
and use that.

So when a machine boots up and gets to the GINA (login screen) and before
the user is logged on, it will have network access. When the user logs on,
it will authenticate the user and put them in the appropriate VLAN. Make
sure that your AuthMode DWORD is set to 1 in your registry as well for all
this to work.

Good luck.
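As an added example (not part of the thread and not Andrew's own script), the AuthMode setting from the reply can be applied and verified from a command prompt on XP SP2 rather than by hand in regedit. The registry path below is an assumption taken from Microsoft's documentation of the XP SP2 EAPOL supplicant; it is not stated in the thread, so confirm it on your build before rolling it out. The per-interface "Authenticate as computer when computer information is available" checkbox is still set in the Network properties dialog (or via Group Policy), as Andrew describes.

```batch
@echo off
rem Added example, not from the thread: set the XP SP2 802.1X supplicant to
rem AuthMode=1 (computer authentication at boot, re-authentication with the
rem user's credentials at logon, as described in Andrew's reply) and verify.
rem Assumed registry location for the XP SP2 EAPOL supplicant (verify locally):
rem   HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
rem Run from an Administrator command prompt.

set KEY=HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global

rem Write the DWORD value; /f overwrites an existing value without prompting
reg add "%KEY%" /v AuthMode /t REG_DWORD /d 1 /f
if errorlevel 1 (
    echo Failed to write AuthMode - are you running as Administrator?
    exit /b 1
)

rem Read it back so the change can be confirmed (expect 0x1 in the output)
reg query "%KEY%" /v AuthMode
if errorlevel 1 (
    echo AuthMode is not present after the write - check the key path above.
    exit /b 1
)

rem The supplicant reads this value at start-up: reboot the machine (or
rem restart the supplicant service) before testing machine authentication.
echo AuthMode set to 1. Reboot, then watch the switch port / RADIUS log for a
echo computer-account (host\machinename$) authentication before user logon.
exit /b 0
```

When checking the result, the RADIUS server log is the place to look: with machine authentication working you should see the computer account authenticate at boot (before the GINA appears) and a second, separate authentication for the user account at logon, each followed by the VLAN the switch assigns. If only the user authentication ever shows up, the per-interface checkbox is still unset.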
 
