Main Nav

We have a number of laptops that are mobile labs (Tanks) and in the library for students to check out.

We push the 802.1x settings via AD and it works very well.  The problem we have run into is that when we have login set to 'user or computer' and check single sign-on it comes up and logs into the network using the computer name just fine.  But then when the user logs in it immediately authenticates 802.1x as the user and then proceeds to churn until ultimately failing with "No logon servers found".  

The strangest thing about this is that packet captures reveal that while the machine is churning it is sending out ARPs for its gateway.  The gateway replies but the client ignores it.  It does this 30-40 times before giving up.

If the user has logged onto the machine before they will get on with cached credentials and they will be fine, other than being grumpy over how long it takes to get on.  If they have never logged on before they will get the dreaded "No logon servers found"

Doing a 'ARP -a' at the command line reveals the gateway address is listed and the machine is able to browse just fine.

I don't think this is a wireless\policy issue as I set up the client to get our IT_Admins profile no matter what and also after the client finally stops asking for the gateway's mac address everything is fine.

Our work around is to just set it to Computer authentication only.  This is a bummer because we lose visibility as well as the ability to apply user based profiles.


--
John Kaftan
IT Infrastructure Manager
Utica College

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Do you have this issue if you leave computer and user but uncheck Single Sign On?

 

As far as I know, Single Sign-on is an alternative to machine authentication. I don’t think it is designed to be used with it.

 

By default, Windows will switch to user authentication at the desktop.

 

Single sign allows the users credentials to be used to authenticate and contact AD vs machine auth which uses the computers account to contact AD.

 

Tim

 

 

Tim Cappalli  |  ACCP /  ACMP /  CCNA
Wireless Engineer  |  Brandeis University
cappalli@brandeis.edu | (617) 701-7149

 

I tried that and got the same results.

I am able to get a packet capture of the traffic just before it hits the radio and can see that the arp replies are making it that far.  So I believe they are getting "on-the-air" to get back to my client.  I have found that if I have logged on the machine successfully before I get on the desktop.  If I have not logged onto the machine before I get "No logon servers found".  I installed Wireshark on one of the machines and was able to get on the desktop and run Wireshark while this is happening and I do not see any packets reaching the machine via the wireless NIC.  However, if I disconnect and reconnect from the wireless network it starts working immediately.

I am not sure about the ins and outs of what is going on with 802.1x and Enterprise WPA2 but I believe the encryption key comes from a combination of the username and password if you are not using certificates.  I am wondering if my issue is that the client or the wireless controller is not re-keying the encryption when the user changes from computer to user.  If that was the case the AP would be sending the encryption using one key and client would be deciphering using another key thus the traffic would never hit the stack.  



We have started using a group policy for user AD authentication on our loaner laptops, here are the instructions sent to the desktop folks:

 

Click Start

In the search box type group policy

Press ENTER

Open the following folder:

Computer Configuration > Administrative Templates > System > Logon

 

Double click on the Always wait for the network at computer startup and logon setting

 

Click the radio button to Enabled

Click OK and Exit Local Group Policy Editor

Restart the machine, disconnect from the wired network and verify the logon process works for a new user

 

We use user authentication only, so there may be a change for you. Test it, let me know if it works in your environment as well.


Thanks.

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Monday, February 10, 2014 3:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Strange 802.1x behavior with single signon

 

I tried that and got the same results.

 

I am able to get a packet capture of the traffic just before it hits the radio and can see that the arp replies are making it that far.  So I believe they are getting "on-the-air" to get back to my client.  I have found that if I have logged on the machine successfully before I get on the desktop.  If I have not logged onto the machine before I get "No logon servers found".  I installed Wireshark on one of the machines and was able to get on the desktop and run Wireshark while this is happening and I do not see any packets reaching the machine via the wireless NIC.  However, if I disconnect and reconnect from the wireless network it starts working immediately.

 

I am not sure about the ins and outs of what is going on with 802.1x and Enterprise WPA2 but I believe the encryption key comes from a combination of the username and password if you are not using certificates.  I am wondering if my issue is that the client or the wireless controller is not re-keying the encryption when the user changes from computer to user.  If that was the case the AP would be sending the encryption using one key and client would be deciphering using another key thus the traffic would never hit the stack.  

 

 

Close
Close


Annual Conference
September 29–October 2
Register Now!

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.

Close

Digital Badges
Member recognition effort
Earn yours >

Career Center


Leadership and Management Programs

EDUCAUSE Institute
Project Management

 

 

Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.

 

Close
EDUCAUSE organizes its efforts around three IT Focus Areas

 

 

Join These Programs If Your Focus Is

Close

Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
 

 

Close

2014 Strategic Priorities

  • Building the Profession
  • IT as a Game Changer
  • Foundations


Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.