OK, I've found it. It's not actually a registry key, it's a GPO itself :)
In order to ensure that the wireless connection is fully established
(authenticated and IPed) before the login box appears (therefore
ensuring that computer GPOs are applied and users are not logged in via
cached credentials and get their user GPOs and login scripts), you need
to change the "Always wait for network at startup and logon" policy
setting on the client machine to "true". This is apparently a
recommended practice by several folks at Microsoft. It changes the
startup/logon so that it acts identically to how it was in Windows 2000.
I would recommend that you go ahead and set this in your domain so that
new machines get the policy, however, due to the fact that computer GPOs
don't get downloaded to the client machines with the current setup,
you're likely to have to set this manually on the client machines that
are having issues. You'll find this setting using the Group Policy MMC
snap-in. Edit the Local Computer group policies, and navigate to "Local
Computer Policy\Computer Configuration\Administrative
Templates\System\Logon". You'll find this setting under there. I've
tested it here, and it does appear to work as advertised. My machines
no longer show the login box until after I've seen a successful 802.1x
authentication on the wireless adapter.
--Mike
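A way to verify this setting on a client before and after it is changed, as an added example that is not from the thread or from Microsoft: the PowerShell below reads the Winlogon policy value that backs the "Always wait for the network at computer startup and logon" setting, reports its state, and optionally enforces it. The assumption it relies on is that the setting is stored as the DWORD SyncForegroundPolicy under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon (the documented ADMX mapping); the gpresult check at the end confirms what Group Policy actually delivered.

```powershell
# Added example (not from the thread). Checks whether the
# "Always wait for the network at computer startup and logon" policy is
# enforced on the local machine, and optionally enforces it.
# Assumption: the policy is backed by the DWORD SyncForegroundPolicy under the
# Winlogon policy key below (documented ADMX mapping; confirm with gpresult).
param([switch]$Enforce)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName = 'SyncForegroundPolicy'

function Get-WaitForNetworkState {
    # Returns NotConfigured, Enabled or Disabled for the local policy value.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

$state = Get-WaitForNetworkState
Write-Host "Always wait for network at startup and logon: $state"

if ($Enforce -and $state -ne 'Enabled') {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'Policy value set; the change takes effect at the next startup.'
}

# Show whether a GPO (domain or local) is delivering the value, so a machine
# that only received a manual registry edit is distinguishable from one that
# is actually getting the policy.
gpresult /scope:computer /v | Select-String -Pattern 'SyncForegroundPolicy' -Context 1,1
```

Run it from an elevated prompt; without -Enforce it only reports. A value written directly to the registry changes the logon behaviour but does not appear in the gpresult output, which is why the thread suggests setting it through the Local Computer Policy editor on affected clients and in the domain GPO for new machines.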
Michael Griego wrote:
Are you using IAS for your RADIUS server? If so, what you may be
running into is just Windows XP's helpful
bring-the-login-box-up-before-the-network-is-ready feature. Windows
2000 and below wouldn't show you the login box until the network
connections had been completed, however Windows XP will show it before
it's done. This, combined with eager users, means that a login attempt
will occur before the machine can contact a domain controller,
resulting in the use of cached credentials, etc.
Unfortunately I can't remember or put my finger on the document that lists
the exact registry key at the moment, but there is a registry key in
XP that you can set that will change the behavior so that the login
window is *not* displayed until XP has brought up all the network
connections, including 802.1x authenticated connections.
--Mike
Katie Rose wrote:
At Notre Dame, we're finding some issues when using 802.1x on
computers that belong to our Active Directory domain. The
authentication to access the wireless network appears to happen after
the user has actually logged into the computer, so some GPOs to
manage the computer don't get applied properly during login. Is
anyone else seeing this issue? If so, how are you handling it?
Thanks in advance,
Katie Rose
University of Notre Dame - OIT
**********
Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.