802.1x Wireless User Auth w/ XP Mandatory Profiles?

[ChrisCole]

Hi there,

Anyone ever had problems with 802.1x (EAP-MS-CHAPV2) user authentication over wireless not working when using mandatory user profiles (WinXP, SP3)?

When a user logs on with a mandatory profile the RADIUS server (IAS on 2008) just sees repeated attempts to authenticate, but there's never an IAS_SUCCESS event indicating a proper connection (the clients stall at the 'validating identity' stage). Simply changing the profile to a normal roaming profile (NTUSER.MAN --> NTUSER.DAT, no other changes) results in everything working fine with successful authentication, and connection, etc. Rather odd and rather frustrating - the lack of anything on Google makes me wonder if it mightn't be an SP3 foible, but annoyingly I don't have any SP2 machines immediately to hand...

Will crack out Wireshark/Process Monitor tomorrow and figure this out, but kind of hopeful someone here might well have experienced this before?

Cheers,

Chris.

[FN-GM]

Have you tired recreating a profile?

Z

[risbell]

Did anyone find a fix for this problem. I am having the same thing happen.

Thanks

Ricky

[plexer]

Interesting we use machine authentication here so don't have an issue with user profiles.

Ben

[spc-rocket]

Hi there,

Anyone ever had problems with 802.1x (EAP-MS-CHAPV2) user authentication over wireless not working when using mandatory user profiles (WinXP, SP3)?

When a user logs on with a mandatory profile the RADIUS server (IAS on 2008) just sees repeated attempts to authenticate, but there's never an IAS_SUCCESS event indicating a proper connection (the clients stall at the 'validating identity' stage). Simply changing the profile to a normal roaming profile (NTUSER.MAN --> NTUSER.DAT, no other changes) results in everything working fine with successful authentication, and connection, etc. Rather odd and rather frustrating - the lack of anything on Google makes me wonder if it mightn't be an SP3 foible, but annoyingly I don't have any SP2 machines immediately to hand...

Will crack out Wireshark/Process Monitor tomorrow and figure this out, but kind of hopeful someone here might well have experienced this before?

Cheers,

Chris.

Hi,

I don;t know if mandatory profile locks down the registry but with that setup the users will need access to HKEY_CURRENT_USER\Software\Microsoft\EAPOL\UserEap Info

Try to see if access is denied to this section of the registry.

Ash.

[risbell]

Interesting we use machine authentication here so don't have an issue with user profiles.

Ben

Yeah, we have to use Computer Authentication now since SP3. Whatever happened, SP3 it. We had no problem until we upgraded to SP3. Wonder why Microsoft would have disabled 802.1x User Authenication with Mandatory Profiles?

Thanks

Ricky

[mrayner]

I am also having the same problem.... after taking forever to narrow down...

No one have a proper fix without moving to computer auth or changing to roaming profiles.....?

[korupt_coupe]

We are also having this issue - what brand of Access Points are you using?

Has there been any solution to this without changing Authentication types?

[trolley01]

Just been working on this issue myself, and have found a solution.

Microsoft have released a hotfix to solve the problem, which allows user authentication to take place using 802.1x on Windows XP SP3.

A Windows XP Service Pack 3-based client computer cannot use the IEEE 802.1x authentication when you use PEAP with PEAP-MSCHAPv2 in a domain

Hope this helps.

[DaveT]

Hiya

we had a similar problem, dont have time to check if its same as the one posted above but ours turned out to be a server2008 issue.

search for and read up on KB969111, sorry if its the same as already posted

Dave