Wireless Networks Thread, Ruckus, domain not available and EAP-TLS in Technical; We're running a Ruckus wireless system here and although generally very happy with it we find the Windows XP (SP3) ...
24th October 2011, 10:59 AM #1
Ruckus, domain not available and EAP-TLS
We're running a Ruckus wireless system here and although generally very happy with it we find the Windows XP (SP3) clients regularly fail to connect with the error '<domain> not available'
This is running WPA2-AES with Radius and computer authentication. As we have lots of netbooks/laptops this is a fairly frequent and annoying problem. It can always be fixed by hard wiring the netbook, running GPUpdate and then rebooting so its not an issue with the wireless side.
So, I'd like to try and set this up to use client certificates (EAP-TLS) to remove any issues with the XP client losing settings. I've got auto enrollment on and the clients show a valid certificate from our internal CA. I've set the wireless connection to use 'Smart card or other certificate' and specified the CA in the server list. The clients can see the WLAN but always fail to connect with the error 'Windows cannot find a certificate to log you on..' which is where it all falls apart!
I can see the local machine certificate and thats fine, the CA is fine and the wireless is fine. So can XP SP3 copy with EAP-TLS or am I just stuck with the problem?
I've already check MS article 929847 and set the AuthMode to computer authentication only but thats made no difference!
Edit: I've just found the following error being logged in the IAS server:
'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider'
I've checked on the IAS server and our CA is in the Trusted Root CA list and has 4 years before expiry!
Last edited by Sheridan; 24th October 2011 at 11:43 AM.
IDG Tech News
24th October 2011, 11:48 AM #2
This is an XP issue due to wireless and wired auth not being synchronised with the netlogon service. You can add a delay before netlogon gives up trying to get the policy but it only helps a little. I doubt the certificates will help as the services will still start in the wrong order.
Originally Posted by Sheridan
Microsoft fixed it in Vista onwards but have no plans to do the same with XP. You will probably find it is worse on the faster machines due to the services starting more quickly.
24th October 2011, 12:00 PM #3
That would explain why the Win7 netbooks don't have the problem!
24th October 2011, 12:01 PM #4
I was using 802.1x wired auth, it got bad enough to move everything to Vista for a year before going to 7!
Originally Posted by Sheridan
24th October 2011, 12:03 PM #5
24th October 2011, 12:14 PM #6
Ah I've already got that registry patch in place - it didn't seem to make much difference. Its such a random occurence but we can have anything from 1 to 10 of these fail at any one time. Its a right pain and I can't believe MS haven't patched it. I thought using EAP-TLS might help but I might be better looking to move to Win7
24th October 2011, 02:21 PM #7
Has anyone got EAP-TLS working in this sort of environment? I would like to try it out at least to rule it out!
By mitchell1981 in forum Wireless Networks
Last Post: 18th November 2010, 11:51 AM
By Rydra in forum Windows
Last Post: 12th February 2010, 03:42 PM
By Gibbo in forum How do you do....it?
Last Post: 27th November 2008, 03:52 PM
Last Post: 15th June 2007, 01:01 PM
By Uraken in forum Wireless Networks
Last Post: 2nd March 2007, 10:33 AM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)