Application Note

Resolving Domain GPO and Scripting Failures with 802.1X
Purpose
When working in a Windows domain environment, introducing 802.1X can cause timing issues and race conditions, which result in problems such as domain server lockouts, Group Policy Objects (GPOs) failing to load, and/or domain scripts failing to run. This document discusses solutions to these issues, which are most common on fast machines. WARNING: This document describes modification of the Windows Registry and Group Policy Objects. Modifying registry values incorrectly can render your machine useless. Meetinghouse is not responsible for any damage or loss incurred as a result of registry or GPO modifications.

Environment
Software Required
AEGIS Client – version 2.2.3.0 or greater.

Introduction
In a domain logon environment, the AEGIS client should be configured for logon-time authentication only. Typically, the logon credentials are used to achieve Single Sign On (SSO). To implement this on the authenticator side, the RADIUS server will typically use Active Directory (or an NT store) as the credential repository.

During logon-time authentication, the AEGIS client interrupts and holds the Winlogon process after the credentials used to perform the 802.1X authentication have been collected. On success, the server passes any required RADIUS attributes to the NAS, such as those required for VLAN switching. The NAS passes the EAP success to the client, which then issues a DHCP release/renew to obtain an IP address. In the success case, control is returned to Winlogon after the client receives an IP address, indicating connectivity. Control is also returned to Winlogon in failure scenarios, such as when authentication fails, a timeout occurs, or the user hits the “Cancel” button on the client’s popup to stop waiting for the authentication to succeed.

Even if the authentication succeeds, the Group Policy Engine and AD are still active during the authentication and may enter a race condition or time out due to the lack of network connectivity. By the time Winlogon has control and the PC has network connectivity (on the correct VLAN), the window for downloading GPOs and scripts may have already passed. The following modifications, discussed in this document, appear to improve the chances of success:
- Resetting the Windows Cached Domain Logon Registry value
- Migrating to SP2
- Windows Logon Serialization (on XP)
- Extending Registry Entries

Procedures
Use the following procedures to implement solutions to common domain GPO and scripting issues encountered with 802.1X.

Resetting the Windows Cached Domain Logon Registry
We recommend setting the Windows CachedLogonsCount registry value to 0 before making other modifications. This value determines the number of cached domain logons allowed when the network domain controller is unavailable. A value of 0 forces logon against the domain controller, as opposed to a logon using cached credentials. Any error contacting the domain controller will then generate an immediate Windows error, which would not manifest if cached credentials were in use. The location of the value is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount. (If it does not exist, create it as type REG_SZ.) This key is illustrated below.

50 International Drive, Suite 100 | Portsmouth, New Hampshire 03801 | United States of America www.mtghouse.com | info@mtghouse.com | 1.603.430.7710 | fax: 1.603.430.8436 Page 1 of 5 | 4-Aug-2005 © 2005 Meetinghouse Data Communications, Incorporated. All rights reserved.

Migrating to SP2
GPO and domain scripting failures occur on XP Pro SP1 and SP2, and Windows 2K. We have not received reports about working with a client running on NT4. Although our sample size is not large, it seems that the problems discussed in this document are less likely to occur with Win2K. If working in XP, it is advisable that you migrate to SP2, since all Meetinghouse development and most testing is done against SP2.

Windows Logon Serialization (on XP)
When working in XP, the Windows logon processes (initiated under the WinLogon process) run largely in parallel. By contrast, in Windows 2K these actions run largely in serial. We have found, in some cases, that setting a GPO value which essentially restores the Win2K serial style eliminates GPO and scripting problems. This is accomplished using the Group Policy Editor as follows:

1. From the Windows desktop, select Start > Run.
2. Enter gpedit.msc in the Open field of the Run window and click OK.
3. From the tree in the resulting window, select: Group Policy > Computer Configuration > Administrative Templates > System > Logon. If the Administrative Templates are not present: right-click Computer Configuration, select Add and select the System template.
4. Under Setting, right-click Always wait for the network at computer startup and logon and select Properties.
5. From the Settings tab, select Enabled.

Extending Registry Entries
Modifying or adding the GpNetworkStartTimeoutPolicyValue pair of registry values is the most important action to take to allow more time for the GPOs to come down from the domain server. To do this, use the Registry Editor to set (and if necessary create) the following two registry entries with the values shown:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"GpNetworkStartTimeoutPolicyValue"=dword:00000258

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GpNetworkStartTimeoutPolicyValue"=dword:00000258

This implements a Microsoft hot fix which is documented at: http://support.microsoft.com/default.aspx?scid=kb;en-us;840669

The hot fix extends the period available for GPOs and scripts to come down from the domain controller after 802.1X authentication. The values given above represent decimal 600 seconds, and are the maximum permitted. The Microsoft document recommends 60 seconds, but we have reports that this is not adequate, and that using the longer value does not create any delays. It has also been reported that even longer values, up to decimal 5000, can improve function. For more information please follow the link above. An illustration of the first key is shown below.
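As an added example (not part of the Meetinghouse note), the following PowerShell script audits the registry values recommended in this section and in the CachedLogonsCount section above, and sets them when run with -Apply; reading each value back with its data type catches the common mistake of creating CachedLogonsCount as a DWORD or the timeout as a string. It assumes the 600-second timeout given above, and it checks (but does not set) SyncForegroundPolicy, which is the value the "Always wait for the network at computer startup and logon" policy writes; that value name is not in the note, and the policy itself should still be enabled through gpedit.msc as described.

```powershell
# Added example, not from the Meetinghouse note. Run from an elevated prompt.
# -Apply writes the values; without it the script only reports the current state.
param([switch]$Apply, [int]$TimeoutSeconds = 600)   # 600 = dword:00000258 in the note

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Settings = @(
    # CachedLogonsCount must be REG_SZ ("0"), not a DWORD, as the note states.
    @{ Path = $Winlogon; Name = 'CachedLogonsCount'; Kind = 'String'; Value = '0'; Set = $true },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'GpNetworkStartTimeoutPolicyValue'; Kind = 'DWord'; Value = $TimeoutSeconds; Set = $true },
    @{ Path = $Winlogon; Name = 'GpNetworkStartTimeoutPolicyValue'; Kind = 'DWord'; Value = $TimeoutSeconds; Set = $true },
    # Audit only: written by the "Always wait for the network" policy (assumption, not in the note);
    # setting it by hand would be overwritten by the policy engine, so enable it in gpedit.msc instead.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'SyncForegroundPolicy'; Kind = 'DWord'; Value = 1; Set = $false }
)

foreach ($s in $Settings) {
    if ($Apply -and $s.Set) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        # -Type fixes the registry data type (REG_SZ vs REG_DWORD) explicitly
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type $s.Kind
    }
    $key = Get-Item -Path $s.Path -ErrorAction SilentlyContinue
    if (-not $key -or ($key.GetValueNames() -notcontains $s.Name)) {
        "MISSING  $($s.Path)\$($s.Name)  (expected $($s.Kind) $($s.Value))"
        continue
    }
    $actual = $key.GetValue($s.Name)
    $kind   = $key.GetValueKind($s.Name)          # RegistryValueKind: String, DWord, ...
    $ok     = ("$actual" -eq "$($s.Value)") -and ("$kind" -eq $s.Kind)
    $state  = if ($ok) { 'OK     ' } else { 'DIFF   ' }
    "$state  $($s.Path)\$($s.Name) = $actual ($kind), expected $($s.Value) ($($s.Kind))"
}
```

A DIFF line whose type differs from the expected one (for example CachedLogonsCount stored as DWord) is the case to fix first, since Windows reads that value only as REG_SZ.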

Further Questions
For further questions, contact Meetinghouse Support at: http://support.mtghouse.com
