Dear all,
I'm struggling with a problem to get single sign-on 802.1x
functionality to work on DHCP-enabled Windows XP Prof SP1/ Windows
2000 Server SP4 machines in combination with a HP Procurve 5300 switch
(latest firmware installed) and Microsoft's W2K IAS/ AD SP4 (all wired
clients and servers). Since Microsoft told us single sign-on isn't
possible with the built-in 802.1x functionality (the MD5-Challenge
process times out, after which the same domain credentials have to be
provided again), we looked at Funk's Odyssey Client v2.2 and
Meetinghouse's Aegis Client v2.1. However, so far no success! W2K
Server and XP both give the same problems. The example below is for
W2K Server.
First the Aegis client:
- First the W2K server is cross-cabled with the W2K AD server.
- I installed it using an account with administrator privileges,
selected the MD5-Challenge, and restarted the service in Client
Manager.
- The server is rebooted, I log on with the Aegis account (which is a
member of the Domain Admin group)
- I get the screen that this is the first time I log on with an
active Aegis client. I again select MD5-Challenge.
- The Client Service is started in services.msc, designated to start
automatically, and started using the aegis user account.
- I reboot the server and put it on the Procurve switch.
Now I expected to see the DHCP exchange process occur (just like
the manual tells me), as well as the domain-level group policy to be
applied to the XP machine. None of that! It's not even queued in one
way or another. If I login with the Aegis account (same as the account
name that runs the Aegis Client service), I immediately get the
correct IP address from the DHCP server. Logging on using a test
account succeeds (the Aegis client icon in the status bar is even
green!), but I receive an address from the APIPA range, which after 30
seconds or so is refreshed, after which the correct 10 range address
is issued by DHCP. Funny thing is that the first RADIUS request I see
comes from the end user, not from the service account, which I had
expected.
No matter what combination of user accounts and privileges I use (also
for the Aegis service), it doesn't work. Has anyone experienced the
same problem?
About the Odyssey client: Logging in with privileges prior to Windows
logon (using the GINA module) on a non-DHCP host works more or less
fine. That is, if I enter user credentials of a user whose password is
not stored using reversible encryption, I get an error message. (OK so
far) But if, immediately after that, I try to log on with another
account whose password IS stored using reversible encryption, I get
the window to enter my domain credentials *again*. RADIUS packets
didn't even make it to the IAS server the first time.
DHCP-enabled hosts using a machine logon and then a user logon are the
same disaster as with Aegis. The IP address is once again issued
immediately after hitting Ctrl-Alt-Del (and prior to providing user
credentials). The switch port just hangs on "Connecting", and then
"Authenticated". Again no machine GPO settings are being applied.
It's driving me nuts! I really like the idea of 802.1x; a working
design would be even nicer.
Casper.
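Added illustration (not part of Casper's post, and not code from Aegis, Odyssey, IAS or HP): a model of the MD5-Challenge exchange the post keeps running into, written to show why the accounts had to have "Store password using reversible encryption" enabled before MD5-Challenge could succeed. EAP-MD5 (RFC 3748, section 5.4) reuses the CHAP computation of RFC 1994, Response = MD5(Identifier || Secret || Challenge), so the RADIUS side must be able to recompute that MD5 over the cleartext password. The two user-store classes, the user names, the password and the fixed challenge are constructed for this example; the packet helpers follow the EAP-MD5 Type-Data layout (Type, Value-Size, Value, optional Name).

```python
"""Model of an EAP-MD5 (MD5-Challenge) round trip between a supplicant and an
authenticator, with two constructed back-end stores: one that can return the
cleartext password (AD with reversible encryption enabled) and one that keeps
only a one-way hash (the default, which makes MD5-Challenge impossible)."""
from __future__ import annotations
import hashlib
import hmac
import os

EAP_TYPE_MD5 = 4  # EAP-Type value for MD5-Challenge (RFC 3748 section 5.4)


def build_md5_challenge_request(challenge: bytes) -> bytes:
    """EAP-MD5 Type-Data for a Request: Type, Value-Size, Value (Name omitted)."""
    if not 1 <= len(challenge) <= 255:
        raise ValueError("challenge must be 1..255 bytes")
    return bytes([EAP_TYPE_MD5, len(challenge)]) + challenge


def parse_md5_type_data(type_data: bytes) -> tuple[bytes, bytes]:
    """Split EAP-MD5 Type-Data into (value, name); rejects malformed input."""
    if len(type_data) < 2 or type_data[0] != EAP_TYPE_MD5:
        raise ValueError("not EAP-MD5 Type-Data")
    size = type_data[1]
    if len(type_data) < 2 + size:
        raise ValueError("Value-Size exceeds available data")
    return type_data[2:2 + size], type_data[2 + size:]


def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP/EAP-MD5 response value: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


def build_md5_challenge_response(identifier: int, password: bytes,
                                 challenge: bytes, name: bytes) -> bytes:
    """Supplicant side: Type, Value-Size, 16-byte Value, then the user Name."""
    value = md5_challenge_value(identifier, password, challenge)
    return bytes([EAP_TYPE_MD5, len(value)]) + value + name


class ReversibleStore:
    """Constructed model of an AD account with reversible encryption enabled:
    the authenticator can recover the cleartext and recompute the MD5."""
    def __init__(self, users: dict[str, bytes]):
        self._pw = dict(users)

    def lookup_cleartext(self, name: str) -> bytes | None:
        return self._pw.get(name)


class OneWayStore:
    """Constructed model of a directory that stores only a salted one-way
    hash. Nothing here can rebuild MD5(id || password || challenge)."""
    def __init__(self, users: dict[str, bytes]):
        self._h = {n: (s := os.urandom(16), hashlib.sha256(s + pw).digest())
                   for n, pw in users.items()}

    def lookup_cleartext(self, name: str) -> bytes | None:
        return None  # cleartext is unrecoverable by design


def authenticate(store, identifier: int, challenge: bytes, response: bytes) -> str:
    """Authenticator (IAS) side; returns a verdict string."""
    value, name = parse_md5_type_data(response)
    pw = store.lookup_cleartext(name.decode("utf-8", "replace"))
    if pw is None:
        return "Failure: no reversible password"
    expected = md5_challenge_value(identifier, pw, challenge)
    return "Success" if hmac.compare_digest(expected, value) else "Failure: bad response"


def run_exchange(store, user: str, password: bytes, challenge: bytes | None = None) -> str:
    """Full MD5-Challenge round trip: Request -> Response -> verdict."""
    identifier = 1
    request = build_md5_challenge_request(challenge or os.urandom(16))
    chal, _ = parse_md5_type_data(request)
    response = build_md5_challenge_response(identifier, password, chal, user.encode())
    return authenticate(store, identifier, chal, response)


if __name__ == "__main__":
    reversible = ReversibleStore({"alice": b"s3cret"})   # constructed account
    oneway = OneWayStore({"bob": b"s3cret"})             # constructed account
    print(run_exchange(reversible, "alice", b"s3cret"))  # Success
    print(run_exchange(reversible, "alice", b"wrong"))   # Failure: bad response
    print(run_exchange(oneway, "bob", b"s3cret"))        # Failure: no reversible password
```

The third case is the error from the Odyssey paragraph: the client computes a perfectly good response, but an authenticator that only holds a one-way hash has no cleartext to feed into the same MD5 and can only reject. The comparison uses hmac.compare_digest so that the verdict does not leak timing differences about the response value.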