How to get Group Policy over wireless BEFORE logon

David Hartley

2006-06-24, 8:00 am

Hi all,
I have a problem I've been battling with for a few months now..
Ultimately, my problem is that we have 100-150 staff who have laptops with
wireless, but at the moment the laptops don't connect to the network until
the users log in. When they type their username / password in, they're
authenticated against wireless (with LEAP / PEAP) and they logon
successfully, but I need the computer policies to apply to these particular
laptops, as we use GP to push out applications and computer-based settings.
We use Intel & Cisco wireless cards, and I heard a couple of days ago in a
Cisco seminar that they have utilities that will enable clients to connect to
the wireless network (as I understand, certificate based) in order to obtain
an IP address and therefore receive the Group Policy settings that we specify.

Does anyone know how to get wireless laptops to get Group Policy when the
machines start up?

Thanks in advance,
David Hartley.

Gerry Hickman

2006-06-24, 8:00 am

Hi David,

> authenticated against wireless (with LEAP / PEAP) and they logon
> successfully, but I need the computer policies to apply to these particular
> laptops, as we use GP to push out applications and computer-based settings.


What a horrible thought; they'll try to log in and then everything will
grind to a halt while your "policies and applications" start to
instantiate in the background, and then tons of things will break and
require reboots because files will be locked by the fact they are logged in!

Out of interest, how do you patch them each month?

I'm glad I'm on a FAT Gigabit LAN and can do all this stuff at 02:00hrs
and only have to reboot them once a month on patch day thereby offering
a seamless user experience.

I did do something half way to what you're talking about with our
wireless laptops; I set the SSID to a fixed value and then changed the
auth to allow based on MAC address, this way as soon as the laptop is
connected, it's magically on the LAN regardless of whether they've
logged in, but I had to hack some files related to WLanProfiles. I use
Win2k, it's probably different on XP. I can't stand XP, and Vista is
even worse - slow, bloated and stupid.

--
Gerry Hickman (London UK)

David Woodward

2006-06-24, 8:00 am

I'm actually doing this at home on my own network, but I'm using 802.11x
(IAS/RADIUS) authentication with certificates for my wireless clients. How
are your clients authenticating with the access points?

I'm not positive it can be done with standard PEAP. Essentially what you
need is the computer to connect using its own credentials. So, you may need
to make sure the laptops' computer accounts in Active Directory have the same
access as the user accounts (group membership/group policies) so that they can
be authenticated through the wireless connection.

You might consider reading this article for more information:

http://www.microsoft.com/technet/pr...oy/ed80211.mspx

Or more specifically, this section of that article which defines methods for
forcing computer-ONLY authentication so that users are never actually
authenticating with the wireless access points. (They still log in to the
domain and get their own group policies etc. They just never initiate the
wireless connection.)

http://www.microsoft.com/technet/pr...0211.mspx#EEVAG

I hope this helps.

"David Hartley" wrote:

> Hi all,
> I have a problem I've been battling with for a few months now..
> Ultimately, my problem is that we have 100-150 staff who have laptops with
> wireless, but at the moment the laptops don't connect to the network until
> the users log in. When they type their username / password in, they're
> authenticated against wireless (with LEAP / PEAP) and they logon
> successfully, but I need the computer policies to apply to these particular
> laptops, as we use GP to push out applications and computer-based settings.
> We use Intel & Cisco wireless cards, and I heard a couple of days ago in a
> Cisco seminar that they have utilities that will enable clients to connect to
> the wireless network (as I understand, certificate based) in order to obtain
> an IP address and therefore receive the Group Policy settings that we specify.
>
> Does anyone know how to get wireless laptops to get Group Policy when the
> machines start up?
>
> Thanks in advance,
> David Hartley.
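
The computer-versus-user authentication setting discussed in the reply above can be checked on a client by reading its WLAN profile. This is an added example, not code from the thread or the linked article. It assumes a Windows version that stores WLAN profiles as XML and can export them with `netsh wlan export profile` (Vista and later, not the Win2k/XP clients discussed here); the SSID and both sample profiles are constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces used by exported Windows WLAN profiles (Vista and later).
NS = {
    "w": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "x": "http://www.microsoft.com/networking/OneX/v1",
    "c": "http://www.microsoft.com/provisioning/EapCommon",
}
EAP_NAMES = {"13": "EAP-TLS", "25": "PEAP"}


def audit_profile(xml_text):
    """Report who authenticates to the WLAN: the computer, the user, or both."""
    root = ET.fromstring(xml_text)
    sec = root.find("w:MSM/w:security", NS)
    use_1x = mode = None
    if sec is not None:
        use_1x = sec.findtext("w:authEncryption/w:useOneX", "false", NS).strip() == "true"
        mode = sec.findtext("x:OneX/x:authMode", None, NS)
    eap = root.findtext(".//c:Type", None, NS)
    return {
        "ssid": root.findtext("w:SSIDConfig/w:SSID/w:name", "", NS),
        "uses_8021x": bool(use_1x),
        "auth_mode": mode,
        "eap": EAP_NAMES.get(eap, eap),
        # Computer credentials are offered, so the link can come up before logon.
        "machine_auth_enabled": bool(use_1x) and mode in ("machine", "machineOrUser"),
        # Computer-only: the user's credentials are never sent to the access point.
        "computer_only": bool(use_1x) and mode == "machine",
    }


def sample_profile(auth_mode, eap_type):
    """Constructed sample in the exported-profile layout; not from a real network."""
    return f"""<WLANProfile xmlns="{NS['w']}">
  <name>CORP-WLAN</name>
  <SSIDConfig><SSID><name>CORP-WLAN</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication>
      <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="{NS['x']}"><authMode>{auth_mode}</authMode>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="{NS['c']}">{eap_type}</Type></EapMethod>
      </EapHostConfig></EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""


if __name__ == "__main__":
    for mode, eap in (("user", "25"), ("machine", "13")):
        print(audit_profile(sample_profile(mode, eap)))
```

A profile reporting `machine_auth_enabled: False` matches the situation in the original question, where the laptop joins the network only after the user types credentials.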
