Win 7 client with machine and user auth stuck in 802.1x_REQD

Hi everybody
we have a WLC 5508 with 7.2.110.0 and an ACS 5.3 and do the following:
- Win 7 client gets a GPO object with the wlan configuration for "Machine and User authentication" with PEAP
- On ACS 5.3 I configured correctly the authentication and authorization for first machine authentication and then user authentication ("Was machine authenticated = true)
- First when machine authentication happens, the client is configured into a quarantine VLAN, where it is only allowed to communicate with the domain controllers
- When the user authenication happens, the client is moved into the productive client vlan with no restrictions.
Everything works fine, except that after the user loggs in, it takes about 3 minutes until the client answers the EAP Identity Request and loggs in, see attached screenshot or the screenshot below:
In the client status on WLC i can see that the client is stuck in the 802.1x_REQD state for these 3 minutes, until suddenly it authenticates (but then very often, about 5 times - see screenshot).
We tried the following to find the problem spot. but we were not able to locate the problem:
- Configure the machine and user authentication into the same vlan all the time
- ONLY user authentication on the client
- Played with the Win 7 settings (timers, and so on)
- When we manually configured the WLAN profile on the Win 7 client and saved it, the Win 7 client connected to the SSID without any problems and without any delay (about 5 seconds after the save)
Did someone ever had the same issue?
Thanks a lot and best regards
Dominic

Hi Amjad
very good point on this, thanks a lot. In this case, I did not even think about the client firmware side, thought that I should be the WLC or the client settings, but not the driver. We will give a shot on this next week, maybe this will help us to solve the problem.
It is normal to have the clietn in 802.1x_REQD if it is not yet authenticated and that is the expected state to be at in your situation untlil the client fully authenticates.
Absolutely correct that the client is associated and in the 802.1x_REQD state as long as the authenticator did not get the EAP identity Response, but that the client takes such a long time to answer is not normal ;-)
- What is the supplicant that is used on the windows machines? default WLAN supplicant? or you use some commercial supplicants?
WZC.
- what is the result when testing with user auth only?
The same, it takes such a long time.
- what ist he result when testing with machine auth only?
Machine authentication works as expected, fast and as soon as the client is booted, the client gets authenticated.
Regards and have a nice weekend
Dominic

Similar Messages

  • 802.1x with machine and user auth

    Q: What happens if a user passes machine authentication but fails user authentication when performing 802.1x?
    A: In AOS dot1x profile, we have an option to enforce machine authentication.
    When enabled, we can be in more control of the devices that have passed/failed machine/user authentication.
    Once a user has passed machine authentication, by default the client will fall under the role configured in "Machine Authentication: Default Machine Role" under dot1x profile.  
    Below is an example which shows the client has passed only machine authentication but user authentication is not yet initiated. 
    (Aruba3400) #show user-table
    Users
        IP             MAC            Name     Role      Age(d:h:m)  Auth        VPN link  AP name            Roaming   Essid/Bssid/Phy               Profile  Forward mode  Type  Host Name
    10.17.169.92  3c:a9:f4:7f:84:54  test      guest     00:00:00    8021x-Machine            18:64:72:c6:d7:28  Wireless  akhil/18:64:72:ed:72:80/g-HT  akhil    tunnel  
    There are scenarios where the clients will pass machine authentication, but for some reason will fail user authentication. In this scenario, clients will not be present in the user-table of the controller anymore. 
    When a client fails user authentication irrespective of passing/failing machine authentication, controller will send a deauth to the client and remove the entry from the user-table.

    Hi Amjad
    very good point on this, thanks a lot. In this case, I did not even think about the client firmware side, thought that I should be the WLC or the client settings, but not the driver. We will give a shot on this next week, maybe this will help us to solve the problem.
    It is normal to have the clietn in 802.1x_REQD if it is not yet authenticated and that is the expected state to be at in your situation untlil the client fully authenticates.
    Absolutely correct that the client is associated and in the 802.1x_REQD state as long as the authenticator did not get the EAP identity Response, but that the client takes such a long time to answer is not normal ;-)
    - What is the supplicant that is used on the windows machines? default WLAN supplicant? or you use some commercial supplicants?
    WZC.
    - what is the result when testing with user auth only?
    The same, it takes such a long time.
    - what ist he result when testing with machine auth only?
    Machine authentication works as expected, fast and as soon as the client is booted, the client gets authenticated.
    Regards and have a nice weekend
    Dominic

  • RDP with 802.1x, machine and user auth and dynamic VLAN

    Hi,
    we have 802.1x implemented with machine and user auth. We also use dynamic VLAN assignment. Our client is AnyConnect 3.1. Operating system is Windows 7. With Windows XP, it works just fine.
    When we try to connect to the 802.1x auth desktop with RDP (desktop is machine authenticated, no user is logged in), we are able to authenticate but as soon as VLAN and IP address changes according to user authentication profile, RDP session is terminated. It is not just disconnected but remote user is logged out and AnyConnect reverts 802.1x session back to machine VLAN. We cannot login with RDP and just loop between machine-user-machine authentication.
    With this behavior the TermDD message (ID 56) can be seen in system log. Following the response 
    http://social.technet.microsoft.com/Forums/windows/en-US/b7814ec3-6a49-469c-8773-909c50415942/the-rdp-protocol-component-x224-detected-an-error-in-the-protocol-stream-and-has-disconnected-the
    , I was able to get rid of TermDD message but I still loop in machine-user-machine authentication.
    The following is TermDD message:
    +
    System
    Provider
    [  Name]
    TermDD
    EventID
    56
    [  Qualifiers]
    49162
    Level
    2
    Task
    0
    Keywords
    0x80000000000000
    TimeCreated
    [  SystemTime]
    2013-06-10T09:25:28.515308700Z
    EventRecordID
    26643
    Channel
    System
    Computer
    XTCSSPWA03.cen.csint.cz
    Security
    EventData
    \Device\Termdd
    10.190.64.208
    0000040002002C000000000038000AC00000000038000AC000000000000000000000000000000000410200D0
    Binary data:
    In Words
    0000: 00040000 002C0002 00000000 C00A0038 
    0008: 00000000 C00A0038 00000000 00000000
    0010: 00000000 00000000  D0000241
    In Bytes
    0000: 00 00 04 00 02 00 2C 00    ......,.
    0008: 00 00 00 00 38 00 0A C0   ....8..À
    0010: 00 00 00 00 38 00  0A C0   ....8..À
    0018: 00 00 00 00 00 00 00 00   ........
    0020: 00 00 00  00 00 00 00 00   ........
    0028: 41 02 00 D0               A..Ð
    Also AnyConnect shows that upon successful authentication and DHCP operation, it catches some exception and reverts back from user to machine VLAN:
    3876: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-6-INFO_MSG: %[tid=1436][mac=1,6,d4:85:64:b8:43:61]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: Authentication Success
    3877: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} canceling existing DHCP work
    3878: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ipv4: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} stop
    3879: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_ECHO, ifIndex(1), pData(0x0103FA38), dataLen(0) (cimdIo.cpp 2156)
    3880: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
    3881: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} creating a new DHCP work
    3882: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: CancelCmd [state: COMPLETE]
    3883: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-6-INFO_MSG: %[tid=1436][mac=1,6,d4:85:64:b8:43:61]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: DHCP: Sending DHCP request
    3884: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: queueing DHCP work
    3885: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ipv4: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} start
    3886: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_ECHO, ifIndex(1), pData(0x0103FA3C), dataLen(2) (cimdIo.cpp 2156)
    3887: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3)  data follows ... (cimdIo.cpp 2159)
    3888: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3)      08 06                                                .. (cimdIo.cpp 2159)
    3889: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
    3890: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3)  pEthTypes data follows ... (cimdIo.cpp 2273)
    3891: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3)      06 08                                                .. (cimdIo.cpp 2273)
    3892: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connect {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} starting
    3893: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: StartCmd [state: COMPLETE]
    3894: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) S_ndisIoControl: returning cached xmitLinkSpeed: 100000000 bps (cimdIo.cpp 3558)
    3895: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) NDIS OID: ifIndex=1 GET OID_GEN_LINK_SPEED(0x10107) datalen=4, cbRW=4 cbNeeded=0 acErr=0 winErr=0 (cimdIo.cpp 3686)
    3898: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: AccessStateMachine current state = ACCESS_CONNECTED, received adapterState = authenticated
    3899: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: port authentication succeeded
    3900: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: AccessStateMachine new state = ACCESS_CONNECTED
    3901: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Cancel event [state: COMPLETE]
    3902: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: state: COMPLETE -> INIT
    3903: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Get-Connectivity event [state: INIT]
    3904: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: state: INIT -> WAIT_FOR_CONNECTIVITY
    3905: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 Connectivity Result: IN_PROGRESS
    3906: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: GetConnectiviyCmd [state: WAIT_FOR_CONNECTIVITY]
    3907: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connectivity Result: FAILURE
    3908: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Check-Connectivity event [state: WAIT_FOR_CONNECTIVITY]
    3909: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: (initial) ipCfg: IP:10.190.95.74(255.255.255.248) GW:10.190.64.1
    3910: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: TestConnectivityCmd [state: WAIT_FOR_CONNECTIVITY]
    3911: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: API (3) event: complete (portWorkList.c 130)
    80: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAMSSO-7-DEBUG_MSG: %[tid=1524]: Tx CP Msg: <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ssc="http://www.cisco.com/ssc" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body>  <networkStateEvent>   <sequenceNumber>19</sequenceNumber>   <groupName>Local networks</groupName>   <networkName>CS-wired-pass</networkName>   <networkState>AcquiringIpAddress</networkState>   <adapterName>Broadcom NetXtreme Gigabit Ethernet</adapterName>   <serverVerifiedName>ise-2.csint.cz</serverVerifiedName>  </networkStateEvent> </SOAP-ENV:Body></SOAP-ENV:Envelope>
    3912: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: PORT (3) port: ARP_REQ (portMsg.c 731)
    3913: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_SEND, ifIndex(1), pData(0x024EEB40), dataLen(64) (cimdIo.cpp 2156)
    3914: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3)  data follows ... (cimdIo.cpp 2159)
    3915: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3)      00 00 00 00 FF FF FF FF  FF FF D4 85 64 B8 43 61     ........ ....d.Ca      08 06 00 01 08 00 06 04  00 01 D4 85 64 B8 43 61     ........ ....d.Ca      0A BE 5F 4A 00 00 00 00  00 00 0A BE 40 01 00 00     .._J.... ....@...      00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00     ........ ........ (cimdIo.cpp 2159)
    3941: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
    3942: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 Connectivity Result: SUCCESS
    3943: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connectivity Result: FAILURE
    3944: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ACE: adapter SM current: state(STATE_AUTHENTICATED), event(EVENT_IP_CONNECTIVITY)
    3945: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ACE: adapter SM state change: STATE_AUTHENTICATED -> STATE_CONNECTED
    3946: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: handleEventAndDoStateTransitionAction action : ACTION_IP_CONNECTIVITY
    3947: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) S_ndisIoControl: returning cached xmitLinkSpeed: 100000000 bps (cimdIo.cpp 3558)
    3948: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) NDIS OID: ifIndex=1 GET OID_GEN_LINK_SPEED(0x10107) datalen=4, cbRW=4 cbNeeded=0 acErr=0 winErr=0 (cimdIo.cpp 3686)
    1: XTCSSPWA03: 6 10 2013 11:24:54.007 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {25CBB996-92ED-457E-B28C-4774084BD562} LogLevel=0xF
    2: XTCSSPWA03: 6 10 2013 11:24:54.007 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
    3: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({25CBB996-92ED-457E-B28C-4774084BD562}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
    4: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000001FC050) instantiated for CLSID:{25CBB996-92ED-457E-B28C-4774084BD562}
    5: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {3DD6BEC0-8193-4FFE-AE25-E08E39EA4063} LogLevel=0xF
    6: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
    7: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({3DD6BEC0-8193-4FFE-AE25-E08E39EA4063}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
    8: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000001FC850) instantiated for CLSID:{3DD6BEC0-8193-4FFE-AE25-E08E39EA4063}
    9: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {503739D0-4C5E-4CFD-B3BA-D881334F0DF2} LogLevel=0xF
    10: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\System32\VaultCredProvider.dll.
    11: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({503739D0-4C5E-4CFD-B3BA-D881334F0DF2}): Attempting to load Dir=C:\windows\System32, FileName=VaultCredProvider.dll
    12: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003A30B0) instantiated for CLSID:{503739D0-4C5E-4CFD-B3BA-D881334F0DF2}
    13: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {6F45DC1E-5384-457A-BC13-2CD81B0D28ED} LogLevel=0xF
    14: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
    15: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({6F45DC1E-5384-457A-BC13-2CD81B0D28ED}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
    16: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003AF710) instantiated for CLSID:{6F45DC1E-5384-457A-BC13-2CD81B0D28ED}
    17: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {8BF9A910-A8FF-457F-999F-A5CA10B4A885} LogLevel=0xF
    18: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved SmartcardCredentialProvider.dll.
    19: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({8BF9A910-A8FF-457F-999F-A5CA10B4A885}): Attempting to load Dir=, FileName=SmartcardCredentialProvider.dll
    20: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003B7D70) instantiated for CLSID:{8BF9A910-A8FF-457F-999F-A5CA10B4A885}
    21: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {94596C7E-3744-41CE-893E-BBF09122F76A} LogLevel=0xF
    22: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved SmartcardCredentialProvider.dll.
    23: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({94596C7E-3744-41CE-893E-BBF09122F76A}): Attempting to load Dir=, FileName=SmartcardCredentialProvider.dll
    24: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003C03D0) instantiated for CLSID:{94596C7E-3744-41CE-893E-BBF09122F76A}
    25: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {AC3AC249-E820-4343-A65B-377AC634DC09} LogLevel=0xF
    26: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\System32\BioCredProv.dll.
    27: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({AC3AC249-E820-4343-A65B-377AC634DC09}): Attempting to load Dir=C:\windows\System32, FileName=BioCredProv.dll
    28: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003CABC0) instantiated for CLSID:{AC3AC249-E820-4343-A65B-377AC634DC09}
    29: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {B12744B8-5BB7-463A-B85E-BB7627E73002} LogLevel=0xF
    30: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CClassFactory(00000000001FFF00)  CreateInstance calling CoCreateInstance on MS password cred prov
    31: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {6F45DC1E-5384-457A-BC13-2CD81B0D28ED} LogLevel=0xF
    32: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
    33: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({6F45DC1E-5384-457A-BC13-2CD81B0D28ED}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
    34: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003D3220) instantiated for CLSID:{6F45DC1E-5384-457A-BC13-2CD81B0D28ED}
    35: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003DB880) instantiated for CLSID:{B12744B8-5BB7-463A-B85E-BB7627E73002}
    36: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435} LogLevel=0xF
    37: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\certCredProvider.dll.
    38: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435}): Attempting to load Dir=C:\windows\system32, FileName=certCredProvider.dll
    39: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003E3EE0) instantiated for CLSID:{E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435}
    3963: XTCSSPWA03: 6 10 2013 11:24:59.247 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\os\win\osAsync_win.c:233: => SL_STATUS_NO_CONNECTION
    3964: XTCSSPWA03: 6 10 2013 11:24:59.247 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\win\ipcPipeBase_win.c:102: => SL_STATUS_NO_CONNECTION
    3965: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\win\ipcPipeBase_win.c:194: => SL_STATUS_NO_CONNECTION
    3966: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\ipcFuncs.c:105: => SL_STATUS_NO_CONNECTION
    3967: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: CAUGHT: NoConnectionException
    3968: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: CoreLib:TRACE: context=acnam, thread join, ThreadImpl.cpp:58, m00585050, err=0(OS_OK), thread_id=2460
    3969: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: CoreLib:TRACE: context=acnam, thread join, ThreadImpl.cpp:58, m00585838, err=0(OS_OK), thread_id=3692
    89: XTCSSPWA03: 6 10 2013 11:25:06.367 -0100: %NAMSSO-7-DEBUG_MSG: %[tid=1228]: ServiceControlHandlerEx:WTS_SESSION_LOGOFF, Session ID: 1
    If we do not change VLAN from machine to user, it works just fine.
    Have anybody seen this problem? Have anybody fixed it?
    Thanx, Martin

    Hi,
    unfortunately not.
    I have gone through extensive troubleshooting from Microsoft and Cisco sides twice and the result is:
    1) AnyConnect performs EAPol logoff when it detects RDP session termination. So it goes from user to machine authentication
    2) Windows 7 performs RDP session termination when IP address changes due to the change of VLAN (from machine VLAN to user VLAN)
    Cisco claims that AnyConnect behavior is correct and Microsoft claims that they do not want to change this behavior (reset of RDP session).
    I can imagine that Cisco can detect whether RDP session was terminated due to the IP address change or not and do not revert back to machine authentication in such a case.
    In fact there was nobody at Cisco that was willing to listen to me or accept this like something that needs a fix. The only thing you can do is to enable "Extend connection beyond logoff". AnyConnect does not send EAPol logoff if it detects RDP session termination and you can establish another RDP session which does not fail and you stay connected with RDP.
    Martin

  • 802.1x Machine and User Auth Vlan assignments

    I have machine and user auth working between Win2K PC and ACS 3.3 but not sure how to best use the Vlan assignment feature. I use Vlans for different departments and if I assign a vlan in ACS to a machine when it authenticates but the user is assigned to a different Vlan, I don't get a renewed IP.
    Here is how it's working now:
    1. Machine authenticates to ACS and assigned to a Vlan
    2. User logs in and if they are assigned to the same Vlan as the machine, works fine. If assigned to another vlan, the switchport does get changed but the PC still has an IP from the initial Vlan it was assigned to. Releasing and renewing doesn't work but I really don't expect it to.
    So, I figure the solution to this is just not set a per user vlan and only set it per machine. But, the group mapping in ACS looked like a great way to assign Vlans based on a user's Active Directory group but it doesn't appear to recognize the different computer OU's we have. So I can assign vlan's based on user groups but not computer groups. As machines are added to ACS, I could change them to an ACS group with the Vlan set but this would be a lot more work than an automated method like unknown user policy.
    So, how are others assigning machines to vlans in large multi-vlan networks using ACS and 802.1x?

    By default users and computers belong to different global groups. "Domain Users" vs. "Domain Cmpouters" for example.
    As for your example, it seems like you have a misbehaving supplicant, and authentication is attempting and then timing out and starting over .. that never actually gets to fail, so the auth-fail stuff won't help.
    Note: A good way to troubleshoot this is to notice it in action via show command:
    Here's an example of what you should see on a switch port.
    AuthSM State = State of the 802.1X Authenticator PAE state machine
    VALUES:
    AUTHENTICATED -- Auth Succeeded
    AUTHENTICATING -- Auth is attempting
    CONNECTING -- Dot1x is up and configured and trying to locate a supplicant.
    HELD -- Auth probably failed.
    BendSM State = State of the 802.1X back-end authentication state machine
    VALUES:
    IDLE -- Nothing is happening.
    REQUEST -- Switch sent some EAP data to AAA, and is waiting to get something back.
    RESPONSE -- AAA sent the switch back some data, and the switch in turn asked the supplicant for more data.
    NOTE: You should rarely see the RESPONSE state above. If you see it for more than a second or so i nthe middle of an auth attempt, that's a smoking gun that you might have a mis-behaving supplicant, b/c it shouldn't take that long to send an EAPOL frame. The switch will eventually time out, and start auth over.
    Hope this helps,

  • Cisco WLC + ACS + AD for Machine AND User auth...

    So I am trying to implement an SSID that requires a machine to be a domain member, AND require the user to provide username/password credentials before being allowed on that SSID.
    I am reading that it is possible, but can't find a clear config on how it is supposed to be setup... read about Machine Access Restrictions as being part of the config.
    Any help here?
    WLC 7.6 and ACS 5.5
    -g

    We are testing ISE with EAP chaining. It allows you to validate the company device (laptop) is joined to the domain and then the user credentials. However this requires EAP-FAST and the Cisco Anyconnect client. There is a group set up to look at EAP-TEAP. This will allow for standardize "chaining"
    http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01#page-5

  • EAP-TLS machine and user cert or both

    If I use machine and user certificates does that mean the machine get's an IP address, authenticates, the user then logs on which causes another DHCP renew and user authentication?  Is it better to use machine and user or just machine?

    It depends on your needs and applications, the advantage of also using machine authentication is that the machine connects, authenticates and is on the wireless network irrelevant of whether a user has logged in, which means you can remote access or monitor the machine at that point. I know alot of facilities that do it that way because they manage the machines with things like SMS, etc..   Without machine authentication the computer won't attach to the wireless until a user physically logs into the machine at which point it pass authentication.
    personally I like the machine authentication that way you can push updates and other things to the machines without having to either send a person to the machine to login or waiting for a user to login so that you can access the machine, it just needs to be on.
    in short machine authentication replicates being hardwired to the network.
    Hope this helps...  please rate useful posts.
    Thanks,
    Kayle

  • Impossible to set up a TC with admin and users privileges

    Hi,
    Sorry for my english first. I'm not an english speaker...
    That's one week I'm playing with my Tc to try to set it up with admin and users privileges and and doesn't succeed to find a good way to do it....
    What I want to do: set up my Tc so that I'm an admin and can do whatever I want in the folders of each user. I want the user to have access to one folder with their name. Let's say I would like to user my TC like a usual network drive or NAS.
    What I discover: if I enable file sharing with accounts on my TC and define two users user1 and user2 with Read write privileges, user1 can see a folder user1 and put whatever he wants in it and there's a share folder for user1 and user2. BUT I cannot be admin on the TC when account filesharing is on. It means I cannot put anything in user1 folder beacuse I don't see user1 folder. It is just like if you have user accounts on TC you can just change the privileges but not defined an administrator. I'm able to see user1 folder for instance solely changing the filesharing back to secure shared disks "with time capsule password". If i do so I can see all the folders on the TC.
    But it's very annoying because it means that each time I want to put a file inside the folder of one of my user, I have to restart my TC "with time capsule password", put the file, set it up back to user account and restart again the TC.... Not really practical!
    Anyone got an idea how to use the Tc with user accounts (one admin and others users...)

    I forgot to mention that I tried also another method: giving guest access to TC to my two users but there are several problems here: first they can only read (if not they would have the same privileges as me) what means they can put any document in the TC. Second, they see all the folders on the TC and the idea is that they can only see the shared one....

  • My iPhone 5 cant sync with itunes and its always stuck at the backup phase

    My iPhone 5 cant sync with itunes and its always stuck at backing up phase. I tried to update my ios(mine is 7.1.2) and it states that the iphone update server could not be contacted. make sure your network settings are correct and your network connection is active. Likewise when I try to update my iTunes through the help column(check for updates), it also says the same thing as when I try to update my ios on iTunes. Please help!

    Read here:
    http://support.apple.com/kb/TS1538

  • Flash Player 11.6.602.180 installed on Win 7 with IE and can never play videos from

    Hi, I installed Flash Player 11.6.602.180 installed on Win 7 with IE and can never play videos from this site http://w3.newsmax.com/newsletters/uwr/video_hyman.cfm?s=al&promo_code=12CF6-1
    any idea what this site is looking for ? thanks bill m

    What do you see instead of the expected Flash content?

  • User auth fails using 802.1x (EAP-TLS)

    I'm currently testing 802.1x machine and user authentication using EAP-TLS. Right now I'm testing them separately, and machine auth works great, but user auth doesn't.
    Here's what I'm using:
    Smart Cards ->
    Built-in Microsoft XP supplicant ->
    Catalyst 4006 Switch ->
    Cisco Secure ACS 3.3 ->
    Microsoft Active Directory
    After I log in using the smart card, an EAPOL message from the computer is sent to the switch, and the switch replies asking for the computer to identify itself, but the computer does nothing. The switch continues asking and finally gives up because of no response. The ACS server logs no traffic from the supplicant.
    Is this a supplicant issue? Using PEAP MSCHAPv2 with secured passwords works fine, but not with certificates.

    I found my answer. The problem was with the Microsoft supplicant. It wasn't prompting me to type in the PIN to unlock the smart card, so it couldn't read the certificate and thus the EAP process was timing out.
    In order for the Windows supplicant to prompt the user for the smart card PIN, the "Show icon in notification area when connected" checkbox in the Local Area Connection properties windows must be checked. They may want to think about renaming that box... :-)

  • Identifying connection/datasource by application name, machine and user

    Hi,
    I am implementing a Java app to gather few connection related statistics. As part of this, in the JDBC layer, I want to identify the connection by app name, os/app user and client's machine name. I searched for all the ways an oracle app would set these attributes. I have some queries around them, will be grateful if somone can respond and clarify them. Here are my findings/observations
    *1. DataSource.setConnectionProperties() with v$session param and values for program, osuser, machine*
    It appears setting the v$session.program, v$session.osuser and v$session.machine on datasource is a preferred way to set the client information for v10.2 and higher. Is my assumption that this is the predominant/preferred way oracle apps would set the client information valid ?
         Properties props = new Properties();
         props.put("v$session.program", "OracleApp");
         props.put("v$session.osuser", "human");
         props.put("v$session.machine", "dale");
         ds.setConnectionProperties(props);*2. OracleConnection.setClientData() with key-value*
    There is a method setClientData but available only with OracleConnection as class referrence (needs cast). It seems to be a deprecated in 10g. Does anyone know why is this deprecated and replaced by what ? Hope it is not deprecated due to JDBC 4.0 spec, which is not supported by Oracle
         OracleConnection conn_ = (OracleConnection) con;
         conn_.setClientData("ApplicationName", "OracleApp");
         conn_.setClientData("ClientHostname", "dale");
         conn_.setClientData("ClientUser", "human");*3. Connection.setClientInfo() with ApplicationName, ClientHostname, ClientUser*
    Apparently, JDBC 4.0 has exposed api-s to set/get clientInfo values that I am looking for. But surprisingly, oracle doesn't seem to have correctly implemented these methods. I get SQLClientInfoException for the above values and when I do DatabaseMetaData.getClientInfoProperties I get empty Properties object. Does this indicate 0 keys are supported ? Or is there any special setting/configuration I have to executed to allow setting of keys?
         ResultSet clientInfoProperties = con.getMetaData().getClientInfoProperties();
         while (clientInfoProperties.next()) { // next() returns false
              System.out.println(clientInfoProperties.getString(1));
         Properties properties = new Properties();
         properties.put("ApplicationName", "OracleApp");
         properties.put("ClientHostname", "dale");
         properties.put("ClientUser", "human");
         con.setClientInfo(properties);
         // throws java.sql.SQLClientInfoException and e.getFailedProperties() returns
         // {ClientUser=REASON_UNKNOWN, ApplicationName=REASON_UNKNOWN, ClientHostname=REASON_UNKNOWN}
         // and e.getMessage() returns Invalid or unsupported name for clientInfo.*4. Other ways to set/get client info using connection or datasource ?*
    Apart from the above, are there other ways to set/get client info on connection or datasource objects ? how do oracle apps in general handle this kind of need.
    If someone has some insight on my queries, will appreciate if you can spare some time replying to this thread.
    Thanks
    Rajesh

    bumping it up. Can anyone help ?
    -Rajesh

  • MBAM 2.5 - Connection between Machines and Users in DB Error

    Hey everyone.
    I'm having a bit of trouble deploying MBAM 2.5.
    I had a previous installation of MBAM 2.0. The 2.5 installation went smooth, the GPOs are deployed and everything is working well. Except for one thing. I can't rescue TPM passwords or use Drive Recovery if I complete the User Domain and User fields in the
    forms.
    After consulting the database I can see that both ComplianceCore.Machines_Users and RecoveryandHardwareCore.Machines_Users is not updating, thus not associating users with the respective computers. All else is working great, all tables are being refreshed
    with Machines, Volumes and Users. Only thing not working is the association of Users with Machines.
    Is this a known bug or could there be something wrong in my configuration?
    Thanks in advance,
    Miguel Duarte

    That can be the issue as well, see this: http://technet.microsoft.com/en-us/library/dn645378.aspx It reads the following:
    The enterprise domain must contain at least one Windows Server 2008 (or later) domain controller.
    If it is possible, can you share your inetpub folder with me? it should be on the IIS server, a root directory of the IIS server. 
    thanks!
    Mayank Sharma Support Engineer at Microsoft working in Enterprise Platform Support.

  • AP350 with LEAP and MAC-Auth

    Hi,
    is there any solution for this?
    I'd like to do LEAP and MAC-Auth with Microsoft IAS-Server instead of Cisco ACS.
    With ACS everything works fine but i have to buy the licences. For IAS i already have them but always 'EAP authentication method is unrecognized'.
    The clients all use W2K Prof.- no XP anywhere, so i can't go to EAP-TLS.
    thanks in advance
    Thomas / Networking admin

    Sorry, but LEAP is today only available on :
    Cisco Secure ACS
    Cisco Access Registrar
    Funk Software Radius
    Interlink Radius

  • Is it possible to do machine and user authentication in same Authorization profile?

    Hi,
    I want to know is it possible to do machine authenticaiton and user authentication happen at the same time? Some thing like this...
    Condition
    IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND    AD:exteranalgroup EQUAL Some_domain_user_group )
    Permissions
    then Vlan x
    Basically i am trying to check a machine is part of domain and user is valid only then he should be able to have full access.
    Any help will be of great value.

    Hi,
    IF ( wired_802.1x and AD:externalgroup EQUAL dommain computer AND    AD:exteranalgroup EQUAL Some_domain_user_group )
    - Not possible
    As user and machine authentication occur at different contexts.
    ACS cannot verify the both at the same time.
    Using MAR, you can, though club the both together and achieve:
    "machine is part of domain and user is valid only then he should be able to have full access"
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978
    Tips for configuring MAR:
    1) Set the client to perform user or computer authentication.
    2) Create two rules in authorization, one for user and and one for machine (identity them by using group membership on AD).
    3) Enable MAR under the AD configuration page on ACS and set the aging time.
    4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.
    Rate if useful

  • DNS Registration for clients with WLAN and LAN adapters

    I have read a number of articles and it seems that there are a number of people who have problems with DNS and workstations with both WLAN and LAN adapters. I haven't however found workable solutions.
    Workstation Connection Objective:
    To enable DNS discovery and Ip connection to client workstations regardless of whether the client is using the WLAN or LAN. Enabling users to use either Wireless or LAN adapter adhoc. ie they dock their laptops at their desks, and undock to take their laptops
    to meetings or consulations with peers. I need to be able to discover and connect to the workstations irrespective of the adapter being used at any time.
    Most people seem to try to control which interface is used on the workstations, ie disable WLAN and only use LAN etc. Trying to disable interfaces isn't going to be feasible and its very inflexible.
    I believe I can ensure that the workstations use the NICs in our preferred order:
    1. LAN
    2. WLAN - Our wireless network isn't as fast as the LAN.
    By setting specific DHCP metric for the WLAN Router to be higher(ie 2) than the LAN(1). When the LAN isn't connected traffic will route via the WLAN adapter and when the LAN adapter is connected, its router metric will be lower and it will be the preferred
    gateway/route.
    But how do I solve the DNS resolution for connection to that asset?
    If I disable DHCP Server updates into DNS and allow secure updates from the client. It would be really good if DNS client behaved in the following manner
    1. The LAN adapter(referred to as primary ie LAN) with the lowest metric(ie 1) registers/auto updates DNS with the ip(both A and PTR). Any other Adapters don't register. - ie the WLAN
    2. The Laptop is undocked and the LAN adapter goes offline, the DNS Client then triggers a registration/auto updates its existing DNS entry with the ip from the next adapter(WLAN) with the next lowest gateway metric(2)...hence replacing the first ip registered.
    3. The laptop is docked again, and DNS Client triggers a registration/auto updates its existing DNS entry with the IP from the primary adapter(LAN), replacing the WLAN ip.
    So there is only ever 1 ipaddress registered for a workstation and it will always be a valid address. Then I don't need to be concerned about whether the user has the wireless turned on and docked.
    Being able to discover and communicate with all our workstations in our sites is crucial requirement....
    This microsoft article says, http://technet.microsoft.com/en-gb/library/cc771255.aspx
    Dynamic updates can be sent for any of the following reasons or events:
        * An IP address is added, removed, or modified in the TCP/IP properties configuration for any one of the installed network connections.
        * An IP address lease changes or renews with the DHCP server any one of the installed network connections. For example, when the computer is started or if the ipconfig /renew command is used.
        * The ipconfig /registerdns command is used to manually force a refresh of the client name registration in DNS.
        * At startup time, when the computer is turned on.
        * A member server is promoted to a domain controller.
    However from what I am reading, both adapters(LAN,WLAN), if configured to update DNS, will register their Ip addresses. Which leads to an invalid DNS entry if the laptop is undocked, as the IP for LAN adapter isn't removed.
    Has anyone solved this problem for their organizations without
    1. Controlling which adapter is used - large management overhead
    2. Only allowing one adapter to register with DNS
        - If using LAN adapter for DNS, then anytime the user is using WLAN, their workstation doesn't have a valid DNS entry. Which also impacts Kerberos.
        - If using the WLAN, then we would have to invest a large amount of money into Wireless to provide the necessary bandwidth
    3. Setting GPO's to configure dns updates every 30mins on clients
        - Inconsistent results...which I think is sometimes a worse problem
    4. Defining separate DNS suffixes for their WLAN networks (I read some people did this)
        - This doesn't remove an invalid DNS entry ie the ip(LAN adapter) DNS entry if the laptop is undocked
        - It also creates problems with kerberos, if the host is registered under a separate DNS suffix from the Active Directory domain name

    Hi,
    From my point of view, DNS can't be so smart.
    As a workaround, please try the steps below,
    Disable the DNS register of wireless adapter
    Put "ipconfig /regiserdns" in a bat file
    Everytime when the wired network is undocked, run the bat file.
    If the wired network is docked, wired adapter will register the DNS record.
    When the wired network is undocked, run the bat file, then the wireless adapter will register the DNS record.
    If the wired network is docked again, wired adapter will register the DNS record automatically.
    Best Regards.
    Steven Lee
    TechNet Community Support

Maybe you are looking for

  • My phone wont let me txt :(

    my phone wont let me txt anymore everytime i try and txt it comes back saying  requested facility not implemented

  • Problem with socket gateway

    I am trying to use the socket gateway to watch a port 1010 for all incoming data. When data comes in I want to log it. Well to get started I just used a simple example from the docs to see if I could get it to work. But when I try to start the gatewa

  • HP C5280 all-in-one printer will not print yellow

    I tried cartridge replacement.  Update driver, and clean head. Nothing works. I had this printer in a box for three years without using. Now It will not print yellow or green.

  • 2.6.28-4 Kernel?

    I've tried googling to see if there's already a topic for this, but when're we going to see this kernel in the [testing] repo?  The bastards in the ubuntu camp are already using it and it fixes (thanks to Linus himself) the suspend issues that have b

  • "Create quotation for order" is not allowed (ORD 80000119 )

    Hi, After creation of service order I want to create quotation then  system gives error massage as below, "Create quotation for order" is not allowed (ORD 80000119 ) Message no. BS002 Diagnosis The transaction 'Create quotation for order' is not allo