Credential Roaming with Windows 7 wireless
- All,
We have a wireless network that uses PEAP-TLS authentication and our PKI infrastructure to authenticate computers and users onto the network. Our Cisco 1252 APs are set up with an SSID that uses RADIUS for authentication, back to the IAS server running on one of our domain controllers. Our PKI policies enable auto-enrolment for user (client authentication) certificates, and we use credential roaming. Group policy adds a profile for our wireless LAN to client machines.
On a newly-installed XP machine, things work fine. The machine authenticates onto the wireless at boot using its computer certificate. A user logs on for the first time and the machine remains connected using its computer certificate whilst it roams the client authentication certificate onto the machine, then it reauthenticates with the user certificate.
On a newly-installed Windows 7 machine, things are less good. The machine again authenticates onto the wireless at boot using its computer certificate. When you log on for the first time, whilst the machine is 'Preparing your desktop', the machine disappears from the wireless. After logon, you get a balloon stating that a certificate is required to connect to the network and you should contact an administrator.
Does anyone know what options I need to change in either the PKI policy or the wireless policy to make this work the way I'm expecting it to, or is this just not supported?
Thanks in advance for any tips.
Answers
- Hi,
After consulting authority, Windows 7 doesn't support Credentials Roaming with 802.1x EAP-TLS. And Credentials Roaming is not supported on any version of Windows OS with regards to 802.1x, as it was never even considered. It's a coincidence that Windows XP works fine. Future versions of Windows may take it into consideration.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Marked As Answer by Mervyn Zhang MSFT, Moderator, Friday, November 13, 2009 9:33 AM
All Replies
- Hi,
Is there any error in the Event Log on Windows 7 or DC? If any, please let us know the detailed error message.
Could Credential Roaming work fine on Windows 7 in wired network?
Please also help to collect the MPS report from Windows 7:
1) Download proper MPS Report tool from the website below.
Microsoft Product Support Reports
http://www.microsoft.com/downloads/details.aspx?FamilyID=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en
2) Double-click to run it; if a requirement is not met, please follow the wizard to download and install it. After that, click Next. When the "Select the diagnostics you want to run" page appears, select "General" and "Internet and Networking", then click Next.
3) After collecting all log files, choose "Save the results" and choose a folder to save the <Computername>MPSReports.cab file. Please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give us the download address.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Thanks Mervyn. Yes, credential roaming works fine on the wired network; the problem seems to be that Windows 7 attempts to reauthenticate onto the wireless using user credentials instead of machine credentials before the necessary certificate has been roamed onto the machine, so it isn't able to authenticate. I'll run the MPS tool on a machine later today.
- Hi,
Thank you for the update. Please let us know how you configured the detailed Wireless Group Policy settings on the server and the Windows 7 client.
Try to run "netsh ras dump >>c:\ras.txt" and upload c:\ras.txt file to Sky Drive for research.
If the user logs on once, does the problem occur again?
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Hi Mervyn,
The files you've requested are all at http://cid-18e34b9b431dd9af.skydrive.live.com/browse.aspx/.Public - there's a netsh dump of the RAS settings, an MPS report and an HTML export of the group policy.
I can confirm that if the user logs in over a wired connection (not using 802.1x), their certificates are roamed correctly, and they're then able to disconnect the cable and use wireless. This is the workaround we're using at the moment.
Thanks,
Sean
- Hi Sean,
From the GP report, we can see you have configured only one policy:
Policy Name: Windows Client Wireless
Policy Description: (none)
Policy Type: Windows XP
You should configure another policy for Windows Vista and later systems whose Policy Type is "Windows Vista and Later Releases".
If you don't have a Windows 2008 R2 system, try to install RSAT for Windows 7 and configure a new wireless policy for Windows 7 systems:
Remote Server Administration Tools for Windows 7
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Mervyn,
I'm under the impression that shouldn't be necessary - if no Vista-on policy is found, Windows 7 should fall back to using the XP policy. In fact, I previously had a Windows Vista policy set up in the same way, and that didn't help; the behaviour was the same.
Sean
- Hi Sean,
Windows XP wireless policies are not compatible with Windows Vista and later systems. Please create a new policy for Windows 7 and upload the GPMC report again for research.
There is a similar case for Windows XP; please try the workaround if necessary.
You cannot intermittently download roaming profiles on a Windows XP-based wireless computer
http://support.microsoft.com/kb/938117
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Mervyn,
I'm sorry, but I don't think that's correct. According to TechNet, if both policy types are present, then XP uses the XP policy and Vista uses the Vista policy. If only the XP policy is present, Vista will use it instead. I did previously have a Vista policy with the same settings and the same problem, so I don't really want to create it again when it won't solve anything.
The case you've pointed me to regarding Windows XP is to do with roaming profiles, which we're not using, so I can't use the workaround of reducing the size of the profile. I also don't want to switch to computer-only authentication, as it reduces security.
Sean
- Sorry for my mistake, yes, "If there are no Windows Vista policy settings, Windows Vista wireless clients will use the Windows XP settings. This article describes the settings that can be configured with the Windows Vista wireless policy".
Wireless Group Policy Settings for Windows Vista
http://207.46.16.252/en-us/magazine/2007.04.cableguy.aspx
What about increasing the "Max Authentication Failures"? And other Advanced settings such as "Max Eapol-Start Msgs", "Held Period", "Start Period" and "Auth Period".
Or enable SSO? Single sign-on (SSO) allows you to configure when 802.1X authentication occurs relative to the user logon and to integrate user logon and 802.1X authentication credentials on the Windows logon server. In the SSO section, there are settings to perform wireless authentication immediately before or after the user logon process and to specify the number of seconds of delay for connectivity before the process begins.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Mervyn,
I don't think playing with the EAPOL settings will help here - the machine doesn't have the user's certificate on it, so no matter how many times it retries authentication, it's never going to connect.
I tried enabling SSO, setting it to authenticate after logon with a delay of 120 seconds. This made no difference. A netsh wlan show of the profile is below:

Profile Metaswitch Corporate Wireless on interface Wireless Network Connection
=======================================================================
Applied: Group Policy Profile

Profile information
-------------------
Version : 1
Type : Wireless LAN
Name : Metaswitch Corporate Wireless
Control options :
Connection mode : Connect automatically
Network broadcast : Connect only if this network is broadcasting
AutoSwitch : Switch to more preferred network if possible

Connectivity settings
---------------------
Number of SSIDs : 1
SSID name : "Metaswitch-Corp-Wifi"
Network type : Infrastructure
Radio type : [ Any Radio Type ]
Vendor extension : Not present

Security settings
-----------------
Authentication : WPA2-Enterprise
Cipher : CCMP
Security key : Absent
802.1X : Enabled
EAP type : Microsoft: Protected EAP (PEAP)
802.1X auth credential : Machine or user credential
Cache user information : Yes
Type : Post-logon
Max delay (sec) : 120
User auth VLAN : Disabled

Any other ideas?
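The hypothesis in this thread is that Windows 7 switches to user 802.1X authentication before credential roaming has delivered the user's certificate. The following diagnostic, added here and not part of the original thread, can be run in the user's session on the Windows 7 client after the failed logon: it reports whether a client-authentication user certificate is actually present in the user's store yet, and lists recent WLAN-AutoConfig errors and warnings so the failure time can be compared with the certificate's arrival. The CA name in $IssuerPattern is a placeholder, and the log name and EKU OID are standard Windows/PKIX values, not taken from the thread.

```powershell
# Added diagnostic (not from the original post). Run as the affected user on the
# Windows 7 client right after the failed first logon. $IssuerPattern is a
# placeholder: replace it with the name of the enterprise CA that issues the
# user client-authentication certificates.
param(
    [string]$IssuerPattern = 'CN=EXAMPLE-ISSUING-CA',   # placeholder CA name
    [int]$LookbackMinutes  = 30
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU (PKIX)

# True when the certificate carries the Client Authentication EKU.
function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $clientAuthOid) { return $true }
            }
        }
    }
    return $false
}

$now = Get-Date
# Time-valid certificates from the expected CA, with a private key, usable for 802.1X user auth.
$userCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    $_.Issuer -like "*$IssuerPattern*" -and
    $_.NotBefore -le $now -and $_.NotAfter -ge $now -and
    (Test-ClientAuthEku -Cert $_)
}

if ($userCerts) {
    'Client-auth user certificate(s) present in CurrentUser\My:'
    $userCerts | Format-Table Subject, NotAfter, Thumbprint -AutoSize
} else {
    'No client-auth user certificate in CurrentUser\My yet: 802.1X user authentication cannot succeed until credential roaming delivers one.'
}

# Recent WLAN-AutoConfig errors (Level 2) and warnings (Level 3) that mention 802.1X or certificates,
# first line of each message only, so they can be lined up against the certificate check above.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-WLAN-AutoConfig/Operational'
    Level     = 2, 3
    StartTime = $now.AddMinutes(-$LookbackMinutes)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '802\.1[xX]|certificate' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

If the certificate list is empty while the event log already shows 802.1X failures, the client attempted user authentication before the roamed certificate existed, which is the sequence the poster describes.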
- That seems something of an oversight! OK, thanks for your help anyway, much appreciated.

