802.1x dynamic VLAN - user logon script is broken while client VLAN is changed
- Hi there,
I have a problem: the user logon script is broken when the client VLAN is changed after the user has logged in. I am deploying 802.1x dynamic VLAN assignment with XP SP3. The logon script seems to be okay if the VLAN is not changed. I have seen the following topic and would like to confirm whether it means that it is not possible to solve this issue on XP (without a 3rd-party supplicant). Could anyone please clarify it for me?
802.1x with dynamic vlan switching - problem with roaming profiles by Daniel Luttermann
http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/f68dc3f0-744a-4d0f-b85a-87f8bc531fd0/
Thanks
/Nitass
All Replies
- Hi,
Is it possible for you to run the logon script locally on the client? This is a possible workaround to resolve problems with interruption of a remote logon script caused by interface cycling during VLAN changes.
-Greg
- Greg,
Would you mind explaining to me a bit more about how to work around this issue? I am not sure whether it is acceptable for the customer or not.
Thanks a lot
/Nitass
- Hi Nitass,
Sorry for the delay in answering.
The basic principle is that you run a script locally on the client computer that loops until the client has a network connection. The script then starts the normal network logon script.
I believe the sequence of events is:
1. Computer boots up.
2. Computer GPO configures wired/wireless parameters and executes a "copy" script.
3. The "copy" script copies a second script "run logon" to the client computer that will be run during user logon.
4. User logs on, credentials are used for 802.1X authentication.
5. User GPO starts the local "run logon" script running on the client computer.
6. Local "run logon" script loops until it has access to the network share with the network "user logon" script.
7. Network "user logon" script is run.
-Greg
- Marked As Answer by Greg Lindsay MSFT, Owner, Tuesday, July 07, 2009 4:11 AM
- Proposed As Answer by Greg Lindsay MSFT, Owner, Friday, July 03, 2009 6:13 AM
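The local "run logon" loop from steps 6 and 7 above, sketched as a batch file that runs on XP. This is an added example, not a script posted in the thread; the share path, retry limits and log file name are hypothetical placeholders.

```bat
@echo off
rem run-logon.cmd : added example, not from the thread.
rem Started locally at user logon (step 5). Waits until the network
rem logon script is reachable again after the VLAN change, then runs it.
rem
rem Assumption: the startup "copy" script placed this file in a directory
rem that ordinary users cannot modify, because it runs at every logon.
setlocal

rem Hypothetical placeholder path to the network "user logon" script.
set "NET_SCRIPT=\\fileserver.example\netlogon\user-logon.cmd"

rem Bounded retry so a missing share cannot hang the logon forever.
set MAX_TRIES=60
set TRIES=0

:wait
rem The share is unreachable while the interface cycles into the new VLAN.
if exist "%NET_SCRIPT%" goto run
set /a TRIES+=1
if %TRIES% GEQ %MAX_TRIES% goto giveup
rem ping used as a delay of roughly two seconds.
ping -n 3 127.0.0.1 >nul
goto wait

:run
rem Step 7: hand over to the normal network logon script.
call "%NET_SCRIPT%"
exit /b %ERRORLEVEL%

:giveup
rem Leave a trace for troubleshooting instead of failing silently.
echo %DATE% %TIME% share not reachable after %TRIES% tries >> "%TEMP%\run-logon.log"
exit /b 1
```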
- Greg,
That is alright. I have a few further questions. Would you mind clarifying them for me?
1. Does it mean that it is not possible to solve the broken logon script when the client VLAN is changed on XP without a 3rd-party supplicant or running the script locally? I have to report to the customer to ask permission to run the script locally. So, it is very important that I do not miss anything.
2. "Computer GPO configures wired/wireless parameters and executes a "copy" script." ---> Is this a GPO computer startup script?
3. "User GPO starts the local "run logon" script running on the client computer." ---> Is this a GPO user logon script?
I look forward to hearing from you.
Many thanks
/Nitass
- Hi Nitass,
1. I wish I could provide a full list of the available options, but I don't have enough experience in the area. I have read about configuring the GpNetworkStartPolicyTimeoutValue registry key as another possible solution. The setting is used to increase the amount of time to wait for Group Policy if a network connection is not available. This is configured under HKLM\SOFTWARE\Policies\Microsoft\Windows\System and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
I think it will require analysis of the sequence of events to determine if the registry key above will help. The settings in Computer Configuration\Administrative Templates\System\Logon also can affect this. I wish I could provide more prescriptive advice. Perhaps someone else has tried these options and can add to the thread.
2. Yes, this would be a script added to Computer Configuration\Windows Settings\Scripts\Startup
3. Yes, this would be a script added to User Configuration\Administrative Templates\System\Logon\Run these programs at user logon
I hope this helps,
-Greg
- Marked As Answer by Greg Lindsay MSFT, Owner, Tuesday, July 07, 2009 4:11 AM
- Greg,
Thanks a lot for your help. :-)
I had already raised the GpNetworkStartPolicyTimeoutValue to 60 seconds and also enabled "Always wait for network at computer startup and logon" in GPO but it seemed not to help. So, I posted here and hope someone could advise me.
I will discuss running the script locally with the customer. If you have any suggestions, please let me know. I really appreciate your help.
Many thanks
/Nitass
- Greg and everybody,
Would you mind explaining GpNetworkStartPolicyTimeoutValue to me? How does it work? I have read the MS KB but I could not catch it. For example, does this key affect either computer GPO or user GPO? Or both?
Many thanks
/Nitass
- Greg,
Sorry for the long delay in replying. I opened a case with Microsoft and they said that they do not suggest. They also gave me the following URL for reference.
http://support.microsoft.com/default.aspx/kb/935638
However, I think your recommendation would be useful. I will try it when I have a chance. Thank you very much again. :-)
Have a nice day,
Nitass
- Marked As Answer by nitass, Thursday, August 06, 2009 11:06 AM

