NAP x Mandatory Profile

  • Question

  • Hi,
    Users with mandatory profiles are not working with NAP.
    After I remove the profile path in the account definition, this account works with NAP correctly on the same PC.

    OS=Windows Vista

    Is it possible to use mandatory profiles?

    Thanks,
    Ladislav
    Thursday, September 25, 2008 10:58 AM

Answers

  • Add-on info:
    I use this in an 802.1X wired network. When I change the auth. mode in the LAN profile from "MachineOrUser" to "Machine",
    NAP works fine.

    The Windows mandatory profile affected NAP functioning only with auth. mode MachineOrUser.

    Is this a bug in NAP, or does NAP not work with mandatory profiles?

    L.
    Monday, September 29, 2008 7:40 AM
  • What happens when the profile is set to 'MachineOrUser' is - when the machine boots up, it will authenticate using its machine identity, then will stay authenticated (and do reauthentications) indefinitely, using the same machine credential.

    What happens when the profile is set to 'MachineOrUser' is - when the machine boots up, it will authenticate using its machine identity, then when a user logs on, a new authentication is done using the User's credentials.


    From what you've described, this is an issue with the user profile, but I would probably need to know more about the settings - can you point out where they are configured in GP for me?  I'm not immediately familiar with the settings you are referring to...

    -Chris
    -Chris Chris.Edson@online.microsoft.com * SDET II, Network Access Protection Platform Team * Remove the "online" make the address valid. ** This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, September 29, 2008 5:19 PM
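To check which authentication mode a wired profile actually carries before changing it, the following is an added example (not code from the thread or from Microsoft). It assumes the profile was exported with `netsh lan export profile` and follows the LAN profile and OneX XML schemas; the sample profile and the function name `audit_lan_profile` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# XML namespaces of the wired (LAN) profile and its 802.1X (OneX) section.
NS = {
    "lan": "http://www.microsoft.com/networking/LAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
}

# Constructed sample, shaped like a file written by `netsh lan export profile`.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
      </OneX>
    </security>
  </MSM>
</LANProfile>"""


def audit_lan_profile(xml_text):
    """Return (onex_enabled, auth_mode, user_auth_at_logon) for one profile."""
    root = ET.fromstring(xml_text)
    security = root.find("lan:MSM/lan:security", NS)
    if security is None:
        # Profile has no security section, so 802.1X is not configured here.
        return (False, None, False)
    enabled_text = security.findtext("lan:OneXEnabled", "false", NS)
    enabled = enabled_text.strip().lower() == "true"
    mode = security.findtext("onex:OneX/onex:authMode", None, NS)
    mode = mode.strip() if mode else None
    # The thread's failing case: machineOrUser triggers a second
    # authentication with the user's credentials at logon.
    user_auth = enabled and mode is not None and mode.lower() == "machineoruser"
    return (enabled, mode, user_auth)


if __name__ == "__main__":
    enabled, mode, user_auth = audit_lan_profile(SAMPLE_PROFILE)
    print(f"802.1X enabled: {enabled}, authMode: {mode}")
    if user_auth:
        print("User credentials are used at logon; this is the mode the thread reports failing.")
```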

All replies

  • Are you referring to Wireless connection profiles?
    -Chris Chris.Edson@online.microsoft.com * SDET II, Network Access Protection Platform Team * Remove the "online" make the address valid. ** This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, September 26, 2008 1:21 AM
  • No. The problem is with user account mandatory profiles located on a network drive and, after login, stored in the C:\Users\account_name directory in Vista.


    L.
    Friday, September 26, 2008 5:54 AM
  • Ladislav,

    I think this issue is resolved by changing the authmode to Machine. There is apparently a setting in the mandatory user profile that isn't compatible with user authentication for 802.1X. If you can provide more information it will be helpful. I'm marking the thread as answered, but please reply if you have more information or further questions.

    Thanks,
    -Greg
    Wednesday, October 8, 2008 5:58 PM
  • Ladislav,

    Are you using VLAN assignment or IP filters to segment your network?  I know in certain circumstances the network disconnect/reconnect aspect of VLAN assignment has caused issues, especially in high latency environments.  With IP filters, the connection is never dropped during a state transition, only access rights are changed on the port.

    -abc

    Friday, October 10, 2008 3:34 AM