First logon delay

0

Sign in to vote

NAP doesn't solve this run/logon problem you're facing.

Sunday, April 13, 2008 3:36 AM

0

Sign in to vote

Hi Howard,

about 60 second delay for first run is by design for NAP (802.1X) controlled PC with IP leased via DHCP ?

Or recomended scenario is static configuration TCPIP for this PC ?

Or other ? recomendation ?

Thanks,

L.

Sunday, April 13, 2008 5:52 AM

0

Sign in to vote

NAP along shouldn't have caused 60 seconds of delay for your first run. In my previous post, I meant to say that NAP shouldn't have caused and thus doesn't solve this run/logon problem you're facing. I'm curious what diagnosis you have done to determine that it was NAP that caused the problem, but not wireless connection or the DHCP server? What erros does the event log report?

Sunday, April 13, 2008 7:57 AM

0

Sign in to vote

Event log:

1) Intel(R) 82566DM-2 Gigabit Network Connection Link has been established: 100Mbps full duplex.

2) Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 001AA0D617D2. The following error occurred:

The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Port for NIC is not open, switch is configured for 802.1X !! Now is starting napagent:

3)

The NAP service has started.

NAP has the following information for this computer:

Computer name is pcuvt10.

Domain status is: Not Domain Joined.

The OS SKU is: CLIENT.

The service pack version is: 3.0.

The processor type is: 0.

4)

The enforcement client 79871 successfully initialized.

5)

The Network Access Protection Agent was unable to determine which HRAs to request a health certificate from.

A network change or if GP is configured, a configuration change will prompt further attempts to acquire a health certificate. Otherwise no further attempts will be made.

Contact the HRA administrator for more information.

6)

The System Health Agent 79744 successfully initialized.

7)

The enforcement client 79623 successfully initialized.

8)

Your computer has automatically configured the IP address for the Network Card with network address 001AA0D617D2. The IP address being used is 169.254.46.187.

L.

Sunday, April 13, 2008 3:37 PM

0

Sign in to vote

Hi,

This is the same problem as in your other post at http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3143925&SiteID=17. It looks like your DHCP server is not responding when the client first starts up.

What is the DHCP server configuration?

-Greg

Monday, April 14, 2008 11:12 PM

0

Sign in to vote

Hi,

this is not the exactly same problem. This is domain PC and domain user, correctly authenticated. Delay is the same problem, before is PC not athenticate via NAP, CISCO port is closed and DHCP server is client not possible contact. This delay is by design for NAP ?

Thanks,

Ladislav

Tuesday, April 15, 2008 3:59 AM

0

Sign in to vote

Hi,

No this is not by design for NAP. If you are getting a 169.x.x.x address, then this is related to DHCP.

I think the problem is with the location of your DHCP server, but I am not sure. Please try using a static IP address to troubleshoot. If the delay is gone with a static IP address, this probably means the delay is caused by not correctly negotiating DHCP when the computer is noncompliant. You will need to make sure that the IP helper is configured correctly and working when your computer is either compliant or noncompliant.

First try using a static IP address and see what happens. Then, use DHCP again. Make the computer noncompliant and turn off automatic remediation. See if it can get a valid IP address from the switch. Now make the computer compliant and see if it again gets a valid IP address. It should obtain a new IP address lease each time it moves to a new VLAN.

-Greg

Tuesday, April 15, 2008 7:40 AM

0

Sign in to vote

Hi,

I dont understand you or I all setup incorectly.

On cisco port (where is connected PC) is cofigured for authenticate via 802.1X. TCP/IP on this port started after PC correctly authenticated via NAP (then open this port to defined VLAN). After this PC contacted DHCP not before !

I try set static IP, but delay the same.

Log:

Level Date and Time Source Event ID Task Category
Information 15.4.2008 10:47:11 Service Control Manager 7036 None The Windows Installer service entered the stopped state.
Information 15.4.2008 10:47:09 Service Control Manager 7036 None The Protected Storage service entered the running state.
Information 15.4.2008 10:39:55 Service Control Manager 7036 None The Windows Modules Installer service entered the running state.
Information 15.4.2008 10:39:55 Microsoft-Windows-DistributedCOM 10029 None "DCOM started the service TrustedInstaller with arguments """" in order to run the server:
{752073A1-23F2-4396-85F0-8FDB879ED0ED}"
Information 15.4.2008 10:39:20 Microsoft-Windows-GroupPolicy 1500 None The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy.
Warning 15.4.2008 10:39:20 Microsoft-Windows-GroupPolicy 1091 None Windows could not record the Resultant Set of Policy (RSoP) information for the Group Policy extension <Security>. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.
Information 15.4.2008 10:39:19 Microsoft-Windows-GroupPolicy 1503 None The Group Policy settings for the user were processed successfully. New settings from 5 Group Policy objects were detected and applied.
Warning 15.4.2008 10:39:17 bowser 8005 None The browser has received a server announcement indicating that the computer PCUVT8 is a master browser, but this computer is not a master browser.
Error 15.4.2008 10:39:17 bowser 8003 None The master browser has received a server announcement from the computer HOMER that believes that it is the master browser for the domain on transport NetBT_Tcpip_{88218105-E840-45E3-AB6D-D123B53D8931. The master browser is stopping or an election is being forced.
Information 15.4.2008 10:39:07 Service Control Manager 7036 None The Windows Update service entered the running state.
Information 15.4.2008 10:39:01 Microsoft-Windows-TBS 537 None A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer. TBS could not be started.
Information 15.4.2008 10:39:01 Service Control Manager 7036 None The Security Center service entered the running state.
Information 15.4.2008 10:39:01 Service Control Manager 7036 None The TPM Base Services service entered the stopped state.
Information 15.4.2008 10:39:01 Service Control Manager 7036 None The KtmRm for Distributed Transaction Coordinator service entered the running state.
Information 15.4.2008 10:39:01 Service Control Manager 7036 None The Background Intelligent Transfer Service service entered the running state.
Information 15.4.2008 10:38:28 DnsApi 11160 None "The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

   Adapter Name : {88218105-E840-45E3-AB6D-D123B53D8931}
   Host Name : PCUVT8
   Adapter-specific Domain Suffix : faf.cuni.cz
   DNS server list :
     172.18.100.1
   Sent update to server : 172.18.100.1:53
   IP Address : 172.18.50.70

The reason that the system could not register these RRs was because of a security related problem. The cause of this could be (a) your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request.

You can manually retry DNS registration of the network adapter and its settings by typing ""ipconfig /registerdns"" at the command prompt. If problems still persist, contact your DNS server or network systems administrator."
Information 15.4.2008 10:38:24 DnsApi 11160 None "The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

   Adapter Name : {88218105-E840-45E3-AB6D-D123B53D8931}
   Host Name : PCUVT8
   Adapter-specific Domain Suffix : faf.cuni.cz
   DNS server list :
     172.18.100.1
   Sent update to server : 172.18.100.1:53
   IP Address : 172.18.50.70

The reason that the system could not register these RRs was because of a security related problem. The cause of this could be (a) your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request.

You can manually retry DNS registration of the network adapter and its settings by typing ""ipconfig /registerdns"" at the command prompt. If problems still persist, contact your DNS server or network systems administrator."
Information 15.4.2008 10:38:21 Microsoft-Windows-Time-Service 37 None The time provider NtpClient is currently receiving valid time data from TWEETY.faf.cuni.cz (ntp.d|0.0.0.0:123->172.18.100.14:123).
Information 15.4.2008 10:38:16 DnsApi 11160 None "The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

   Adapter Name : {88218105-E840-45E3-AB6D-D123B53D8931}
   Host Name : PCUVT8
   Adapter-specific Domain Suffix : faf.cuni.cz
   DNS server list :
     172.18.100.1
   Sent update to server : 172.18.100.1:53
   IP Address : 172.18.50.70

The reason that the system could not register these RRs was because of a security related problem. The cause of this could be (a) your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request.

You can manually retry DNS registration of the network adapter and its settings by typing ""ipconfig /registerdns"" at the command prompt. If problems still persist, contact your DNS server or network systems administrator."
Information 15.4.2008 10:38:12 DnsApi 11160 None "The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

   Adapter Name : {88218105-E840-45E3-AB6D-D123B53D8931}
   Host Name : PCUVT8
   Adapter-specific Domain Suffix : faf.cuni.cz
   DNS server list :
     172.18.100.1
   Sent update to server : 172.18.100.1:53
   IP Address : 172.18.50.70

The reason that the system could not register these RRs was because of a security related problem. The cause of this could be (a) your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request.

You can manually retry DNS registration of the network adapter and its settings by typing ""ipconfig /registerdns"" at the command prompt. If problems still persist, contact your DNS server or network systems administrator."
Information 15.4.2008 10:38:11 Microsoft-Windows-Time-Service 35 None The time service is now synchronizing the system time with the time source TWEETY.faf.cuni.cz (ntp.d|0.0.0.0:123->172.18.100.14:123).
Information 15.4.2008 10:38:11 Microsoft-Windows-Time-Service 37 None The time provider NtpClient is currently receiving valid time data from TWEETY.faf.cuni.cz (ntp.d|0.0.0.0:123->172.18.100.14:123).
Information 15.4.2008 10:38:09 Microsoft-Windows-User-PnP 20003 None Driver Management has concluded the process to add Service tunmp for Device Instance ID ROOT\*TUNMP\0000 with the following status: 0.
Information 15.4.2008 10:38:08 Service Control Manager 7036 None The Remote Access Connection Manager service entered the running state.
Information 15.4.2008 10:38:08 Service Control Manager 7036 None The Telephony service entered the running state.
Information 15.4.2008 10:38:08 Service Control Manager 7036 None The Secure Socket Tunneling Protocol Service service entered the running state.
Information 15.4.2008 10:37:58 Service Control Manager 7036 None The Application Information service entered the running state.
Information 15.4.2008 10:37:52 Service Control Manager 7036 None The Network Connections service entered the running state.
Information 15.4.2008 10:37:52 Microsoft-Windows-DistributedCOM 10029 None "DCOM started the service netman with arguments """" in order to run the server:
{BA126AD1-2166-11D1-B1D0-00805FC1270E}"
Error 15.4.2008 10:37:50 Microsoft-Windows-GroupPolicy 1129 None The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
Error 15.4.2008 10:37:49 Microsoft-Windows-TerminalServices-RemoteConnectionManager 1067 None "The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
."
Warning 15.4.2008 10:37:46 LsaSrv 40960 (3) "The Security System detected an authentication error for the server cifs/psrv01.faf.cuni.cz. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request.
(0xc000005e)""."
Error 15.4.2008 10:37:23 Microsoft-Windows-GroupPolicy 1129 None The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
Warning 15.4.2008 10:37:12 Microsoft-Windows-Time-Service 129 None NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Windows Installer service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Windows Search service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Certificate Propagation service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Terminal Services Configuration service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Terminal Services UserMode Port Redirector service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The SL UI Notification Service service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Diagnostic System Host service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The AVG8 E-mail Scanner service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The AVG8 WatchDog service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Network List Service service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The IP Helper service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The UPnP Device Host service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Windows Image Acquisition (WIA) service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The SMS Agent Host service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Network Location Awareness service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Windows Search service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Windows Time service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Windows Management Instrumentation service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Network Access Protection Agent service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Terminal Services service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The SSDP Discovery service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Portable Device Enumerator Service service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The IPsec Policy Agent service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Windows Error Reporting Service service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Distributed Link Tracking Client service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Superfetch service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Secondary Logon service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Program Compatibility Assistant Service service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The NMSAccessU service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Diagnostic Policy Service service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Cryptographic Services service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Function Discovery Resource Publication service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The IKE and AuthIP IPsec Keying Modules service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The ReadyBoost service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Application Experience service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Netlogon service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Computer Browser service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Workstation service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Server service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Windows Firewall service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The WebClient service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Base Filtering Engine service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Print Spooler service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Task Scheduler service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Shell Hardware Detection service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Wired AutoConfig service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Extensible Authentication Protocol service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The DNS Client service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The DHCP Client service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Network Store Interface Service service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The TCP/IP NetBIOS Helper service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The CNG Key Isolation service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Windows Driver Foundation - User-mode Driver Framework service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Tablet PC Input Service service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Security Accounts Manager service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Desktop Window Manager Session Manager service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The System Event Notification Service service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The User Profile Service service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Themes service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Group Policy Client service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The COM+ Event System service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Offline Files service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Software Licensing service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Windows Audio service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Windows Audio Endpoint Builder service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Multimedia Class Scheduler service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Windows Event Log service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Ati External Event Utility service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Windows Defender service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Remote Procedure Call (RPC) service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The DCOM Server Process Launcher service entered the running state.
Information 15.4.2008 10:37:11 Service Control Manager 7036 None The Plug and Play service entered the running state.
Information 15.4.2008 10:37:10 Microsoft-Windows-DistributedCOM 10029 None "DCOM started the service MSIServer with arguments """" in order to run the server:
{000C101C-0000-0000-C000-000000000046}"
Warning 15.4.2008 10:37:10 Microsoft-Windows-Time-Service 129 None NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
Error 15.4.2008 10:37:10 NETLOGON 5719 None "This computer was not able to set up a secure session with a domain controller in domain FAFUKHK due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain."
Warning 15.4.2008 10:37:05 DnsApi 11164 None "The system failed to register host (A or AAAA) resource records for network adapter
with settings:

   Adapter Name : {88218105-E840-45E3-AB6D-D123B53D8931}
   Host Name : PCUVT8
   Primary Domain Suffix : faf.cuni.cz
   DNS server list :
     172.18.100.1
   Sent update to server : <?>
   IP Address(es) :
     172.18.50.70

Either the DNS server does not support the DNS dynamic update protocol or the authoritative zone for the specified DNS domain name does not accept dynamic updates.

To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator."
Information 15.4.2008 10:36:56 Microsoft-Windows-Time-Service 143 None The time service has started advertising as a good time source.
Information 15.4.2008 10:36:56 Microsoft-Windows-Time-Service 139 None The time service has started advertising as a time source.
Information 15.4.2008 10:36:44 Microsoft-Windows-FilterManager 6 None File System Filter 'luafv' (6.0, 19.1.2008 7:30:35) has successfully loaded and registered with Filter Manager.
Error 15.4.2008 10:36:43 atikmdag 45062 CRT CRT invalid display type
Information 15.4.2008 10:36:38 Tcpip 4201 None The system detected that network adapter Local Area Connection was connected to the network, and has initiated normal operation.
Information 15.4.2008 10:36:38 Microsoft-Windows-FilterManager 6 None File System Filter 'AvgMfx86' (6.0, 10.1.2008 19:05:15) has successfully loaded and registered with Filter Manager.
Information 15.4.2008 10:36:37 Microsoft-Windows-Kernel-Processor-Power 4 None "Processor 1 exposes the following:

2 idle state(s)
2 performance state(s)
8 throttle state(s)"
Information 15.4.2008 10:36:37 Microsoft-Windows-Kernel-Processor-Power 4 None "Processor 0 exposes the following:

2 idle state(s)
2 performance state(s)
8 throttle state(s)"
Information 15.4.2008 10:36:36 b57nd60x 9 None Broadcom NetXtreme Gigabit Ethernet: Network controller configured for 100Mb full-duplex link.
Information 15.4.2008 10:36:36 b57nd60x 15 None Broadcom NetXtreme Gigabit Ethernet: Driver initialized successfully.
Information 15.4.2008 10:36:33 Tcpip 4201 None The system detected that network adapter Loopback Pseudo-Interface 1 was connected to the network, and has initiated normal operation.
Information 15.4.2008 10:36:33 Tcpip 4201 None The system detected that network adapter Loopback Pseudo-Interface 1 was connected to the network, and has initiated normal operation.
Information 15.4.2008 10:36:33 Microsoft-Windows-FilterManager 6 None File System Filter 'FileInfo' (6.0, 19.1.2008 7:34:27) has successfully loaded and registered with Filter Manager.
Information 15.4.2008 10:36:44 EventLog 6013 None The system uptime is 12 seconds.
Information 15.4.2008 10:36:44 EventLog 6005 None The Event log service was started.
Information 15.4.2008 10:36:44 EventLog 6009 None Microsoft (R) Windows (R) 6.00. 6001 Service Pack 1 Multiprocessor Free.

Thanks,

L.

Tuesday, April 15, 2008 8:55 AM

0

Sign in to vote

Hey L. Thanks for your patience with us on this one.

If you set a static IP, and the delay problem still happens – what about if you open the switch port to not do 802.1X? Is everything fine then?

This really sounds like a race condition to me. Group Policy and/or something in the Security subsystem is racing actual connectivity to your AD/DC before it is actually ready. In the past, when NAP was being deployed by early adopters (Longhorn Beta 2/3) – we saw this hit in several companies because of some strange timing issues on various 802.1X switches. In one instance, the 802.1X implementation on the switch was sending a “success” to the client that the port/VLAN was ready to go, when in actual fact it needed several more seconds to prepare the port. This would cause a ton of problems in Windows, mostly because of timeouts in the logon / scripts / Group Policy area. A fix was applied from the switch vendor, as well as adjusting some timers within the switch configuration – this solved it. Your issue really seems to fit into this…

{Jeff Sigman}{Senior Program Manager & NAP Hero}{Enterprise Security Group}

{NAP Blog, FAQ, Forum, MSDN, Site and my bloÿg}

Saturday, April 26, 2008 10:32 PM

0

Sign in to vote

Hi Jeff,

i try this tommorow, I think delay problem still happens and in configuration cisco switch. Port with 802.1X auth. is close before successfull athentication.

Solution for this is maybe:

dot1x guest-vlan xx

xx - VLAN when is AD/GPO, DHCP, DNS

I try this tomorrow.

Thanks,

L.

Sunday, April 27, 2008 4:28 AM

0

Sign in to vote

Hi Greg and Jeff,

guest VLAN is solution for this problem.

My config now:

interface FastEthernet0/47

switchport access vlan 33

switchport mode access

dot1x pae authenticator

dot1x port-control auto

dot1x timeout quiet-period 5

dot1x timeout reauth-period 180

dot1x timeout tx-period 10

dot1x guest-vlan 33

spanning-tree portfast

VLAN 33 is non-compliant VLAN.

All working fine (NAP, WoL, PXE installatin via this port).

Many thanks for your help,

L.

Tuesday, April 29, 2008 7:16 AM

0

Sign in to vote

I love it when it works! :->

{Jeff Sigman}{Senior Program Manager & NAP Hero}{Enterprise Security Group}

{NAP Blog, FAQ, Forum, MSDN, Site and my bloÿg}

Tuesday, April 29, 2008 6:01 PM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

First logon delay

Question

Answers

All replies