Wireless Group Policy Problem - Half the policy applying

  • Question

  • Hi

    I'm at a loss for where to investigate this one so I'm hoping for some suggestions.

    We have a single GPO to send out settings for wireless access to our network. On the wireless we have two SSIDs as below.

    1. Staff SSID

    My manager wanted to reduce the security issues with this as much as possible, so I've generated a GUID for the SSID name, set it not to broadcast the SSID and set the group policy to show the network as "<company name> Staff". It uses WPA2-Enterprise with RADIUS authentication to silently pass the authentication credentials of the currently logged-on user, providing SSO.

    2. Guests SSID

    This uses a preshared WPA2 key and provides guests with internet access and is blocked from the local LAN.

    The GPO is applied in such a way that company laptops have the Staff SSID displayed in the available connection list, they're allowed to connect to it (as long as they're in the appropriate AD group for RADIUS authentication) but they are blocked from connecting their laptops to the Guests SSID. The important thing is that this single GPO controls both settings.

    On a few laptops we have been noticing that the blocking of the Guests SSID is working fine, but the Staff SSID is failing to show. It's as if only half the policy is applying. This is happening to only a small number of laptops which reside in the same AD OUs and it doesn't matter who logs on, the same problem occurs. The laptop is able to view all other wireless networks in the vicinity.

    I have logged in to one as myself (with Domain Admin permissions) and I get this problem, but on other laptops, the policy applies completely allowing me to connect to the Staff SSID while blocking the Guests SSID, as it should.

    I've run an RSOP against the laptop which shows that the policy is applying (confirmed by the fact that the Guests SSID is blocked) and the only problem I can find in the event logs is for the EapHost service with event ID of 2002. I've followed the advice in a few forum posts below but have been unsuccessful (not even sure if it's related to the GPO issue).

    http://www.eventid.net/display-eventid-2002-source-Microsoft-Windows-EapHost-eventno-10874-phase-1.htm

    http://www.sevenforums.com/network-sharing/336450-event-id-2002-source-eaphost-eap-method-dll-path-name-failed.html

    Any suggestion would be greatly appreciated.

    • Moved by Frank Shen5 Wednesday, September 24, 2014 7:49 AM
    Monday, September 22, 2014 11:26 AM

All replies

  • I've managed to do some testing and found that this only occurs on laptops that have been imaged using our MDT solution. It's also only occurring when I select the option to restore user data. I can re-image a laptop using the exact same image and task sequence without restoring user data and the GPO applies fine.

    The problem seems to centre around restoring user data.

    Tuesday, September 23, 2014 1:27 PM
  • Hi Daverino,

    Since RSOP shows that the policy has been applied, it should not be a Group Policy issue.

    According to your description, it seems that the system of the laptop has been changed by the user data.

    Could you please post the original information about event 2002? It is useful for further troubleshooting.

    Best Regards.



    Steven Lee

    TechNet Community Support

    Wednesday, September 24, 2014 10:02 AM