Wireless, NPS, SSO (before logon) = Group policy not applying?

I'm running out of ideas on this... we're trying to set up WPA-Enterprise with our Ubiquiti wireless, and to a point it is working great. Log on to a laptop with your domain credentials and you can connect to the SSID without needing to enter any additional credentials, etc. This also works automatically if the profile is pushed through group policy.

What I'm having problems with though is SSO. I need to get it setup so that as the user logs onto the laptop, it connects to the wifi, allowing the user group policies to all apply as they would normally (if connected by cable, or wireless using a PSK). I've set the wireless profile to do this, and it does appear to connect like it should - a new user that has never logged onto a given laptop is then able to login, so it clearly is talking to the rest of the network.

But, 9 times out of 10, group policies fail to apply with event ID 1058, error 53 - 'The network path was not found'. It states the domain controller too, though they have all appeared so it doesn't seem to be related to any one DC. If you go to the path in the error log, you can get to it as expected.

I've tried giving the wireless adapter a static IP, I've tried different laptops, various other things - all to no avail. It seems the wireless is the problem, but I can't see how it is when it appears to connect and authenticate the Windows logon (new users, disabling a test user etc).

Any ideas?
 
Yep, DNS. Set it to route all network traffic through the VPN, or add the AD server to the hosts file.
 
VPN? I'm not using a VPN in this scenario at all.

I know what the error code means, what I can't figure out is why it is happening.

I'll add - once logged in and at the desktop, network connectivity is up and working - including accessing the policy file the event error complaints about.
 
Is your WPA-E authentication on the user or machine level? If you do user authentication then the machine can't connect to wifi until after an authorized user logs on. You have to set the wifi up to authorize the computer.
 
Yeah, the computer needs to connect first. We have corp wifi here and it goes by user cert; we are changing some areas to use a machine cert to connect to wifi, so the network is already connected when the user logs in.
 
We're set to use user authentication - but the group policy settings for SSO are set to 'Before logon' - which so far as I can tell is to get around this? The other option is 'after logon' - which is obviously no good. I know startup policies won't work in this scenario (unless the machine is physically plugged into the network at startup), but I'm not too worried about that at the moment.

It certainly seems to do something - when you logon there is a message stating 'Windows will attempt to connect to *SSID*'. Enter credentials and it duly connects, and logon continues.

This must work in some way, because if you attempt to logon with an account that has never logged into the machine before, it works and logs you on. It's just the GP processing that then doesn't happen.
 
Machine authentication using a cert fixes pretty much all the problems with WPA-E that you're describing. I always used machine auth for domain-joined PCs and user auth for other things such as smartphones, so there's no global wifi password; each person has to use their own username and logon. Machine auth is super easy to set up via GPO; you just have to do the initial connection either via wired, WPA-PSK, or user auth. It is still the more secure WPA-E and still authenticates via the domain, just through the computer account instead of the user account, but it can do all the pre-login policy and other things it needs the network for. (Edit: actually you can't use user auth to domain-join the computer; that has to be done via wired or PSK, unless you have a publicly trusted key on your NPS server.)

Assuming you're using NPS it's trivial to set up RADIUS to do both machine and user auth.
 
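The two things the thread turns on are whether the 802.1X profile authenticates the computer or only the user (the `authMode` element of the profile's OneX block), and the Event ID 1058 failures in the opening post. The PowerShell below is an added example, not code from the thread; it parses a constructed, user-only profile of the kind `netsh wlan export profile` produces, flags why it cannot bring the network up before logon, shows the one-line change to `machineOrUser` that the replies recommend, and pulls recent 1058 events from the Group Policy operational log. The SSID `CorpWiFi`, the sample XML, and the export path are assumptions for the example; the EAPConfig block is left out of the sample.

```powershell
# Added example: inspect and correct the authMode of an 802.1X wireless profile,
# and list recent Group Policy 1058 failures. Not from the original thread.
# Assumed export command for a real profile:
#   netsh wlan export profile name="CorpWiFi" folder=C:\Temp key=clear

$WlanNs = 'http://www.microsoft.com/networking/WLAN/profile/v1'
$OneXNs = 'http://www.microsoft.com/networking/OneX/v1'

# Constructed sample: user-only auth with pre-logon SSO, i.e. the poster's configuration.
[xml]$SampleProfile = @"
<?xml version="1.0"?>
<WLANProfile xmlns="$WlanNs">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="$OneXNs">
        <authMode>user</authMode>
        <singleSignOn>
          <type>preLogon</type>
          <maxDelay>10</maxDelay>
          <allowAdditionalDialogs>true</allowAdditionalDialogs>
        </singleSignOn>
        <!-- EAPConfig omitted from this constructed sample -->
      </OneX>
    </security>
  </MSM>
</WLANProfile>
"@

function New-ProfileNamespaceManager {
    param([Parameter(Mandatory)][xml]$Profile)
    $nsm = New-Object System.Xml.XmlNamespaceManager($Profile.NameTable)
    $nsm.AddNamespace('p', $WlanNs)
    $nsm.AddNamespace('ox', $OneXNs)
    return $nsm
}

function Get-WlanProfileOneX {
    # Returns SSID, authMode and SSO type. authMode defaults to machineOrUser
    # when the element is absent, so report that rather than $null.
    param([Parameter(Mandatory)][xml]$Profile)
    $nsm  = New-ProfileNamespaceManager -Profile $Profile
    $oneX = $Profile.SelectSingleNode('/p:WLANProfile/p:MSM/p:security/ox:OneX', $nsm)
    if (-not $oneX) { throw 'No OneX block: this is not a WPA-Enterprise (802.1X) profile.' }
    $auth = $oneX.SelectSingleNode('ox:authMode', $nsm)
    $sso  = $oneX.SelectSingleNode('ox:singleSignOn/ox:type', $nsm)
    [pscustomobject]@{
        Ssid     = $Profile.SelectSingleNode('/p:WLANProfile/p:name', $nsm).InnerText
        AuthMode = if ($auth) { $auth.InnerText } else { 'machineOrUser' }
        SsoType  = if ($sso)  { $sso.InnerText }  else { 'none' }
    }
}

function Test-PreLogonNetwork {
    # Machine auth is what lets the adapter associate with no user present.
    param([Parameter(Mandatory)]$OneX)
    switch ($OneX.AuthMode) {
        'machine'       { "OK: $($OneX.Ssid) authenticates the computer account; network is up before logon." }
        'machineOrUser' { "OK: $($OneX.Ssid) uses the computer account at boot and the user account after logon." }
        'user'          { "WARN: $($OneX.Ssid) is user-only (SSO type '$($OneX.SsoType)'); nothing can connect until a user supplies credentials. Switch authMode to machineOrUser." }
        default         { "Unknown authMode '$($OneX.AuthMode)'." }
    }
}

function Set-WlanProfileMachineOrUser {
    # Rewrites authMode to machineOrUser and saves the XML for re-import with
    #   netsh wlan add profile filename="<path>" user=all
    param([Parameter(Mandatory)][xml]$Profile, [Parameter(Mandatory)][string]$OutPath)
    $nsm  = New-ProfileNamespaceManager -Profile $Profile
    $auth = $Profile.SelectSingleNode('/p:WLANProfile/p:MSM/p:security/ox:OneX/ox:authMode', $nsm)
    if (-not $auth) {
        $oneX = $Profile.SelectSingleNode('/p:WLANProfile/p:MSM/p:security/ox:OneX', $nsm)
        $auth = $oneX.PrependChild($Profile.CreateElement('authMode', $OneXNs))
    }
    $auth.InnerText = 'machineOrUser'
    $Profile.Save($OutPath)
    return $OutPath
}

function Get-GpNetworkPathFailures {
    # Event 1058 in the Group Policy operational log; error 53 is ERROR_BAD_NETPATH.
    param([int]$Days = 1)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 1058
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage on the constructed sample:
$info = Get-WlanProfileOneX -Profile $SampleProfile
$info
Test-PreLogonNetwork -OneX $info
$fixed = Set-WlanProfileMachineOrUser -Profile $SampleProfile -OutPath (Join-Path $env:TEMP 'CorpWiFi-machineOrUser.xml')
Test-PreLogonNetwork -OneX (Get-WlanProfileOneX -Profile ([xml](Get-Content $fixed -Raw)))
Get-GpNetworkPathFailures -Days 3
```

Run it on a real export by replacing `$SampleProfile` with `[xml](Get-Content 'C:\Temp\Wi-Fi-CorpWiFi.xml' -Raw)`. The rewritten profile still carries the original EAP configuration, so the computer account must also be permitted by the NPS network policy (and hold a machine certificate if EAP-TLS is in use) before re-importing it, otherwise the boot-time 802.1X attempt will simply be rejected.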
Thanks. We'll give machine auth a go after our bank holiday and see how that goes. Seems like it could be the better way to go - as you say, allowing both computer and user auth for other non-domain devices.

We have two domains in separate forests also, so I believe we need an NPS proxy in the second domain for machine authentication to work for those computers, but I haven't tried anything yet.
 