Re: Remote Desktop to a machine that is 802.1x authenticated (wire



Hi,
Please see inline.

"S. Pidgorny <MVP>" wrote:

Hi Ganesh,

IEEE 802.1x standards don't prescribe the supplicant behaviour with regard
to computer/user authentication.

The question is: why don't remote desktop connections work? I think that is
because of the re-authentication: user logon (through remote desktop) will
trigger re-authentication by the supplicant, which will temporarily
disconnect the computer from the network. That will break the remote desktop
connection.

This is true, and the reason it happens is that remote desktop initiates
machine authentication and, due to the user mismatch, the earlier user gets
logged out, breaking the remote desktop connection. Had it been the case that
user authentication is initiated and the remote desktop user is the same as
the logged-in user, we should not face this issue.


To verify, we need to test with AuthMode set to 2 (or 0 - refer to the same
FAQ). I'll try to do that tomorrow.

0 Disable IEEE 802.1X authentication operation.
1 Prevent transmission of EAPOL start and EAPOL log off packets under all
scenarios.
2 Include learning to determine when to initiate the transmission of EAPOL
packets. A Windows XP Service Pack 2 (SP2)-based computer will only send an
EAPOL start frame if the computer receives an EAP request identity frame and
if no internal process is currently ongoing.
3 Compliant with IEEE 802.1X authentication specification.

Only a value of 3 is compliant with IEEE standards.


--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Ganesh Jaju" <GaneshJaju@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6FC93AC0-2B92-4CF6-BB4F-316BAA60BFEC@xxxxxxxxxxxxxxxx

I am interested in IEEE 802.1x standard based behavior for this case.
User authentication is something which I don't want to compromise with.
I would prefer having both types of authentication (computer/user).

To my knowledge, when we boot windows machine, first machine authentication
happens and then user authentication.
Can't we have similar behavior for remote desktop as well?

If it is a known issue, I am ok with it. Just that I found the issue to be
known on Microsoft's site for wireless case, I wanted to confirm if the same
is true for wired case.

I would appreciate if I get to know more details on the problem, if any.




"S. Pidgorny <MVP>" wrote:

What if you disable re-authentication with user credentials and use
machine-only authentication?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Ganesh Jaju" <Ganesh Jaju@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message

http://www.microsoft.com/technet/network/wifi/wififaq.mspx
In Microsoft's words:-

Q. Do Remote Desktop connections work to Windows wireless clients that use
802.1X authentication?

A. Not at this time. All 802.1X-based wireless connections are affected,
including those using EAP-TLS or PEAP-MS-CHAP v2. Connections using a static
WEP key or WPA-PSK are not affected. Microsoft has addressed this issue in
Windows Vista and Windows Server "Longhorn."

So is the issue valid for wired networks as well (I feel wired/wireless
should not be an issue as supplicant behavior would be the same)?


