GaneshJaju
Thu May 24 00:53:02 CDT 2007
Hi,
Please see inline.
"S. Pidgorny <MVP>" wrote:
> Hi Ganesh,
>
> IEEE 802.1x standards don't prescribe the supplicant behaviour with regards
> to computer/user authentication.
>
> The question is - why remote desktop connections don't work? I think that is
> because of the re-authentication: user logon (through remote desktop) will
> trigger re-authentication by the supplicant, which will temporarily
> disconnect the computer from the network. That will break the remote desktop
> connection.
This is true and the reason it happens is because remote desktop initiates
machine authentication and due to user mismatch earlier user gets logged out
breaking remote desktop connection. Had it been the case that user
authentication is initiated and remote desktop user being the same as logged
in user, we should not face this issue.
>
> To verify, we need to test with AuthMode set to 2 (or 0 - refer to the same
> FAQ). I'll try to do that tomorrow.
0 Disable IEEE 802.1X authentication operation.
1 Prevent transmission of EAPOL start and EAPOL log off packets under all
scenarios.
2 Include learning to determine when to initiate the transmission of EAPOL
packets. A Windows XP Service Pack 2 (SP2)-based computer will only send an
EAPOL start frame if the computer receives an EAP request identity frame and
if no internal process is currently ongoing.
3 Compliant with IEEE 802.1X authentication specification.
Only value of 3 is compliant with IEEE standards.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> *
http://sl.mvps.org *
http://msmvps.com/blogs/sp *
>
> "Ganesh Jaju" <GaneshJaju@discussions.microsoft.com> wrote in message
> news:6FC93AC0-2B92-4CF6-BB4F-316BAA60BFEC@microsoft.com...
> >
> > I am interested in IEEE 802.1x standard based behavior for this case.
> > User authentication is something which I don't want to compromise with.
> > I would prefer having both types of authentication (computer/user).
> >
> > To my knowledge, when we boot windows machine, first machine
> > authentication
> > happens and then user authentication.
> > Can't we have similar behavior for remote desktop as well?
> >
> > If it is a known issue, I am ok with it. Just that I found the issue to
> > be
> > known on Microsoft's site for wireless case, I wanted to confirm if the
> > same
> > is true for wired case.
> >
> > I would appreciate if I get to know more details on the problem, if any.
> >
> >
> >
> >
> > "S. Pidgorny <MVP>" wrote:
> >
> >> What if you disable re-authentication with user credentials and use
> >> machine-only authentication?
> >>
> >> --
> >> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> >> -= F1 is the key =-
> >>
> >> *
http://sl.mvps.org *
http://msmvps.com/blogs/sp *
> >>
> >> "Ganesh Jaju" <Ganesh Jaju@discussions.microsoft.com> wrote in message
>
> >> >
http://www.microsoft.com/technet/network/wifi/wififaq.mspx
> >> > In Microsoft's words:-
> >> >
> >> > Q. Do Remote Desktop connections work to Windows wireless clients that
> >> > use
> >> > 802.1X authentication?
> >> >
> >> > A. Not at this time. All 802.1X-based wireless connections are
> >> > affected,
> >> > including those using EAP-TLS or PEAP-MS-CHAP v2. Connections using a
> >> > static
> >> > WEP key or WPA-PSK are not affected. Microsoft has addressed this issue
> >> > in
> >> > Windows Vista and Windows Server "Longhorn."
> >> >
> >> > So is the issue valid for wired networks as well (I feel wired/wireless
> >> > should not be an issue as supplicant behavior would be the same)?
>
>
>