Cisco Wireless LAN Controller v220.127.116.11
Microsoft IAS w/ PEAP
Dynamic VLAN switching
Computer boots up, authenticates with wireless network using computer credentials. Based on RADIUS policy, computer is assigned to VLAN 10. Computer grabs an IP and waits at the Ctrl+Alt+Del screen. User logs in, computer authenticates using user credentials. Based on RADIUS policy, computer is assigned to VLAN 20. Group Policy and Login Scripts process.
The problem is that sometimes the GPOs and scripts don't run properly.
I started a continuous ping to the computer IP before user authentication and to the computer IP after user authentication. I can see that the computer boots up in VLAN 10 with 10.10.10.10 IP address. The IP in VLAN 20, 10.10.20.20, isn't responding to pings yet.
After the user authenticates, the computer loses its IP momentarily, then regains its original IP address (in VLAN 10, not VLAN 20). RADIUS, by this time, has reported that the user has authenticated successfully, which assigns the computer its new VLAN at that time, but the computer doesn't get it quite yet. The computer then loses its VLAN 10 IP address again, and then regains its VLAN 20 IP address. It appears that the computer/user authenticates with RADIUS in this order: Computer (prelogin), User (after typing user/pass and pressing "Enter"), Computer, User... I don't understand why it's passing the Computer credentials to RADIUS after it's already logging in as a user, but that appears to be messing up the login sequence.
The problem is that this weird release/renewal of the IP is preventing login scripts and GPOs from running sometimes. I thought all of these quirky Dynamic VLAN Switching issues were to have been resolved in Windows 7.
I've tried updating NIC drivers to no avail. My temporary workaround is to set the wireless policy to only use user authentication. This means that before the user logs in, the PC has no IP address at all. After they type their login/password and hit enter, the computer authenticates with RADIUS, gets assigned a VLAN and gets an IP address in VLAN 20. This assignment of the IP address in VLAN 20 takes place much faster than when the computer is first assigned to a different VLAN, VLAN 10.
I'd like the computer to have an IP address before login so startup scripts can run and so we can remotely support and manage the devices if they aren't being used, but are still online. Any ideas? I'd like to determine if the problem lies with the WLC or not.
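An added example, not part of the original post: it reconstructs each client's 802.1X authentication sequence from RADIUS-style Access-Accept lines and flags clients whose VLAN assignment changes more than once, which is the host/user/host/user pattern the post describes (a clean machine-then-user logon changes VLAN exactly once). The line format, field names and sample events are constructed for this example and are not the IAS log format.

```python
# Added example (not from the thread): reconstruct per-client 802.1X
# authentication order from RADIUS-style event lines and flag clients whose
# dynamic VLAN assignment flaps (host -> user -> host -> user).
# Log format and field names are constructed for this example, not IAS's.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2}) Access-Accept user=(?P<user>\S+) "
    r"calling-station=(?P<mac>\S+) vlan=(?P<vlan>\d+)"
)

# Constructed sample: PC01 authenticates host, user, host, user; PC02 is clean.
SAMPLE_LOG = """\
08:00:01 Access-Accept user=host/PC01.corp.example calling-station=00-11-22-33-44-55 vlan=10
08:00:45 Access-Accept user=CORP\\alice calling-station=00-11-22-33-44-55 vlan=20
08:00:47 Access-Accept user=host/PC01.corp.example calling-station=00-11-22-33-44-55 vlan=10
08:00:52 Access-Accept user=CORP\\alice calling-station=00-11-22-33-44-55 vlan=20
08:01:10 Access-Accept user=host/PC02.corp.example calling-station=66-77-88-99-AA-BB vlan=10
08:01:40 Access-Accept user=CORP\\bob calling-station=66-77-88-99-AA-BB vlan=20
"""

def identity_kind(user):
    """'host' for a machine account (host/ prefix), otherwise 'user'."""
    return "host" if user.lower().startswith("host/") else "user"

def auth_sequences(log):
    """Map each client MAC to its ordered list of (identity kind, VLAN)."""
    seqs = defaultdict(list)
    for m in LINE_RE.finditer(log):
        seqs[m["mac"]].append((identity_kind(m["user"]), int(m["vlan"])))
    return dict(seqs)

def vlan_flaps(log):
    """Return clients whose assigned VLAN changed more than once.
    A machine logon followed by one user logon changes VLAN exactly once;
    more than one change means the host re-authenticated mid-logon."""
    flapping = {}
    for mac, events in auth_sequences(log).items():
        vlans = [v for _, v in events]
        changes = sum(1 for a, b in zip(vlans, vlans[1:]) if a != b)
        if changes > 1:
            flapping[mac] = events
    return flapping

if __name__ == "__main__":
    for mac, events in vlan_flaps(SAMPLE_LOG).items():
        print(mac, " -> ".join(f"{k}:vlan{v}" for k, v in events))
```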
I believe so.
TAC suggested I disable Aironet IE extensions and client exclusion. I also set the SSID to broadcast.
On WinXP machines we still don't implement the Dynamic VLAN Switching. We still use PEAP, however, and the only hurdle we came across was the machine password expiring every 30 days. As a workaround we set the machine password to expire every 999 days. This made all the difference.