Posted (edited)

Ok, so currently we have about 15 laptops on our domain. They all are either Intel 2200 or 3945 chipsets, which luckily use the same installation package. The Intel drivers have a pretty decent client configuration application, but it's not without its gripes.

The application includes a feature that seems to help the laptops sign-on to the domain over the wireless. From what I can tell without this feature the wireless link isn't ready when the user logs in, resulting in the "Domain not available" error message. The feature seems to get around that by connecting to a preconfigured wireless profile as the user logs on, and waits until a domain controller is found to pass the auth info through. Works well enough in most cases.

My question is: are there any other ways around that which wouldn't require me to use the Intel application? I see some things in the GPO that might be what I want, but I can't tell if it will perform as we are used to. I need these laptops to be able to sign-on 'live' over the wireless, without any cached logins.

The Intel drivers include bare .inf files so I can install the adapters for use with just the built-in XP SP2 Wireless Zero Config application. If I create the GPOs for the wireless profiles will they be active before or during the logon?

Or is there an even better way to do this? We use a mixture of roaming profiles and folder redirection, along with several mapped drives. If the process doesn't work correctly we get issues with the folder redirection not working or mapped drives not working unless you manually open them once. And of course there is the main issue of the "Domain not available" error message preventing logon.

Edited by InTheWayBoy

Posted (edited)

Yes - consider using those 802.1x policies. This would authenticate the machine against an IAS server (add/remove windows components on a 2000 or 2003 DC) on the domain, and would also authenticate the user via the same method (certificates and shared secrets - or smartcards, if you can swing it). This forces the wireless link to come up and send EAPOL packets back and forth with the IAS server before allowing logon - it'll slow the boot process some on wireless laptops on a domain, but it will both ensure the network is up before domain login, and also help secure communications between the wireless client and the domain and WAP (especially if teamed with IPSEC policies).

Your WAP and/or switches also need to support 802.1x for this to work properly, but most do at this point. If they do, it's a viable, cheap, and easy solution to implement - with security benefits as well.

Edited by cluberti
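
Added example, not part of the original thread: a small Python decoder for the EAPOL frames mentioned in the reply above, useful when checking a capture to see whether the wireless port was actually authorised before logon. The sample frames, the `host/LAPTOP01.example.local` identity and the helper names are constructed for illustration, and the exchange is abbreviated (a real PEAP or EAP-TLS exchange has many more frames).

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}

def parse_eapol(frame: bytes) -> dict:
    """Decode one EAPOL frame body (the bytes after EtherType 0x888E)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL length field exceeds captured bytes")
    out = {"version": version, "eapol": EAPOL_TYPES.get(ptype, f"type-{ptype}")}
    if ptype == 0:  # EAP-Packet: code, identifier, length, optional method
        if length < 4:
            raise ValueError("truncated EAP header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if not 4 <= eap_len <= length:
            raise ValueError("inconsistent EAP length field")
        out.update(code=EAP_CODES.get(code, f"code-{code}"), id=ident)
        if code in (1, 2) and eap_len >= 5:  # only Request/Response carry a method
            out["method"] = EAP_METHODS.get(body[4], f"method-{body[4]}")
            out["data"] = body[5:eap_len]
    return out

def port_authorised(frames) -> bool:
    """True only if the last EAP result seen in the exchange is Success."""
    result = None
    for frame in frames:
        code = parse_eapol(frame).get("code")
        if code in ("Success", "Failure"):
            result = code
    return result == "Success"

def eap(code, ident, method=None, data=b""):
    """Build a constructed EAPOL EAP-Packet frame (hypothetical helper)."""
    payload = bytes([method]) + data if method is not None else b""
    pkt = struct.pack("!BBH", code, ident, 4 + len(payload)) + payload
    return struct.pack("!BBH", 1, 0, len(pkt)) + pkt

# Constructed, abbreviated machine-authentication exchange.
SAMPLE = [
    struct.pack("!BBH", 1, 1, 0),                  # supplicant: EAPOL-Start
    eap(1, 1, 1),                                  # authenticator: Request/Identity
    eap(2, 1, 1, b"host/LAPTOP01.example.local"),  # supplicant: Response/Identity
    eap(1, 2, 25, b"\x20"),                        # RADIUS via AP: Request/PEAP start
    eap(3, 9),                                     # EAP-Success: port opens
]
```
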
Posted

Sorry, been kinda hectic. I'm getting some new APs next week (NetGear WG102) and once I get them deployed I'm gonna try this out. Thanx for the suggestions, I'll hit this back in a week or so with any updates.
