I have a problem that I believe I have troubleshot correctly, but I cannot find an easy answer to it. Our network uses PEAP-MSCHAPv2 to authenticate users.
Here is what I believe is happening...
1. User is not allowed onto the network until their credentials are checked with the RADIUS server.
2. User enters Windows username and password to log on to the laptop.
3. User's information is forwarded to the RADIUS server and the user is allowed onto the network.
The problem is that, since the user is not on the network until AFTER the credentials are checked, I believe the user is actually logging onto the machine with cached credentials. This means that the Win 2k3 server logon script doesn't run when the user logs onto the domain.
I have a couple of questions....
1. Are my assumptions correct about why the scripts are not running?
2. Is there a solution out there that does not require manually putting login scripts on the users machines?
Funny, it takes googling at 5 in the morning for everything to finally click. I knew that machine authentication might solve the issue, but didn't know if it could be done with MSCHAPv2. Apparently Cisco has a tech paper that spells out exactly how to implement it.
But let's say that for some reason the security policy of the company wants to enforce user authentication rather than machine authentication. Is there still a way around the server logon script issue?
BTW it may really be an uphill battle to get the security dept to go along with machine rather than user auth.
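An added example (not part of the original thread) that checks both points raised above on an affected laptop: whether recent console logons were in fact served from cached credentials (Security event 4624, LogonType 11 = CachedInteractive, versus LogonType 2 = Interactive validated by a DC), and which 802.1X `authMode` the client's profile actually enforces (`machine`, `user` or `machineOrUser`). The profile name `CorpWiFi` and the scratch folder are assumptions; run it elevated so the Security log is readable. For wired 802.1X the equivalent export is `netsh lan export profile folder=... interface=...`.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell
# on one of the affected laptops. Assumptions: the wireless profile is named
# "CorpWiFi" and exported profiles can be written to $env:TEMP\onex.
param(
    [string]$ProfileName = 'CorpWiFi',          # assumed profile name
    [string]$ExportDir   = "$env:TEMP\onex",    # assumed scratch folder
    [int]   $Days        = 7
)

# ---- 1. Were recent console logons served from cached credentials? ----
# Security event 4624 records every successful logon. LogonType 2 is an
# Interactive logon validated by a domain controller; LogonType 11 is
# CachedInteractive, i.e. no DC was reachable and the locally cached
# verifier was used. A type 11 logon is exactly the case in which the
# domain logon script does not run at logon.
function Get-InteractiveLogons {
    param([int]$Days)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction Stop) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $type = [int]$data['LogonType']
        if ($type -eq 2 -or $type -eq 11) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType = $type
                Cached    = ($type -eq 11)
            }
        }
    }
}

$logons = @(Get-InteractiveLogons -Days $Days)
"Console logons in the last $Days day(s): $($logons.Count)"
$logons | Group-Object Cached | ForEach-Object {
    $label = if ($_.Name -eq 'True') { 'CachedInteractive (type 11): logon script did NOT run' }
             else                    { 'Interactive (type 2): DC was reachable' }
    '  {0,4}  {1}' -f $_.Count, $label
}

# ---- 2. What does the 802.1X profile actually enforce? ----
# netsh exports the profile as XML; the <authMode> child of the OneX element
# is "machine", "user" or "machineOrUser". Only a profile that allows machine
# authentication can bring the link up before the user has logged on.
function Get-OneXAuthMode {
    param([string]$ProfileName, [string]$ExportDir)
    New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
    netsh wlan export profile name="$ProfileName" folder="$ExportDir" | Out-Null
    $file = Get-ChildItem -Path $ExportDir -Filter "*$ProfileName*.xml" | Select-Object -First 1
    if (-not $file) {
        throw "Profile '$ProfileName' was not exported; check the name with 'netsh wlan show profiles'."
    }

    [xml]$xml = Get-Content -Path $file.FullName
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('ox', 'http://www.microsoft.com/networking/OneX/v1')
    $node = $xml.SelectSingleNode('//ox:OneX/ox:authMode', $ns)
    if ($node) { $node.InnerText } else { 'not set (OneX element absent or authMode omitted)' }
}

$mode = Get-OneXAuthMode -ProfileName $ProfileName -ExportDir $ExportDir
"802.1X authMode for '$ProfileName': $mode"
if ($mode -eq 'user') {
    'Profile is user-only: the link cannot come up before logon, so cached logons are expected.'
}
```

If part 1 shows type 11 logons on a laptop that sits on the corporate LAN, the cached-credential hypothesis in the first post is confirmed; part 2 then tells you whether the profile even permits the machine to authenticate before logon, which is the setting the security department would have to accept for the logon script to run.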