We are testing NAC solutions with our Aruba 802.11a/g wireless APs, using Windows 802.1X supplicants. When the user logs on, the Windows roaming profile download fails when the connection is re-established during transition from Machine authentication to User authentication. Do you know of any workaround for this problem?
A Windows roaming profile contains environmental information (like desktop items) associated with an individual who uses multiple computers. Whenever that user logs onto a Windows PC, his or her roaming profile is automatically copied from the domain controller to the local computer to provide a consistent environment.
Microsoft's website describes a roaming profile problem that might be what you're experiencing. Specifically, Windows XP users who authenticate with 802.1X and EAP-TLS or PEAP may intermittently fail to download their roaming profiles. According to knowledge base article 938117:
"This problem occurs because EAP-TLS and PEAP-TLS use a client certificate to validate the network connection. The roaming profiles that contain the certificate are stored on a domain controller. When you try to download the roaming profiles after you restart the computer, Windows XP also tries to re-authenticate the user. User re-authentication times out before you can download the roaming profiles."
Microsoft recommends two workarounds for this problem. Either stick to machine (computer) authentication only, or reduce the size of the roaming profile so that the download completes faster. You can configure either EAP-TLS or PEAP to "authenticate as the computer when computer information is available" by using the Authentication tab on the Wireless Connection's Properties panel.
This was first published in January 2008