Windows 7 wireless supplicant - "user or computer" authentication
I'm having a hard time getting wireless authentication (WPA2 Enterprise) working reliably with Windows 7, and it appears to be down to the way Microsoft assumes that computer and user authentication should work together. In short:

1) When a laptop boots up, it tries to do computer authentication to wireless, using the computer's AD credentials, with no involvement by the user.
2) When the user logs in, the laptop authenticates the user against wireless, this time using the user's AD credentials.
3) When the user logs out, the laptop again does computer authentication to wireless.
4) When the user suspends the laptop, and comes into the office the next day, the laptop will only do user authentication against AD.

Looking at my authentication logs, it appears that our Windows 7 PEAP sessions are re-authenticated every 30 minutes (which is what the access point "session-timeout" has been set to): if the user is logged in, user re-authentication takes place. If the user is logged out, computer re-authentication takes place.

The following explains the behaviour: http://support.microsoft.com/kb/929847

machineOrUser: Use computer-only credentials or user-only credentials. When a user is logged on, the user's credentials are used for authentication. When no user is logged on, computer-only credentials are used for authentication.

There are a few flaws in this, if the network requires machine authentication:

1) Expecting that a user should have to reboot his computer to get access to the network is unacceptable to most users/organisations.
2) Expecting that a user should not be able to bring a suspended laptop in and get wireless access when it wakes up is also unacceptable to most users.
3) If the machine never does computer authentication when the user is logged in, recovering from the timeout of a computer authentication session will require at least the user logging out, which also is unacceptable to most users.
4) The problem can be alleviated (not resolved!) by caching the computer authentication artificially long, but from a security point of view that probably also will be unacceptable to most security-minded organizations.

So, the question is basically: if we set the wireless profile to require "user or computer" authentication, how can we ensure that Windows 7 does computer authentication at the right times:

1) When a computer boots up
2) Before a user logs in
3) When a user logs out
4) Periodically, to ensure an authenticated "session" exists even though the user might not log out for days.

Any thoughts or hints would be welcome! Thanks in advance!
January 19th, 2012 4:00am

Hi,

Here is the explanation of the several authentication modes.

1. User re-authentication. (Recommended) 802.1X always uses security credentials based on the current state of the computer. Authentication is performed by using the computer credentials when no users are logged on to the computer. When a user logs on to the computer, authentication is always performed by using the user credentials.
2. Computer only. Authentication is always performed by using only the computer credentials.
3. User authentication. Specifies that when users are not logged on to the computer, authentication is performed by using the computer credentials. After a user logs on to the computer, authentication is still based on the computer credentials. If the user has a portable computer and travels to a new location on the wired network, then authentication is performed based on the user credentials.
4. Guest authentication. Allows connections to the network that are regulated by the restrictions and permissions that are set for the guest account.

Niki Han
TechNet Community Support
January 23rd, 2012 3:38am
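The modes above are selected by the authMode element in the OneX section of the wireless profile, and the quickest way to see what a machine is actually configured for is to export the profile and read that element. The script below is an added example, not code from this thread or from Microsoft: it parses the XML written by `netsh wlan export profile` and reports the authMode together with what KB 929847 (quoted in the opening post) says it implies for machine credentials while a user is logged on. The embedded profile is a constructed sample; the profile name and SSID "CorpWiFi" are placeholders.

```python
"""Audit the 802.1X (OneX) settings of an exported Windows WLAN profile.

Added example, not code from the thread.  It parses the XML that
`netsh wlan export profile` writes and reports which credential mode the
supplicant is configured for, so an admin can see whether machine
credentials can ever be presented while a user is logged on.
"""
import xml.etree.ElementTree as ET

# Namespaces used in Windows WLAN profile XML.
NS = {
    "p": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "ox": "http://www.microsoft.com/networking/OneX/v1",
    "eh": "http://www.microsoft.com/provisioning/EapHostConfig",
    "ec": "http://www.microsoft.com/provisioning/EapCommon",
}

# IANA EAP method type numbers that commonly appear in Windows profiles.
EAP_TYPES = {13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Constructed sample (not exported from a real machine); "CorpWiFi" is a
# placeholder.  The layout follows what `netsh wlan export profile` writes
# for a WPA2-Enterprise PEAP profile.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod>
            <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
            <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
            <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
            <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
          </EapMethod>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""


def audit_profile(xml_text: str) -> dict:
    """Return the profile's security settings and what the OneX authMode
    implies for machine versus user authentication."""
    root = ET.fromstring(xml_text)
    sec = root.find("p:MSM/p:security", NS)
    use_onex = sec.findtext("p:authEncryption/p:useOneX", default="false", namespaces=NS)
    result = {
        "name": root.findtext("p:name", namespaces=NS),
        "authentication": sec.findtext("p:authEncryption/p:authentication", namespaces=NS),
        "use_onex": use_onex.lower() == "true",
        "auth_mode": None,
        "eap_method": None,
        "machine_creds_while_user_logged_on": None,
        "notes": [],
    }
    onex = sec.find("ox:OneX", NS)
    if not result["use_onex"] or onex is None:
        result["notes"].append("profile does not use 802.1X: no machine or user authentication")
        return result

    result["auth_mode"] = onex.findtext("ox:authMode", namespaces=NS)
    eap_type = onex.findtext("ox:EAPConfig/eh:EapHostConfig/eh:EapMethod/ec:Type", namespaces=NS)
    if eap_type is not None:
        result["eap_method"] = EAP_TYPES.get(int(eap_type), f"EAP type {eap_type}")

    # Semantics per KB 929847 (quoted in the thread): machineOrUser presents
    # user credentials whenever a user is logged on and machine credentials
    # only when nobody is; "machine" presents machine credentials always.
    mode = result["auth_mode"]
    if mode == "machine":
        result["machine_creds_while_user_logged_on"] = True
        result["notes"].append("computer-only: the user's identity is never sent to RADIUS")
    elif mode == "machineOrUser":
        result["machine_creds_while_user_logged_on"] = False
        result["notes"].append(
            "machine credentials are presented only while no user is logged on; a RADIUS "
            "policy that requires a recent machine authentication will start rejecting the "
            "periodic user re-authentications once that record expires during a long session")
    else:
        result["notes"].append(f"authMode {mode!r}: see KB 929847 for its credential rules")
    return result


if __name__ == "__main__":
    import json, sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    print(json.dumps(audit_profile(text), indent=2))
```

On the client, export the real profile with `netsh wlan export profile name="CorpWiFi" folder=C:\Temp` and pass the resulting XML file as the first argument; without an argument the script audits the embedded sample.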

Thanks Niki for the explanation, but after having tested this over a couple of weeks I'm convinced the Windows 7 wireless supplicant is broken in that computer re-authentication never seems to happen when a user is logged in to the computer.

Sure, this works great in a lab scenario, and authentication works fine for both computer and user authentication when you test it. The problem is that after a prolonged period of time, the users will start losing network connectivity, if you configure your authentication service to want both computer authentication (to ensure only systems in AD can connect) and user authentication (to ensure only valid domain users can login).

The problem is, as described above, when a user is logged in, a computer will *never* re-attempt computer authentication: you have to either log out or reboot before computer re-authentication takes place. This forces the network/system/security administrators into caching a valid computer login for much longer than one should have to, because as soon as the cached computer authentication times out, the users will lose network access. Only, as mentioned, logging out/in or restarting the computer will force a computer re-authentication, which then can allow a user authentication to take place.

As mentioned in my original post, expecting that users should have to restart their systems or login sessions to remain on the network is *not* acceptable in this day and age, when laptops are stable enough to stay up for weeks, and be suspended/resumed when a user leaves/comes into the office. I would hope that someone at Microsoft files a bug against this.
February 3rd, 2012 9:28am

> computer re-authentication never seems to happen when a user is logged in to the computer. The problem is, as described above, when a user is logged in, a computer will *never* re-attempt computer authentication: you have to either log out or reboot before computer re-authentication takes place.

Are you sure you're not confusing computer and user authentication? My understanding is that computer authentication will never happen while a user is logged on, only before a user logs on or after a user logs off. User authentication takes place after a user logs on, but this authentication isn't dependent on computer authentication, so a wake-from-sleep scenario (with user logged on) involves normal user authentication.
February 22nd, 2012 8:49pm

>> computer re-authentication never seems to happen when a user is logged in to the computer. The problem is, as described above, when a user is logged in, a computer will *never* re-attempt computer authentication: you have to either log out or reboot before computer re-authentication takes place.
>
> Are you sure you're not confusing computer and user authentication? My understanding is that computer authentication will never happen while a user is logged on, only before a user logs on or after a user logs off. User authentication takes place after a user logs on, but this authentication isn't dependent on computer authentication, so a wake-from-sleep scenario (with user logged on) involves normal user authentication.

You're right - and that is indeed where the problem is lying - if a user is logged into a system, computer authentication will NEVER take place. So, for a mobile user population who just shut the lids on their laptops, the Windows 7 supplicant's implementation of computer and user authentication is going to cause lots of headaches for companies who want exactly that - computer and user authentication! After a while (a few hours, a couple of days, however long the network admins are willing to cache a computer-authenticated session), users are going to lose their access to the network. The logical thing from a user's point of view - to reboot - will of course fix the problem. Until, of course, the next machine-authenticated session timeout...!
March 29th, 2012 12:03pm

Hi All,

I have the same configuration and I have big problems with bonded authentication (hostname and username). On my controller I have two rules for user authentication: hostname and username, through a RADIUS server (Windows Server 2008). For me, even after a restart or log off, the client cannot connect to the network using computer and then user authentication. Every time the client sends the user name instead of the computer name and the authorization fails, because the controller is expecting to receive the hostname and not the username first. Sometimes the client can connect, and in the authentication logs I can see that the client sends the hostname and then the username.

"ohuk" --- Where did you find that Windows 7 PEAP sessions are re-authenticated every 30 minutes? Can we change this value? Is this a known issue for Windows, or is it working as designed?
April 6th, 2012 5:03am
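Both failure modes in this thread show up clearly on the RADIUS side: the opening post's periodic re-authentications arriving as the user identity long after the last machine identity was seen, and the last post's stations that present a user identity with no machine authentication before it. The script below is an added example, not code from this thread, from Microsoft or from any controller vendor. It walks a RADIUS authentication log per wireless station, reports the re-authentication interval it observes (which exposes a 30-minute session-timeout), and flags every user authentication that has no accepted machine authentication within a configurable cache window. The log format is a constructed key=value layout, not the real NPS/IAS format, so parse_line() is the part to adapt; the only assumption about Windows is that machine authentication presents the computer account as host/<fqdn> while user authentication presents DOMAIN\user or a UPN.

```python
"""Check RADIUS authentication logs for the machine-then-user pattern.

Added example, not from the thread.  SAMPLE_LOG is a constructed
key=value layout, not a real NPS/IAS accounting format; adapt parse_line()
to your server.  Machine authentication from a Windows supplicant carries
the identity host/<fqdn>; user authentication carries DOMAIN\\user or a UPN.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

NO_MACHINE_AUTH = "user auth with no prior accepted machine auth for this station"
STALE_MACHINE_AUTH = "user auth after the machine-auth cache window expired"

# Constructed sample.  Station ...55 boots (machine auth), a user logs on,
# and a 30-minute session-timeout drives user re-auths until the policy's
# cached machine auth is too old.  Station ...66 never presents a machine
# identity at all, which is the situation in the last post.
SAMPLE_LOG = """\
2012-01-19 08:00:00 station=00:11:22:33:44:55 identity=host/laptop1.corp.example.com result=Accept
2012-01-19 08:05:00 station=00:11:22:33:44:55 identity=CORP\\alice result=Accept
2012-01-19 08:35:00 station=00:11:22:33:44:55 identity=CORP\\alice result=Accept
2012-01-19 09:05:00 station=00:11:22:33:44:55 identity=CORP\\alice result=Accept
2012-01-19 09:35:00 station=00:11:22:33:44:55 identity=CORP\\alice result=Accept
2012-01-19 10:05:00 station=00:11:22:33:44:55 identity=CORP\\alice result=Reject
2012-01-19 09:00:00 station=00:11:22:33:44:66 identity=CORP\\bob result=Reject
"""


def parse_line(line: str) -> dict:
    """Parse one 'YYYY-MM-DD HH:MM:SS key=value ...' line of the sample format."""
    ts_text, rest = line[:19], line[20:]
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S"),
        "station": fields["station"],
        "identity": fields["identity"],
        "result": fields["result"],
    }


def is_machine_identity(identity: str) -> bool:
    """Windows machine authentication uses the host/<fqdn> identity form."""
    return identity.lower().startswith("host/")


def analyze(log_text: str, cache_window_s: int = 7200) -> dict:
    """Per station: median seconds between authentications, plus every user
    authentication lacking an accepted machine auth within cache_window_s."""
    by_station = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_station[ev["station"]].append(ev)

    findings, intervals = [], {}
    for station, events in by_station.items():
        events.sort(key=lambda e: e["ts"])
        last_machine_ok = None  # time of the newest accepted machine auth
        for ev in events:
            if is_machine_identity(ev["identity"]):
                if ev["result"] == "Accept":
                    last_machine_ok = ev["ts"]
                continue
            finding = {"station": station, "ts": ev["ts"], "identity": ev["identity"],
                       "result": ev["result"], "machine_auth_age_s": None}
            if last_machine_ok is None:
                finding["reason"] = NO_MACHINE_AUTH
                findings.append(finding)
            else:
                age = (ev["ts"] - last_machine_ok).total_seconds()
                if age > cache_window_s:
                    finding.update(reason=STALE_MACHINE_AUTH, machine_auth_age_s=age)
                    findings.append(finding)
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
        intervals[station] = median(gaps) if gaps else None
    return {"findings": findings, "reauth_interval_s": intervals}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for station, seconds in report["reauth_interval_s"].items():
        print(f"{station}: median re-auth interval {seconds} s")
    for f in report["findings"]:
        print(f"{f['ts']} {f['station']} {f['identity']} ({f['result']}): {f['reason']}")
```

Set cache_window_s to whatever your RADIUS policy caches a machine authentication for; a station that only ever produces STALE_MACHINE_AUTH findings is the behaviour the opening post describes, while NO_MACHINE_AUTH on a freshly booted station points at the profile or policy ordering problem in the last post rather than at the cache length.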
