I am having similar problems. I'm using WPA/WPA2 and PEAP with Machine Auth before login. I'm playing around with different options and "Group Policy Delay" times. If anyone is using WPA+PEAP and is having GPOs apply successfully upon boot, I would appreciate some guidance.
Okay. I've found a solution to the Group Policy problems I was having, but it's a little lengthy. I found some of the answers by searching through netpro security posts since half of the battle lies in a correct ACS configuration (or whatever flavor of RADIUS you're using).
To start off, I didn't have an external database mapping for my Domain Computers. I'm using PEAP & WPA2 and "Computer Authentication" was enabled for PEAP in the ACS server, but it still didn't work correctly until I mapped the "Domain Computers" account to an ACS group with access to the SSIDs in question. Moving along...
All my devices were using the Cisco CB21AG cards. The thing I really got stuck on was using the Cisco supplicant vs. Windows XP zero-config. In my experience, Group Policy DOES NOT WORK with the Cisco supplicant. I uninstalled it and just installed the card driver, set everything back up correctly and enabled computer authentication. Use group policy or local policy to enable the "Always wait for the network at computer startup and logon" (Computer Config->Admin Templates->Logon). This fixed the majority of the problems, but there is still one major step. This is somewhat dependent on PC/network card, but if the card is not initialized within 10 (?) seconds of Windows XP booting, computer group policy will not come down, which includes software installation settings. Edit or create the following registry key of type DWORD:
Set it somewhere between 30 and 60, decimal. This is the timeout in seconds that Windows will wait for the network to come up before pulling down computer group policy. You may also find this key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, but Windows will always use the above key if it exists.
Whew! I hope someone finds this useful because it took me a LONG time to put all the pieces together.