Cisco Support Community

Windows Group Policy fails to work.

Greetings,

I have a wireless network (802.11g). I have Windows group policies applied, but only the wired clients get the GPOs, the wireless clients do not.

The SSID security is using Open w/EAP, the radio encryption is TKIP, and the server based security is Radius w/EAP.

The Radius service is a Windows 2003 Server Standard Edition SP1 using IAS 5.2.379.1830. The Radius server has a cert installed that is required to be on the clients as well.

The Wireless Client is using an AIR-CB21AG-A-K9, the driver was installed with ADU 3.0.0.296, the driver version is 3.0.0.104.

The AP is an AIR-AP1231G-A-K9 running IOS version 12.3(4)JA. I have also tested this on IOS 12.3(8)JEA with the same results.

The setup works like this, but the GPO failing is a problem. Is there another way to do this? I am open to suggestions on how to secure the client's association access to the AP and network and also provide for GPOs to work. The abridged Config follows:

version 12.3
.
.
.
aaa new-model
!
aaa group server radius rad_eap
 server xxx auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
 server xxx auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid CiscoWLAN
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid CiscoWLAN
 !
 short-slot-time
 speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 channel 2462
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address yyy 255.255.255.0
 no ip route-cache
!
ip radius source-interface BVI1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host xxx auth-port 1645 acct-port 1646 key 7
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
end


Re: Windows Group Policy fails to work.

First, try removing the ICMP filters. This would fix the issue. Secondly, since Microsoft Group Policies are only available since the advent of Active Directory (Windows 2000 and newer), the GPO trigger update feature is only available on Windows XP/2000 machines.

Re: Windows Group Policy fails to work.

Do you have machine authentication configured? If you don't, user GP execution will be random at best and machine GPs will not be applied.
