Environment
Novell Client for Windows 2000/XP/2003 4.91 Support Pack 4
802.1x authentication (wired)
4.91 SP4
Situation
When implementing 802.1x authentication in a wired environment
(the problem does not occur in a wireless environment) using a RADIUS
server that authenticates against eDir, the 802.1x authentication
works properly, and the login to the eDirectory tree is successful,
but an 8801 error is thrown during the execution of the login
script.
Resolution
Fixed in updated noveap.dll and nwlscrpt.exe modules, dated 21Mar2008 or later.
The following is a workaround for this issue:
Launch the login script subsequent to the user authentication. This can be accomplished by calling a batch file which runs loginw32.exe from the startup group, or by calling loginw32.exe directly from the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Add a string value named "Novell Login" which contains the value:
C:\Windows\system32\loginw32.exe /CONT /NA /S C:\LoginScr.txt
where the last argument is the name of a Novell login script file.
Additional Information
When implementing 802.1x authentication with an 802.1x-enabled
switch, users do not have access to the network until they are
authenticated by the RADIUS server. This is because before the user
has successfully authenticated on 802.1x, they have no access to
services through the switch. It is only after the switch learns
from the RADIUS server that the user's credentials have been
approved that they have access to the wired network beyond the
port connection.
The 8801 errors seen when executing login scripts are the result of the way Novell implemented 802.1x authentication in the Microsoft environment. The Novell Client needs full user access to the network in order for the login process to complete. To do this, it uses a plug-in to the Microsoft supplicant to take the supplied user credentials and authenticate the user to the RADIUS server; then, now that the 802.1x-enabled switch has activated the port, it uses the same credential set to log in to eDirectory. At this point, the user is completely logged in to 802.1x and to the Novell network. Then, the Novell Client passes the credentials to Windows for the local machine authentication to occur. However, Windows assumes it still needs to do a user authentication. Accordingly, it disconnects the user from the network and begins a second 802.1x authentication. This happens during the processing of the login script, which then fails because the connection it is using has been removed.