Document ID: 108539
This document provides a sample configuration for Windows GPO at PC startup and user logon to domain. Windows GPO can be configured to run various scripts at PC startup and user logon to domain. The scripts are often used by enterprise to configure environment variables, to map remote drives etc.
Cisco NAC controls access to the network when the user first connects and tries to logon to the Windows machine.
The scripts can be classified as startup/shutdown and logon/logoff scripts.
Windows runs startup and shutdown scripts in machine context. This only functions if the NAC appliance opens the appropriate network resources required by the script for the particular role when these scripts are executed at PC bootup or shutdown, which typically is the unauthenticated role.
Logon and logoff scripts are executed in user context, which means that the logon script executes after the user has logged in through windows GINA. The logon script can fail to execute and/or complete execution if the user authentication or machine posture assessment does not complete and network access is not granted in time. These scripts can also be interrupted by IP address refresh initiated by NAC agent after an OOB logon event.
There are no specific requirements for this document.
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
These are general recommendations for GPO scripts:
Run the scripts in visible mode when you debug. This allows visual indication that the logon scripts are actually executed.
This GPO policy can be configured under Domain Policy > User Configuration > Administrative Templates > System > Scripts.
Ensure that the computer waits for the network to be available at the computer startup and logon.
This GPO policy can be configured under Domain Policy > Computer Configuration > Administrative Templates > System > Logon.
These are general recommendations for the NAC setup if used along with GPO:
Allow the required traffic to flow across CAS in an unauthenticated role to allow the Windows domain logon and copy of logon scripts from the AD to the client machine over the network for execution.
Ports are TCP : 88,123,135,137,139,389,445,1025,1026,3268 Ports are UDP : 88,123,135,137,139,389,445,1025,1026,3268 Allow Fragmented packets and ICMP to all domain controllers.
Note: Windows uses the PING discovery process to find the nearest DC where there is more than one DC for a given domain. In case the ICMP is not allowed two DCs, the client can take longer to login since it picks up a random DC if the initial discovery fails.
Because this is a Windows AD environment, use ADSSO as the authentication method, if possible. This automates and speeds up the user logon process, as well as enhances the overall user experience.
Several scenarios and suggested NAC configurations follow.
The Windows logon scripts are executed from the AD controller and are run asynchronously.
Asynchronous script execution is the default behavior for Win2003 AD. When the Windows logon script is run asynchronously, it transfers control back to the Windows logon process after it invokes the script. It does not wait for the script to finish execution. This allows other start-up programs and the NAC agent to load normally.
If the logon scripts require network access, which are controlled by the NAC appliance and are accessible after successful user logon to NAC, the logon script can experience some delay. Check the logon script to learn the network availability before the actual logon script executes, for example:
:CHECK @echo off echo Please wait.... ping -n 1 -l 1 10.10.10.10 if errorlevel 1 goto CHECK @echo on # Now the actual Logon script: net use L: \\fileserver\share
Note: Modify the script in accordance with the network topology.
Because this workaround is simple, it works fine as long as the logon scripts are run asynchronously, and there is no IP address change involved as a result of Out Of Band NAC deployment or otherwise.
If the scripts are run synchronously, this workaround fails because the NAC agent does not load into memory before the logon script finishes execution, and the logon script never completes execution because it waits for network resource availability, which becomes available only after the NAC agent authenticates the client PC.
This screen shot shows that the client PC remains in this state of infinite loop because of the reason mentioned.
This scenario can also fail in a situation where the scripts are run asynchronously over a slow WAN link where the scripts themselves can take a while to download, and the NAC is deployed in OOB topology where IP refresh can be configured. An IP refresh in midst of script execution can potentially break the script execution. In such as scenario, Cisco strongly recommends that you run scripts synchronously so that the IP refresh process does not interfere with the script execution. This scenario depicts such a situation.
The Windows logon scripts run from the AD controller synchronously.
Synchronous scripts are recommended in NAC OOB deployment where IP refresh takes place.
The basic idea is to split the functionality of the original logon script into two scripts.
Script one, which is executed as a logon script, just copies the second script to the local machine for execution at a later time when the NAC agent has authenticated, and network access is granted.
The second script can be called by the Windows startup program automatically if you place the second script into the startup folder of the user, for example:
The logon script executed from the AD copied the actual script called “mount.bat” to the startup folder of the user for later execution.
echo Please wait.... sleep 20 copy \\220.127.116.11\SHARE\mount.bat "c:\Documents and Settings\All users\Start Menu\Programs\Startup\mount.bat"
Note: Modify the script to suit the network topology.
Note: Allow the required traffic to flow across CAS in an unauthenticated role to allow the Windows domain logon and copy of logon scripts from the AD to the client machine over the network for execution.
The secondary script, where the actual action occurs is executed locally from the system and deleted after execution for security reasons.
ipconfig :CHECK @echo off echo Please wait.... sleep 10 Ping -n 1 -l 1 10.10.10.10 if errorlevel 1 goto CHECK @echo on # Now the actual Logon script: net use L: \\fileserver\share del c:\Documents and Settings\All users\Start Menu\Programs\Startup\mount.bat"
This screen shot depicts that the second script that runs in the background is launched from the startup folder of the user, and the NAC agent does an IP refresh after it authenticates. The second script loops and waits for the agent to complete the authentication and IP refresh process before it completes and maps the drives.
Troubleshooting has to be done on case by case basis, however capturing packets off the switchport on which the client PC is connected is a great way to start. This will give you insight about the network events and activities.
|Updated: Feb 09, 2009||Document ID: 108539|