Roaming Profile may not work properly with 802.1x network

Applies to: Windows 7 EnterpriseWindows 7 ProfessionalWindows Server 2008 Enterprise


Consider the following scenario:

-You use a client computer to connect to a dynamic Virtual Local Area Network (VLAN) switch.
-The client computer connects to the dynamic VLAN switch by using IEEE 802.1X computer authentication and 802.1X user authentication.
-You use large roaming profiles on the client computer.
-Dynamic VLAN switching is performed according to 802.1X user authentication.

In this scenario, you experience problems when you try to obtain Group Policy objects (GPOs), roaming profiles, and logon scripts from the domain controller.

This main reason is the behavior of Dynamic VLAN Switching 802.1x authentication.

Why dynamic VLAN switching with 802.1X authentication is not supported in this scenrio?

The 802.1X authentication process and the Winlogon process are two distinct processes that are not interrelated. Both these processes occur regardless of the state of the other. In dynamic VLANs, the client computer is given a valid IP address when the computer starts. When the user logs on to the computer, the 802.1X authentication process and the Winlogon process occur at the same time. First, the network connection is reauthenticated by using the user credentials. If the authentication is successful, the dynamic VLAN switch or the access point moves the client computer to a new VLAN. However, exactly at the same time, the Winlogon process is validating a domain controller. Additionally, the Winlogon process tries to obtain GPOs, logon scripts, and roaming profiles from the domain controller. When VLANs are switched, the Winlogon process is interrupted, and the process does not restart.

Why we do not recommend that you use roaming profiles together with 802.1X authentication?

If you use a computer certificate or a user certificate that resides in the roaming profile, and if the roaming profile becomes too large, you may experience problems when you try to authenticate the user. You cannot authenticate the user because you do not have the certificate yet. You have to download the roaming profile to gain access to the certificate. If the roaming profile is small, you can download it quickly. However, if the roaming profile exceeds a size of 10 megabytes (MB), you experience problems.

More Information

Note We highly recommend that you do not use roaming profiles together with 802.1X authentication.