
Release Notes for Win 2K/XP AEGIS Client

April 2005

Version 2.2.7 replaces version 2.2.3.

Problems fixed and Changes between 2.2.7 and 2.2.3

  • Novell Login Username entry
    When using the Novell Single-sign-on feature, making a mistake in initially entering your user name would correctly result in a failure to authenticate. A retry with the corrected user name would lead to proper authentication of the connection. A condition in which a subsequent failure of the Novell or Windows logins would still occur has been corrected. (Ref #3238,3239)
  • Novell Login with "Workstation only"
    When using the Novell Single-sign-on feature and the Novell "Workstation only" checkbox option, network authentication will now take place but without any Novell login. In the previous version, no network authentication was initiated.

    For example, this allows for support of both a "work" logon profile which would be used for Novell network connectivity in the work location and a "home" logon profile which, when used in conjunction with checking the "Workstation only" checkbox, would be used for local network connectivity in the home location. Note: the "home" logon profile would be free to use any of the client credential types for providing the credentials (the "work" profile is restricted to "use logon credentials"). (Ref #3289)
  • Novell Compatibility
    When used in a Novell Network environment, to ensure interoperability the following Novell server version is required:

    Novell Server Version 6.0 SP5 or greater.
  • Suspend/Resume
    Recovering from a system suspend/resume operation has been fixed for specific environments which had previously exhibited a failure to properly resume operation.
  • Nortel Client for the VPN Concentrator
    The AEGIS client no longer binds to the Nortel client for the VPN concentrator. The result is that one no longer needs to cancel out of an extraneous authentication popup message. (Ref #3289)
  • Login Delay due to multiple authenticating interfaces
    In configurations utilizing multiple authenticating interfaces there was previously no way to exit an authentication (via logon profile) process without termination of the logon attempt. In the earlier implementation, selection of the "cancel" button on the progress dialog would cancel the logon attempt, even if one of the interfaces had succeeded at authentication. The user was therefore forced to wait 2 minutes for a timeout to occur in the event one of the networks was unreachable. This has been corrected so that selection of "cancel" will allow the logon to continue over any interface which has had successful authentication. (Ref #3436)
  • Login Delay due to link down on wired interfaces
    In the previous implementation, when a user attempted authentication (via logon profile) over a wired interface in the link-down state (e.g., physically disconnected), the client would wait 2 minutes for a timeout to occur before allowing a logon attempt to continue. Link state is now properly detected and allows authentication to continue without any unnecessary delay. (Ref #2421)
  • Fast User Switching
    Problems with manually reactivating the Windows Fast User Switching feature after uninstalling the client have been repaired. The mode has also been changed to be automatically enabled. (Ref #2813,2840)
  • Log Level
    The log level configured in the System Setting dialog correctly displays the current value when the dialog is opened. (Ref #2809)
  • GUI
    In non-English Windows environments, the truncated view of the Client Identity tab in the Authentication Profiles dialog has been corrected. (Ref #3232)

User Interface Observations with Workarounds

  • Certificate selection cancellation
    When re-configuring an authentication profile that uses one of the mutual authentication EAP methods and using the "select certificate" screen from the client identity tab, if you click on "cancel" to halt the client certificate selection without selecting one, then when you attempt to exit the authentication screen with "ok", you will receive an error message informing you that "A certificate representing the client is required". Even though the original certificate is still indicated in the "issued to" field, the process believes you intended to enter another certificate. (Ref #1470)

    Workaround:
    Simply go back to the "select certificate" screen and make a positive selection (to the original one), and press "OK" to continue normally.
  • Machine Certificates
    The client cannot use Microsoft domain certificates to authenticate the machine to the network at boot time unless a fully qualified domain name is used in the form of "hosts/machine_name". (Ref #1923)

    Workaround:
    Place the fully qualified domain name in the "User name" field for the TLS authentication profile used for the boot authentication.
  • Uninstall and desktop profiles
    When attempting to uninstall the client when using only boot or logon authentication profiles, you get the message "The following applications must be closed before continuing the installation". (Ref #2049)

    Workaround:
    In order for the uninstall to work you need to first create a dummy desktop profile in order to enable exiting the application, reboot the system, exit the client and then run the uninstaller.
  • Importing Certificate Authority certificate
    It was reported that when importing a pfx package containing the certificate authority used to create the client, server certificates, and the client certificate, the operating system puts the certificate authority certificate in the current user store. The certificate authority certificate is not available from the user's "Trusted Root" pull-down list. (Ref #1843)

    Workaround:
    If "Any Trusted Root" is selected, and the rest of the dialog is filled out correctly, the certificate authority certificate is used properly and authentication will work normally.
  • Authentication Profile Name length
    The length of the name of an authentication profile as listed in the Profile Information tab of the Network Profile screen is truncated to 15 characters. However in the Authentication Profile screen itself the corresponding name is listed with at least 30 characters as visible. (Ref #2361)

    Workaround:
    When naming an authentication profile, limit the uniqueness of the name to the first 15 characters and the overall length to 30 characters.

General Usage Observations with Workarounds

  • Group Policy
    When using boot authentication, the computer Group Policy is not always updated during startup. (Ref #1382)

    Workaround:
    One workaround is to rely on the background refresh process to eventually update the computer. By default this time is approximately 90 minutes. A second workaround is to rely on manual refreshing by using one of the following command-line utilities. On 2K, the command is secedit /refreshpolicy machine_policy /enforce. On XP, the command is gpupdate /target:Computer /force.
  • Boot authentication and licensing
    If using boot authentication with a trial license, activation of a valid license after the end of the trial period via the client is not possible since the client's ability to accept input is not active under this circumstance. (Ref #1434)

    Workaround:
    The client must be un-installed and then re-installed and configured for desktop authentication so that the licensing processing can be accomplished.
  • Windows suspend mode
    In some machine configurations, it has been observed that the client will hang after recovering from a Windows suspend mode. (Ref #1453)

    Workaround:
    If operation of the restart command on the client does not produce a re-authentication, the client must be terminated (exit command) and re-started, at which point it will re-authenticate successfully.

Limitations

  • Multiple adapters
    Support for machines equipped with multiple adapters is limited. Attempting to associate each adapter with a different access point or to associate them with the same access point but with different authentication profiles is not supported. (Ref #1371)
  • Atheros mini pci card
    The driver for this card is known to associate to the AP with the strongest signal, regardless of client configuration. (Ref #1436)
  • Delayed logon
    When the 802.1X authentication process starts at logon, the client displays a progress dialog with status messages and a cancel button. The client will delay the Windows logon process until ANY of the following happens:
    1. the authentication is successful and the adapter has a valid IP address, or
    2. the authentication failed, or
    3. the user presses the cancel button, or
    4. an internal timer, set to 2 min, expires.
    Once any of the above events happens, the client allows the Windows logon process to continue and the user is logged on. The client at this point (assuming no desktop authentication is required) continues to run in the background and IP connectivity
    - is available (case 1),
    - may or may not be available (case 2, 3, or 4), depending on what the client did meanwhile in the background.
    An example scenario of case 4 (delayed logon) is:
    Wireless authentication with more than one network profile in the “configured network list”, where the higher-priority profile uses logon authentication but is presently not applicable (out of range). When starting the PC and desiring to connect to the lower-priority, in-range network in the list, the client will encounter the above delay while first attempting to connect (at logon) to the higher-priority network before moving on to the next (and currently applicable) network. (Ref #2426)
  • Licensing the client
    With an IE browser that only supports 56-bit encryption, the AEGIS Client fails to license. The request sent by the browser is sent with 56-bit encryption but the response from the Licensing Server is sent with 128-bit encryption. IE does not know how to decrypt this message and passes wrong information to the AEGIS Client. The message that the Client gives is "Unable to get product list from licensing server". (Ref #3280)

Tested Wireless Network Adapter Cards

| Mfg | Model | Driver Ver | WPA Support |
|---|---|---|---|
| Atheros | mini pci | 2.4.2.14 | Yes |
| Belkin | f5d7010 | v2.4.4 | Yes |
| Buffalo | broadcom chipset | 3.60.1 | Yes |
| Cisco | 350 | v1.4 | Yes |
| Cisco | AIR CB21AG-A-K9 | v1.2 | Yes |
| Compaq | WL110 PC Card | 7.64.42.338 | Yes |
| D-Link | AirPlus XtremeG DWL-G650 | 2.36 | Yes |
| D-Link | AirPro DWL-AB520 Multimode Wireless PCI | v. 2.4.1.32 | Yes |
| HP | WLAN 200 | 7.82.19.554 | Yes |
| HP | WLAN 500 | 2.4.1.30 | Yes |
| Intel | Pro5000 | v1.0.1.33 | No |
| Intel | 2100b mini-pci | v1.6.0.46 | Yes |
| Linksys | WPC54G | v6.0.0.18 | Yes |
| Lucent | ORiNOCO Silver Classic | v.7.43.0.9 | No |
| Lucent | ORiNOCO Gold Classic | v7.64.1.316 | No |
| Microsoft | Wireless Notebook Adapter MN-520 | v1.0 | Yes |
| Netgear | WG511T 108Mbps wireless cardbus Card | v3.6 | Yes |
| Netgear | WG511 Wireless PC card | v.2.7 | Yes |
| Proxim | ORiNOCO Silver abg | 3.0.1.6 | Yes |
| Proxim | ORiNOCO Gold abg | 3.0.1.6 | Yes |
| Sony | Vaio | v2.4.2 | Yes |
| Symbol | Spectrum 24 LA-4100 | 3.9.68.175 | Yes |
| Syntax | WLAN miniUSB Adapter | v. 2.0.9.0 | No |
| Zyxel | ZyAIR B-120 IEEE 802.11b PCMCIA Adapter (5.0v) | 1.65.603.2003 | No |

Tested Wired Network Adapter Cards

| Mfg | Model | Driver Ver |
|---|---|---|
| Broadcom | 440x | v3.63.0.0 |
| Dlink | | v1/3/2002 |
| Intel | Pro 100 | v7.1.8.0 |
| Realtek | 8139 | v7/6/2004 |

Tested Smart Card Readers

Mfg Model
Schlumberger
E-Token
