CLEANACCESS Archives

April 2009

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Osborne, Bruce W. (NS)" <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Fri, 10 Apr 2009 04:44:04 -0400

For Problem 2, another option would be to use a SPAN port on the network switch to mirror traffic to the Wireshark box.

Bruce Osborne
Liberty University

-----Original Message-----
From: Herron, Chris [mailto:[log in to unmask]] 
Sent: Thursday, April 09, 2009 9:53 AM
Subject: Re: Desperate for help with Clean Access and Active Directory

Hey Daniel,

Problem 1
Roaming profiles: To my knowledge there is no workaround for this yet other
than to open a wide security hole into the server hosting the profiles. Not
really an option.

Problem 2
GPO: There is an option in the CAM to force GPO synchronization after
authentication. You'll want to have that turned on. Next you'll need to
figure out what ports you need to have open to the DC in the Unauthenticated
and Temporary roles. The best way I found to do this was using a network
hub... Yes, that's right, a hub. Get Wireshark installed on a laptop, plug it
and the machine to be tested into the hub, and connect the uplink port to
your network connection/switch. Fire up Wireshark and immediately log in to
the target machine. Create a filter that only shows traffic to and from the
IP address of the target machine. It's pretty easy to see the requests that
are timing out. Take note of the ports and open them up one by one. In
reality I stumbled through doing this for the first time in about 3 hours.

Hope this helps some,
Chris
[log in to unmask]
Cogentrix Energy, LLC.
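
The "requests that are timing out" step in the procedure above can be automated; the following is an added example, not part of the original thread. It assumes the capture has been exported as tab-separated rows of the Wireshark fields ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.flags.syn and tcp.flags.ack (flags as 0/1), and it covers TCP only; the function name, addresses and sample rows are constructed for illustration.

```python
from collections import Counter

# Constructed sample capture (documentation addresses):
# client 192.0.2.50, domain controller 192.0.2.10, unrelated host 192.0.2.20.
SAMPLE = """\
192.0.2.50\t192.0.2.10\t49152\t88\t1\t0
192.0.2.10\t192.0.2.50\t88\t49152\t1\t1
192.0.2.50\t192.0.2.10\t49153\t445\t1\t0
192.0.2.50\t192.0.2.10\t49153\t445\t1\t0
192.0.2.50\t192.0.2.10\t49153\t445\t1\t0
192.0.2.50\t192.0.2.10\t49154\t389\t1\t0
192.0.2.50\t192.0.2.10\t49154\t389\t1\t0
192.0.2.50\t192.0.2.20\t49155\t80\t1\t0
"""

def blocked_tcp_ports(capture, client, dc):
    """Return {dc_port: unanswered SYN count} for client -> dc connections."""
    syns = Counter()   # (client_port, dc_port) -> SYNs sent, retransmits included
    answered = set()   # (client_port, dc_port) pairs the DC replied to
    for line in capture.splitlines():
        if not line.strip():
            continue
        src, dst, sport, dport, syn, ack = line.split("\t")
        sport, dport = int(sport), int(dport)
        if src == client and dst == dc and syn == "1" and ack == "0":
            syns[(sport, dport)] += 1
        elif src == dc and dst == client:
            # Any reply (SYN-ACK or RST) means the packet reached the DC,
            # so the role's traffic policy is not what dropped it.
            answered.add((dport, sport))
    blocked = Counter()
    for (sport, dport), count in syns.items():
        if (sport, dport) not in answered:
            blocked[dport] += count
    return dict(sorted(blocked.items()))

if __name__ == "__main__":
    result = blocked_tcp_ports(SAMPLE, "192.0.2.50", "192.0.2.10")
    for port, count in result.items():
        print(f"tcp/{port}: {count} unanswered SYN(s) to the DC")
```

Only connections to the DC address are reported, so each resulting rule in the Unauthenticated and Temporary roles can be scoped to that one destination and port.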
