Hello, I'm not a Novell person but I have a customer that I'm working with
who is a Novell shop, and I have three questions regarding the
flexibility of the Novell Client on Windows XP.

I've got a small wireless pilot going in and we are using EAP-TLS for the
authentication mechanism. I am currently using machine certificates to
authenticate the machines transparently, however, one of the XP limitations
is if a machine is forced to use machine certificate authentication and
then while the user is logged in, they roam to a different AP or lose
connection, XP tries to then use a user certificate to re-authenticate the
connection. As mentioned earlier, I am only using machine certificates as
issuing user certificates is not really an option given the number of
different users that log into a specific machine.

So my first question, is there a flexible way to control what local Windows
user account the Novell client uses when logging into the workstation? I.e.,
could I maintain the functionality of users using their own individual
NetWare/eDir accounts for the Novell login portion, and be forced to use a
specific Windows account for the local machine authentication? With this
solution I could issue a user certificate for only that local user account
and we would be in good shape.

Now a second question I would have in regards to this would be if we are
forcing a specific user account, will the user still have to enter the
password of the local account or can this be pre-configured so they only
have to enter their Novell credentials?

Last, my third question would be in regards to profiles. I believe the
customer was using the Workstation Manager application to dynamically create
user accounts on the fly in Windows. With the above questions and the
desired solution, is there a way to push a profile to the local machine
based on the Novell user account even though we would be using a single
Windows account?

Any help would be GREATLY appreciated, and if there are some Novell support
links out there that will help me with my configurations, that would be great.

If this solution is not possible, are there any other methods that could be
used in this situation (login scripts, profiles, etc.) to get a
certificate installed for the local user so that in the event of wireless
roaming, Windows does have a user certificate available, albeit most
likely the same certificate as the machine cert?