Slow logon windows xp with 802.1x enable

Unanswered Question
Nov 25th, 2007

Hi all,

We deployed NAC solution (802.1x) with CS ACS 4.1 and Cisco Trust Agent 2.1 with bundled supplicant.

we got problem (slow respons) while try to login on windows xp (it takes around 4 minute). however the authentication has succesfull and we got the posture message from ACS.

Please help..

Attached log from CTA



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Richard Atkin Mon, 11/26/2007 - 09:31

Initial suggestion is to do a port-sniff and see what's causing the hold-up. Not particularly experienced with NAC, but certainly 802.1x on Windows can be a bit hit or miss, most of the time it's fine, but sometimes clients just wait an age before sending credentials off.

Sniff the port and see what's taking so long...



bongkiekong Tue, 11/27/2007 - 05:35

Hi Richard,

Thanks for your respons.

the slow logon issue has been solved with deployed customize CTA package with reduce retry authentication settings from 4 (default value) to smaller value.

I have new problem with validation to external posture server using LanDesk 8.7.

Followed all documentation from Cisco and Landesk did not solved this issue.

attached log from Radius Server.

please advice



Richard Atkin Tue, 11/27/2007 - 06:19

I'd have a stab and say your LandeskPVS Policy is what's causing RADIUS to say no, but it's down to you to take a look at the rule-set and see what's what.

Failing that, create some obscenely simple policies, and get them working first. Once something very simple works, start to build on it bit-by-bit, continuously testing & fixing as required.

Sorry I can't help more...


mugurelgherghe Tue, 11/27/2007 - 07:20


I solve this. You must create group on AD and add to this group both the user and machine.

It works for me. It should take less than 20 sec.


bongkiekong Tue, 11/27/2007 - 19:47

Hi Mugur,

We did not use AD as user authentication, but using Cisco ACS internal database. The users working environtment is workgroup.

any suggestion ?



bongkiekong Tue, 11/27/2007 - 19:54


All rules from internal policy (ACS internal posture) always worked for me, but if I pointing to the external posture server, Radius reject the request or failed in authentication. I'm still looking if my ACS or there is wrong configuration at my LanDesk Server. Btw thanks for the advice.




This Discussion