Yet another PEAP+WinXP SP2 Reauthentication Issue

Unanswered Question
Aug 18th, 2008

Hi All,

Currently we run this environment:

1xCisco Wireless LAN Controller V4.2.61.0

1xCisco ACS V3.2.3.11

2xAIR-AP1231G-A-K9 (used for testing; I'm waiting to move to 5xCisco APs when I sort this issue out)

Windows 2003 R2 Domain - the DC has the Cisco ACS client installed

Client machines are Windows XP SP2 on Intel ProWireless NICs (Including Patches: WindowsXP-KB917021-v3-x86-ENU.exe; WindowsXP-KB893357-v2-x86-ENU.exe; WindowsXP-KB885453-x86-enu.exe)


We're securing the WiFi using: MAC Filtering[WPA][Auth(802.1X + CCKM)] - so PEAP on the WinXP clients w/MSCHAPv2 where ACS which does the Radius authentication for us.

Our current Wireless network uses autonomous APs, so I'm moving to LWAPP APs to improve roaming etc etc. We experience the same problems on the autonomous APs as well.

All clients authenticate the first time perfectly, no problems with that and obvisouly I can see the authentication take place on ACS and WLC. However, after a certain amount of time the clients will remain connected to the network but will sit “Attempting to Authenticate” and this never clears until I disable/enable the NIC - note the clients stay connected even though they site Attempting to Authenticate.

I understand this is a problem with WindowsXP SP2 and using a non-Microsoft Radius - but I've applied all the KBs mentioned on various forums and I still get the same problem. Am I doomed to have these issues unresolved?


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
micahcox Mon, 08/18/2008 - 23:54

See if your ACS is configured to only accept 1 logon per user (or group) and try raising that number. Check the ACS logs to see whether it shows a reason why (or if it shows a rejection at all).

peter_farmer Tue, 08/19/2008 - 14:55

Thanks micahcox,

Funnily enough when the clients are at the “Attempting to Authenticate” stage - ACS reports (numerous times) a successful logon for that user.

I added the MAX SESSIONS options under Interface Configuration->Advanced Options->Max Sessions and made sure it was set to UNLIMITED for the access group.

I think this is what you are referring to?

I've set that so now I play the waiting game ….


peter_farmer Sun, 08/24/2008 - 16:03

Update: I tried a Vista SP1 machine - rock solid - no reauthentication issues at all. So I'm stuck ...

peter_farmer Tue, 09/02/2008 - 17:13

I haven't been able to get around the reauthentication issues - but when I installed the Intel Pro Wireless client V12.04 my reauthentication problems went away on the WindowsXP SP2 machine and I've had laptops running for days without issues.

So, I'll try to do a fresh install of Windows XP + SP3 then try without the Intel client.

peter_farmer Tue, 09/30/2008 - 19:56

Thanks Craig,

Yup, I originally found the KB885453 hotfix - it made little difference except it keeps the client connected while it tries to reauthenticate (but never does until the REPAIR command is completed on the NIC.)

I had a look at CSCef50870 and found a couple of references but I already found that its a known MS issue.

I have since raised a case with Microsoft and they're looking at some logs so I'm hoping they can solve it.

I appreciate the comments though.


This Discussion