12-05-2008 01:35 PM - edited 03-06-2019 02:50 AM
Has anyone seen any problems with single sign on dot1x and XP after service pack 3?
Specifically, here at HPU we're seeing SP3 users can't log in immediately after they get to the "ctrl-alt-delete" screen, and after a computer goes to sleep it doesn't reauthenticate at all.
For the authentication server, we're using the IAS RADIUS server in 2008. We use our own Windows cert server, and below is our standard dot1x port config. Also, this is happening across all our switches, 3560 and 3550.
We're using PEAP + MSchap V2
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
dot1x guest-vlan supplicant
interface FastEthernet0/1
description UB912G_1
switchport access vlan 225
switchport mode access
switchport voice vlan 100
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
srr-queue bandwidth share 10 20 40 80
srr-queue bandwidth shape 0 0 0 0
auto qos voip cisco-phone
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x timeout reauth-period 300
storm-control broadcast level 50.00 25.00
storm-control multicast level 50.00 25.00
macro description cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
12-11-2008 02:27 PM
The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the port link state transitions from down to up. The switch then sends an EAP-request/identity frame to the client to request its identity (typically, the switch sends an initial identity/request frame followed by one or more requests for authentication information). When the client receives the frame, it responds with an EAP-response/identity frame.
For further information click this link.
12-15-2008 11:55 AM
Thanks, I'm not really sure if you're offering me a solution or just general guidelines but here's some additional information.
1) It only seems to happen on computers using Broadcom 57XX series cards. When it happens, if a computer waits for 20 minutes, it then starts to work. There's even a message in the XP event log saying the card is disabled for 1200 seconds. We've updated the card drivers to ones released in September 2008; while it seemed to help for a few days, the problems started cropping up again.
2) Thinking that the problem might be related to duplicate SIDs, we've recreated the SIDs on numerous machines to no avail.
3) We've also tried to reorder the startup order of services to make sure the dot3svc (dot1x) service starts up before netlogon.
11-10-2010 01:48 PM
I have spent countless hours on this. You should know that in XP SP3, Microsoft introduced a new feature to the wired supplicant (dot3svc) called Blocktime; as you already have seen, it's 20 minutes where no dot1x is initiated by MS... useless feature.
What I have found is that the reason this blocktime is started is that the dot1x supplicant attempts dot1x before the Windows subsystems are actually 100% ready, and so it fails on such a low level that the switch just sends a dot1x "fail" packet. What you should look into is the maximum failed attempts part of the wired dot1x GPO policy, or the XML file if you are doing it manually. I have set it to 10 attempts in the GPO, and it has solved all our problems with SP3.
You can use netsh to export, edit and import your settings if you aren't using a GPO.
netsh lan export profile folder=c:\
and then import again with :
netsh lan add profile filename="c:\yourprofile.xml"
http://napteam.members.winisp.net/LANProfile.xml
I can't find my files from that right now, but believe the option in the xml is something like
Jan
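As an added example (not code from the thread), this is the "edit" step of Jan's netsh export/edit/import procedure done programmatically: it raises the maximum failed attempts in an exported wired LAN profile so the supplicant is not blocked for 1200 seconds after one early failure. It assumes, from my recollection of the Windows OneX profile schema, that the setting is the `maxAuthFailures` element under `OneX` (range 1-100, placed before `supplicantMode`/`authMode`/`singleSignOn`/`EAPConfig`); the sample profile and its EAPConfig placeholder are constructed, so check both against your own export.

```python
# Added example, not from the thread: set maxAuthFailures in a wired 802.1X
# profile exported by "netsh lan export profile". Assumed from the OneX schema
# (verify against your export): element sits under <OneX>, range 1-100, and
# precedes supplicantMode/authMode/singleSignOn/EAPConfig.
import xml.etree.ElementTree as ET

LAN_NS = "http://www.microsoft.com/networking/LAN/profile/v1"
ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"
AFTER_MAXAUTH = ("supplicantMode", "authMode", "singleSignOn", "EAPConfig")
ET.register_namespace("", LAN_NS)       # keep the export's default namespace
ET.register_namespace("onex", ONEX_NS)  # prefix is cosmetic, the URI is what counts

# Constructed sample with the shape of a PEAP wired profile; EAP blob replaced.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM><security>
    <OneXEnforced>false</OneXEnforced><OneXEnabled>true</OneXEnabled>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <cacheUserData>true</cacheUserData>
      <authMode>machineOrUser</authMode>
      <EAPConfig>EAPHOSTCONFIG-PLACEHOLDER</EAPConfig>
    </OneX>
  </security></MSM>
</LANProfile>"""

def _onex(xml_data):
    root = ET.fromstring(xml_data)
    onex = root.find(f".//{{{ONEX_NS}}}OneX")
    if onex is None:
        raise ValueError("no <OneX> section: 802.1X is not enabled in this profile")
    return root, onex

def get_max_auth_failures(xml_data):
    """Configured maxAuthFailures, or None when omitted (supplicant default is 1)."""
    node = _onex(xml_data)[1].find(f"{{{ONEX_NS}}}maxAuthFailures")
    return None if node is None else int(node.text)

def set_max_auth_failures(xml_data, attempts=10):
    """Return the profile as UTF-8 bytes with <maxAuthFailures> = attempts,
    inserting the element at its schema position when the export lacks it."""
    if not 1 <= attempts <= 100:
        raise ValueError("maxAuthFailures must be between 1 and 100")
    root, onex = _onex(xml_data)
    tag = f"{{{ONEX_NS}}}maxAuthFailures"
    node = onex.find(tag)
    if node is None:
        later = {f"{{{ONEX_NS}}}{n}" for n in AFTER_MAXAUTH}
        idx = next((i for i, c in enumerate(onex) if c.tag in later), len(onex))
        onex.insert(idx, node := ET.Element(tag))
    node.text = str(attempts)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)
```

Write the returned bytes to the exported file and re-import it with `netsh lan add profile`; if Windows rejects the profile, the element name or position in your schema version differs from the assumption above.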