XP SP3 and wired dot1x

ricky-li · ‎12-05-2008

Has anyone seen any problems with single sign on dot1x and XP after service pack 3?

Specifically, here at HPU we're seeing SP3 users can't login immediately after they get to the "ctrl-alt-delete" screen and after a computer goes to sleep it doesn't reauthenticate at all.

For the authentication server, we're using the IAS radius server in 2008. Our own windows cert server and below, is our standard dot1x port config. Also this is happening across all our switches 3560 and 3550.

We're using PEAP + MSchap V2

aaa authentication dot1x default group radius

aaa authorization network default group radius

dot1x system-auth-control

dot1x guest-vlan supplicant

interface FastEthernet0/1

description UB912G_1

switchport access vlan 225

switchport mode access

switchport voice vlan 100

switchport port-security aging time 2

switchport port-security violation restrict

switchport port-security aging type inactivity

srr-queue bandwidth share 10 20 40 80

srr-queue bandwidth shape 0 0 0 0

auto qos voip cisco-phone

dot1x pae authenticator

dot1x port-control auto

dot1x violation-mode protect

dot1x timeout reauth-period 300

storm-control broadcast level 50.00 25.00

storm-control multicast level 50.00 25.00

macro description cisco-phone

spanning-tree portfast

spanning-tree bpduguard enable

drolemc · ‎12-11-2008

The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the port link state transitions from down to up. The switch then sends an EAP-request/identity frame to the client to request its identity (typically, the switch sends an initial identity/request frame followed by one or more requests for authentication information). When the client receives the frame, it responds with an EAP-response/identity frame.

For further information click this link.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html

ricky-li · ‎12-15-2008

Thanks, I'm not really sure if you're offering me a solution or just general guidelines but here's some additional information.

1) it only seems to happens on computers using Broadcom 57XX series cards. When it happens if a computer waits for 20 minutes, it then starts to work. There's even a message in the XP event log saying the card is disabled for 1200 seconds. We've updated the card drivers to ones released in September 2008, while it seemed to help for a few days it the problems started cropping up again.

2) Thinking that the problem might be related to duplicate SIDs we've recreate the SIDs on numerous machines to no avail.

3) We've also tried to reorder the startup order of services to make sure the dot3svc (dot1x) service starts up before netlogon.

jan.nielsen · ‎11-10-2010

I have spent countless hours on this, you should know that in XP SP3, microsoft introduced a new feature to the wired supplicant (dot3svc) called Blocktime, as you already have seen, it's 20 minutes where no dot1x is initiated by MS....useless feature.

What i have found is that the reason this blocktime is started is due to the dot1x supplikant attempts dot1x before the windows subsystems are actually 100% ready, and so it fails on such a low level, that the switch just sends a dot1x "fail" packet. What you should look into is the maximum failed attempts part of the wired dot1x GPO policy or xml file if you are doing it manually. I have set it for 10 attempts in the GPO, and it has solved all our problems with SP3.

You can use netsh to export, edit and import your settings, if you arent using a GPO.

netsh lan export profile folder=c:\

and then import again with :

netsh lan add profile FILENAME = "c:\yourprofile.xmlhttp://napteam.members.winisp.net/LANProfile.xml"

I can't find my files from that right now, but believe the option in the xml is something like 10, but you should be able to find those options at MS.

Jan