Windows native supplicant gets stuck after receiving EAP-Failure message

Hi all;

As far as I know, to make the switch send an “EAP-Success” message instead of an “EAP-Failure” message to the corresponding client when the 802.1X client user is assigned to the 802.1X critical VLAN (in response to a reachability outage of the ISE nodes), we must use the “dot1x critical eapol” command. This approach must be followed because some 802.1X clients, such as the Windows built-in supplicant, cannot respond to the EAP-Request/Identity packets from the NAD if they have received an EAP-Failure packet. As a result, reauthentication fails for these clients when an authentication server is reachable. This operation ensures that all supplicants can perform reauthentication.

[image: rezaalikhani_0-1727886114268.png]

Based on my testing, the above event also occurs when the NAD receives a RADIUS Access-Reject (due to configuring "Deny-Access" as the Authorization Policy result), but this time the "dot1x critical eapol" command on the NAD does not do anything (for 10 minutes) regarding this event, and so the endpoint does not answer reauthentication requests from the NAD (as illustrated in the above figure) in a timely fashion.

Any ideas?

Thanks


2 Replies

Arne Bier
VIP

10 minutes (600 seconds) seems to be the default hold-down timer in Microsoft Windows supplicants after an EAP Failure has been received. I call it the "sulking" wait time 🙂 The time value can be adjusted in the registry. You should see evidence of this in the Windows Event Viewer under

Applications and Services Logs > Microsoft > Windows > Wired-AutoConfig > Operational
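As an added illustration of the check described in the reply above (an example script written for this page, not part of the thread or of any Microsoft or Cisco documentation), the following PowerShell pulls recent entries from that same Wired-AutoConfig Operational channel and prints the gap in seconds between consecutive events, so a roughly 600-second pause after an EAP failure stands out. It assumes an elevated PowerShell session on the affected client and the standard channel name `Microsoft-Windows-Wired-AutoConfig/Operational`; the two-hour window and the 500-second threshold used to flag long gaps are arbitrary choices for the example.

```powershell
# Added example: inspect the wired 802.1X supplicant log for long pauses
# between events (the "sulking" hold-down after an EAP-Failure).
# Assumptions: elevated session; standard Wired-AutoConfig channel name.
$logName   = 'Microsoft-Windows-Wired-AutoConfig/Operational'
$since     = (Get-Date).AddHours(-2)   # inspection window (example value)
$flagAfter = 500                       # flag gaps at or above this many seconds

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } `
                       -ErrorAction SilentlyContinue |
          Sort-Object TimeCreated

if (-not $events) {
    Write-Warning "No events found in '$logName' since $since (is the channel enabled?)"
    return
}

$previous = $null
$rows = foreach ($e in $events) {
    # Seconds elapsed since the previous event in the channel
    $gap = if ($previous) { [int]($e.TimeCreated - $previous.TimeCreated).TotalSeconds } else { 0 }
    # First line of the message is usually enough to identify the step
    $summary = ($e.Message -split "`r?`n")[0]
    [pscustomobject]@{
        Time    = $e.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
        Id      = $e.Id
        GapSec  = $gap
        Flag    = if ($gap -ge $flagAfter) { 'LONG GAP' } else { '' }
        Summary = $summary
    }
    $previous = $e
}

$rows | Format-Table -AutoSize
```

A long gap that starts right after an entry mentioning an EAP failure or Access-Reject and ends with the next authentication attempt is the behaviour discussed in this thread; the same table also makes it easy to confirm that the hold-down shortened after the Group Policy or registry change was applied.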

Thanks @Arne Bier for your great reply (as usual);

After some searching and testing several options and scenarios, I found that the registry option to configure has a GUI equivalent which can be configured in Group Policy:

[image: rezaalikhani_0-1727945945097.png]

Thanks