cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
60735
Views
77
Helpful
18
Comments
Vivek Santuka
Cisco Employee
Cisco Employee

Very often 802.1x deployments run into Windows 7 machines that will exhibit erratic authentication problems such as:

  • Not able to authenticate when coming back from sleep or hibernation
  • Using the wrong protocol on boot up
  • Not able to authenticate after a single authentication failure

Such problems often boil down to one or more of the following problems :

Problem SummaryKB
Win 7 connected behind IP Phones will not authenticate after waking up from sleep or hibernationKB 976373
Win 7 stops responding to 802.1x after first authentication failsKB 980295

Win 7 selects a protocol different from what the GPO states.

(GPO is configured for EAP-TLS but PEAP is used because local config had PEAP selected)

KB 2481614
Win 7 does not prompt for 802.1x credentials to some users on a shared PCKB 2491809
Win 7 does not prompt for 802.1x credentialsKB 2835595
Win 7 cannot authenticate if a valid and an invalid certificate is presentKB 2494172
Win 7 selects wrong certificate for a machine migrated across two forestsKB 2769121
Win 7 Authentication fails intermittentlyKB 2736878

 

So if you have a 802.1x implementation or are considering it in a Windows 7 environment, these hotfixes should be pushed out to the endpoints to avoid problems with authentication. Some of these are not part of a Service pack so, they need to be downloaded and pushed out specifically.

On a side note, some laptops manufactured in 2013/2014, especially from HP, require a device driver upgrade to authenticate correctly.

18 Comments
jvdbiest01
Level 1
Level 1

Hello,

Since sometime, we have windows 7 PC authenticating with dot1x that lose network connectivity after being in sleep mode (switchport authentication status: Unauthorized). The problem is caused by the combination of the activity of the network card when the PC is in sleep, and the authentication process.

When the PC is in sleepmode, the network card continue to have some activity, and reply to ARP request (from the switch). Our authentication server is configured to drop / blacklist devices after serval attempts of unsuccessful authentications (see “Anormalous Client” on ISE). For this reason, the PC cannot authenticate on the authentication server anymore and cannot have access to the network.

You see in the capture here under a MAB tentative each 15 minutes which match the 15 minutes “Request Rejection Interval” on which the switch tries to see if the device now respond or if it will stay an “anomalous client” for another 15 minutes.

I can get connectivity again when I disconnect the cable from the network card, restart the PC, clear authentication, reconnect the network cable; then the PC is back on the network until the next sleep. Another way is to set the PC in a MAB list, but this is not manageable for more of 3000 devices.


(remark: some confidential details of the picture has been removed)

Another way to avoid this issue, is to disabling the power management of the network card.

Pc go in sleep mode, wakes up, and has directly back access to the network.

The problem with this workaround, is that the Wake—on-Lan feature is also disabled. As our customer use this feature, this solution was not applicable.

Then I found a solution :-)

The new Intel drivers have more power management options, and it’s possible to disable the response to ARP request.

This configuration allow to keep the power management and the Wake-on-lan feature active, and the authentication succeed after a power sleep:

 

 

The drivers is the Intel® Network Adapter Driver for Windows 7 - Version: 22.0.1 (Latest) Date: 2/13/2017

The drivers can be found on the following link:

https://downloadcenter.intel.com/downloads/eula/18713/Intel-Network-Adapter-Driver-for-Windows-7-?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F18713%2Feng%2FPROWinx64.exe

A restart of the PC is required.

The PC does not answer ARP request anymore, and dot1x authentication succeed when the PC is waken up.

The one failed authentication before each success is just the MAB that happens before user has time to authenticate.

(remark: some confidential details of the picture has been removed)

 

I hope this solution can help some people. I’m seeing some posts on forums with this issue, but I’ve never found my solution.

Some KB were deployed on these W7 Pc’s as per the following post (this post) : https://supportforums.cisco.com/blog/12256681/getting-past-intermittentunexplained-8021x-problems-windows-7, but this did not solve the issue.

This tips concern PC with Intel NIC drivers, and i hope that others vendors have a similar options in the drivers.

Please, let me known if this solution resolve your issue. For me, all my sleeping PC can now get network connectivity and are successful authenticated after being waken up.

Best regards,

Joël Vanderbiest

aayala
Level 1
Level 1

Do you have a similar article for Windows 10? Thanks

ErnestoJuarez
Level 1
Level 1

From my perspective, I believe that KB976373 is a dirty solution due to the fact that the ignoring period in EAP identity packets of 20 minutes could be changed. This means that the client begins 802.1X authentication more often (depending upon the duration of timer).

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: