
Author Topic: [802.1x] random problems  (Read 3034 times)


Offline Alessan

  • Rookie
  • Posts: 13
[802.1x] random problems
« on: May 02, 2016, 01:31:43 PM »

  Recently we have had to roll back 802.1x security. Everything seemed to work, but after two weeks one or two random computers are unable to authenticate each day.
  Syslog shows:
EAP Bad pkt id: 3, last request id: 5
  The request doesn't reach the NPS server (network policies with VLAN assignment).
  Event Viewer shows:
failure by a problem with account...

  Disabling and re-enabling the port makes the computer authenticate successfully (unplugging and plugging the cable works too).

  OS clients: Windows 7 with computer-only authentication, PEAP.
  Server: W2008 R2 with NPS role (with VLAN assignment)
  Switch: ERS5510 FW:  SW:v6.3.6.017

  Same problem with FW:  SW:v6.3.5.025

  I found this link: https://supportforums.cisco.com/blog/12256681/getting-past-intermittentunexplained-8021x-problems-windows-7

  Do we really need to apply some of these patches, or should it work with the current Windows Update patches?
  Any advice?

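The syslog line quoted above is the authenticator complaining that the EAP Response it received carries Identifier 3 while its outstanding Request used Identifier 5. The following is an added example, not code from the post, the ERS switch or Microsoft: a minimal model of that authenticator-side check, following RFC 3748 (an EAP Response is only valid for the Request whose Identifier it echoes). The EAPOL/EAP frames, the identifiers and the host name `host/PC01` are constructed here; how the ERS firmware actually reaches that state is not known from the thread.

```python
"""EAP Identifier bookkeeping on the authenticator (switch) side.

Added example, not from the forum post. Models why a switch logs
"EAP Bad pkt id: 3, last request id: 5": the authenticator accepts an
EAP Response only if its Identifier matches the last Request it sent
(RFC 3748 section 4.1). All frames below are constructed sample data.
"""
import struct

EAPOL_VERSION = 2
EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1


def build_eapol_eap(code, identifier, eap_type, data=b""):
    """Build an EAPOL frame body (802.1X header) carrying one EAP packet."""
    eap_len = 5 + len(data)                       # code, id, length(2), type
    eap = struct.pack("!BBHB", code, identifier, eap_len, eap_type) + data
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def parse_eapol_eap(frame):
    """Return (code, identifier, eap_type, data) from an EAPOL-EAP frame."""
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("not an EAP-Packet EAPOL frame")
    body = frame[4:4 + body_len]
    code, identifier, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len != len(body) or eap_len < 5:
        raise ValueError("bad EAP length")
    return code, identifier, body[4], body[5:eap_len]


class Authenticator:
    """Per-port state: the Identifier of the Request still awaiting a reply."""

    def __init__(self):
        self.last_request_id = None
        self.log = []

    def send_request(self, identifier, eap_type, data=b""):
        self.last_request_id = identifier
        return build_eapol_eap(EAP_CODE_REQUEST, identifier, eap_type, data)

    def receive(self, frame):
        """Return True if the Response is accepted, False (and log) otherwise."""
        code, identifier, eap_type, _data = parse_eapol_eap(frame)
        if code != EAP_CODE_RESPONSE:
            self.log.append("EAP unexpected code %d" % code)
            return False
        if identifier != self.last_request_id:
            # This is the condition behind the syslog line in the post.
            self.log.append("EAP Bad pkt id: %s, last request id: %s"
                            % (identifier, self.last_request_id))
            return False
        self.log.append("EAP Response id %d accepted, type %d" % (identifier, eap_type))
        return True


def stale_response_scenario():
    """Supplicant answers an old Request (id 3) after the authenticator has
    already issued later Requests (ids 4 and 5, e.g. after timeouts); then
    a fresh Response for id 5 is accepted. Mirrors the quoted syslog line."""
    auth = Authenticator()
    auth.send_request(3, EAP_TYPE_IDENTITY)
    auth.send_request(4, EAP_TYPE_IDENTITY)
    auth.send_request(5, EAP_TYPE_IDENTITY)
    stale = build_eapol_eap(EAP_CODE_RESPONSE, 3, EAP_TYPE_IDENTITY, b"host/PC01")
    accepted_stale = auth.receive(stale)
    fresh = build_eapol_eap(EAP_CODE_RESPONSE, 5, EAP_TYPE_IDENTITY, b"host/PC01")
    accepted_fresh = auth.receive(fresh)
    return accepted_stale, accepted_fresh, auth.log


if __name__ == "__main__":
    for line in stale_response_scenario()[2]:
        print(line)
```

The practical point for troubleshooting: a mismatch like this is the authenticator rejecting a late or replayed Response, so the conversation never produces a RADIUS Access-Request, which is consistent with nothing reaching NPS. A capture on the client port (EAPOL is EtherType 0x888E) shows which side is behind: the supplicant answering an old Identifier, or the switch issuing new Requests faster than the client replies.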

Offline Michael McNamara

  • Administrator
  • Hero Member
  • Posts: 3843
Re: [802.1x] random problems
« Reply #1 on: May 26, 2016, 09:26:26 AM »
You'll find that a lot of the manufacturers are struggling with issues in their 802.1X feature set because customers are actually starting to use those features and running into issues: Avaya, Cisco and yes, Microsoft.

Offline Jeroen

  • Full Member
  • Posts: 56
Re: [802.1x] random problems
« Reply #2 on: August 18, 2016, 03:35:17 PM »
Hi Alessan, not sure if you still run into this issue.
I have been using 802.1x for over 10 years now on several switches, clients and authentication methods (these include ERS8300, ERS4850, Win Vista, W7, W8, W8.1 and currently W10, PEAP-MSCHAPv2, PEAP with certificate, EAP-TLS, both computer and user authentication).
I've seen a lot of issues with 802.1x but never the one that you described. My experience is that issues are mostly client related. It might be due to a timing issue between supplicant and authenticator, or some bug. I have seen Microsoft security updates both break and solve 802.1x functionality.

As you mentioned the request never hits the NPS, I assume the error event you noticed was in the event viewer of the client, correct?
I would start by applying the patches to a client that is facing the issue. In the meantime you can set up a packet capture to see what happens on the network, or on the client itself (netmon).

Although my guess would be an issue on the client, you can try the following tests if possible:

- use a wireless connection to see if the issue is also present there.
- if it did work in the past, find what was changed and try to do a roll-back.
- besides updating W7 patches, try W8/8.1/10 to see if the issue is present.
- use EAP-TLS (certificate) if you can, to see if the issue is also present with this authentication method.
- set up a second NPS server to see if the issue persists (if you already have 2 or more, try disabling one to rule out an issue with one NPS).
- have a case opened with the vendor.

Offline Alessan

  • Rookie
  • Posts: 13
Re: [802.1x] random problems
« Reply #3 on: September 18, 2016, 06:35:07 AM »

Thanks Jeroen, the problem seems to be solved by installing KB2736878 https://support.microsoft.com/en-us/kb/2736878

I have another issue,

  Computers are dynamically assigned to their VLAN based on Active Directory group, but with Wireshark I can see they are receiving broadcast messages from the interface's default VLAN.

For example, if a port is configured on VLAN 1 and the computer is assigned to VLAN 2 by EAPOL, this computer receives NetBIOS, ARP and other broadcast packets from VLAN 1.

Configuring the ports with no VLAN solves it, but then I can't wake up (WoL) computers remotely.

Any suggestion at this point? Configure a dummy/empty VLAN on the ports?

Thanks again,
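The dynamic VLAN assignment discussed in this thread (NPS placing the port in a VLAN chosen by AD group) is carried in the RADIUS Access-Accept as the three attributes defined in RFC 3580 section 3.31: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-ID = the VLAN number, all sharing one RFC 2868 tag. The block below is an added example, not from the post, NPS or the ERS switch: it encodes that triple, parses an attribute list back, and applies the consistency checks a switch needs before it moves a port (same tag on all three, right type and medium, VLAN id in range). The attribute bytes are constructed here; the post itself says nothing about how the broadcast leakage from VLAN 1 arises, and this does not model that.

```python
"""RADIUS dynamic VLAN assignment attributes (RFC 3580 section 3.31).

Added example, not from the forum thread. Builds and validates the three
attributes an Access-Accept must carry for a switch to assign a VLAN:
Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6) and
Tunnel-Private-Group-ID=<vlan>. All byte strings are constructed here.
"""
import struct

ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _attr(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value, Length covers all three."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vlan_assignment(vlan_id, tag=0):
    """Encode the RFC 3580 VLAN triple for one tag. Tagged integers are a
    tag octet followed by a 3-octet big-endian value (RFC 2868 section 3)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")

    def tagged_int(v):
        return bytes([tag]) + v.to_bytes(3, "big")

    return (_attr(ATTR_TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + _attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
            + _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def parse_attributes(blob):
    """Yield (type, value) pairs from a RADIUS attribute list, length-checked."""
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % off)
        attr_type, length = blob[off], blob[off + 1]
        if length < 2 or off + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % off)
        yield attr_type, blob[off + 2:off + length]
        off += length


def assigned_vlan(blob):
    """Return the VLAN id a switch should apply, or None when the triple is
    incomplete or inconsistent (tags differ, wrong type/medium, bad id)."""
    by_tag = {}
    for attr_type, value in parse_attributes(blob):
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                return None
            by_tag.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading octet above 0x1F is part of the string, not a tag.
            if value and value[0] <= 0x1F:
                tag, group = value[0], value[1:]
            else:
                tag, group = 0, value
            by_tag.setdefault(tag, {})[attr_type] = group
    for attrs in by_tag.values():
        if (attrs.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and ATTR_TUNNEL_PRIVATE_GROUP_ID in attrs):
            group = attrs[ATTR_TUNNEL_PRIVATE_GROUP_ID]
            if group.isdigit() and 1 <= int(group) <= 4094:
                return int(group)
    return None


if __name__ == "__main__":
    print(encode_vlan_assignment(2).hex())
    print(assigned_vlan(encode_vlan_assignment(2)))
```

Usage: `assigned_vlan(encode_vlan_assignment(2))` returns 2, while a list in which Tunnel-Type carries a different tag from the other two, or where Tunnel-Type is not 13, returns None. When a port lands in the wrong VLAN, decoding the Access-Accept from a capture with a check like this separates "NPS sent the wrong attributes" from "the switch ignored correct ones".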