802.1x, XP Sp3 and Broadcom = windows logon delay

    Question

  • I know there are several posts regarding a 1200 second delay but as far as I can tell there's no real workaround. However, I want to share our current setup to see if anyone has something similar, and/or to see if anyone has found a registry key or other switch option to work around this problem.

    Our current problem seems to revolve around the Broadcom 57XX drivers not sending credentials when the machine first boots up, then disabling themselves for 20 minutes. I've attempted to contact Broadcom but was told to work through a vendor, and Dell simply states it's a Broadcom issue. Cisco mentions there is an MS hotfix but is unable to locate it, and has only assured me they will post a bug notice about it.

    All the machines having issues are Windows XP with SP3 installed and are on an Active Directory domain. The switches are all at least Cisco 3550 series or 3560 series switches. We're using MS IAS for the RADIUS authentication of the 802.1x clients, and this only happens on our wired clients.

    Our client side configuration is under the Authentication tab:

    MS Peap
    Do not validate server certificate
    MSCHAP v2
    Automatically use windows logon name

    We've tried the following things to no avail thus far:
    1. Install the latest 57XX driver from Broadcom.
    2. Unjoin the computer from the AD domain, regenerate its SID, then rejoin; thinking it's a duplicate SID issue.
    3. Reorder the startup order for dot3svc to make sure it starts before the netlogon service.

    Here is the entry from the event viewer of an afflicted XP machine:

    Event Type: Information
    Event Source: Dot3Svc
    Event Category: None
    Event ID: 15506
    Date:  12/8/2008
    Time:  9:19:32 AM
    User:  N/A
    Computer: UB900_HELPDESK
    Description:
    Network authentication attempts have been temporarily suspended on this network adapter.
     
     Network Adapter: Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
     Interface GUID: 9219d220-ec6f-4380-8cdd-ea711fa843bf
     Reason Code: 327685
     Length of block timer (seconds): 1200


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Here is our standard Cisco switch config:
    aaa authentication dot1x default group radius 
    aaa authorization network default group radius 

    dot1x system-auth-control 
    dot1x guest-vlan supplicant 


    interface FastEthernet0/1 
    description UB912G_1 
    switchport access vlan 225 
    switchport mode access 
    switchport voice vlan 100 
    switchport port-security aging time 2 
    switchport port-security violation restrict 
    switchport port-security aging type inactivity 
    srr-queue bandwidth share 10 20 40 80 
    srr-queue bandwidth shape 0 0 0 0 
    auto qos voip cisco-phone 
    dot1x pae authenticator 
    dot1x port-control auto 
    dot1x violation-mode protect 
    dot1x timeout reauth-period 300 
    storm-control broadcast level 50.00 25.00 
    storm-control multicast level 50.00 25.00 
    macro description cisco-phone 
    spanning-tree portfast 
    spanning-tree bpduguard enable 

    Ricky Li
    Network Engineer 
    Hawaii Pacific University

    Monday, December 15, 2008 8:04 PM
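    As an added example (not from the thread or from Microsoft), a small Python parser that scans event-viewer text for the Dot3Svc 15506 suspension event quoted above and reports adapters whose block timer is non-zero, so affected machines can be spotted from collected logs before users report the 20-minute delay. The sample event text, hostnames and GUIDs are constructed.

```python
import re

# Constructed sample (not from the thread): two Dot3Svc 15506 bodies in the
# XP event-viewer layout quoted above; hostnames and GUIDs are made up.
SAMPLE_EVENTS = """\
Event Source: Dot3Svc
Event ID: 15506
Computer: WS-EXAMPLE-01
Description:
Network authentication attempts have been temporarily suspended on this network adapter.
 Network Adapter: Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
 Interface GUID: 00000000-0000-0000-0000-000000000001
 Reason Code: 327685
 Length of block timer (seconds): 1200
----
Event Source: Dot3Svc
Event ID: 15506
Computer: WS-EXAMPLE-02
 Network Adapter: Intel(R) PRO/1000 MT Network Connection
 Interface GUID: 00000000-0000-0000-0000-000000000002
 Reason Code: 327685
 Length of block timer (seconds): 0
"""

# "Key: value" lines; the block-timer key carries a "(seconds)" suffix we drop.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)(?: \(seconds\))?:\s*(.*)$")


def parse_events(text: str) -> list[dict[str, str]]:
    """Split a dump on '----' separators and collect each event's key/value fields."""
    events = []
    for chunk in text.split("----"):
        fields = {m.group(1): m.group(2).strip()
                  for m in map(FIELD_RE.match, chunk.splitlines()) if m}
        if fields:
            events.append(fields)
    return events


def suspended_adapters(text: str, min_block_seconds: int = 1) -> list[dict]:
    """Dot3Svc 15506 events whose block timer is at least min_block_seconds (a timer of 0 is not flagged)."""
    hits = []
    for ev in parse_events(text):
        if ev.get("Event Source") != "Dot3Svc" or ev.get("Event ID") != "15506":
            continue
        timer = int(ev.get("Length of block timer", "0"))
        if timer >= min_block_seconds:
            hits.append({"computer": ev["Computer"], "adapter": ev["Network Adapter"],
                         "guid": ev["Interface GUID"], "reason": ev["Reason Code"],
                         "block_seconds": timer})
    return hits
```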

Answers

  • how did you do this?
      reordered the startup order for dot3svc to make sure it starts before the netlogon service.

    Have you tried the wait until networking administrative template to see if it will delay the login until it's ready?

    Derek
    Thursday, January 08, 2009 12:08 AM

All replies

  • Hi,

    I found a KB article that describes a hotfix. Please let me know if this helps.

    http://support.microsoft.com/kb/957931

    -Greg
    Friday, December 19, 2008 5:36 AM
  • Are you using roaming profiles for users on XP SP3?
    Monday, December 22, 2008 7:21 AM
  • No roaming profiles, just straight up domain logins.
    Monday, December 22, 2008 7:21 PM
  • Thanks we'll give it a try, I hope it works for XP as well as Vista since the majority of our desktop deployments are XP.
    Monday, December 22, 2008 7:24 PM
  • It didn't work and apparently you need to get a Vista only hotfix to make the registry change work. Which sucks because our standard deployment are XP machines. Back to square one.
    Tuesday, December 23, 2008 9:02 PM
  • You tried http://support.microsoft.com/kb/957931
    for XP machines and it didn't work?
    Wednesday, December 24, 2008 8:47 AM
  • No it didn't work on XP, and even for Vista it requires a hotfix.
    Saturday, January 03, 2009 1:25 AM
  • how did you do this?
      reordered the startup order for dot3svc to make sure it starts before the netlogon service.

    Have you tried the wait until networking administrative template to see if it will delay the login until it's ready?

    Derek

    Hi there,

    How can I reorder the startup order of dot3svc and netlogon service? Could you please explain me a bit more?

    Thanks a lot,
    Nitass
    Wednesday, June 10, 2009 11:49 AM
  • Hi Nitass
    Use a GPO or local policy.
    Computer Configuration -> Administrative Templates -> System ->Logon
    From the right hand pane double click “Always wait for the network at computer startup and logon”
    That is a better way to do this.
    You can also change the dependencies of services, but as the top method is done with a GPO, that should probably be the way to go.
    Please be aware that this WILL slow boot up time.
    Friday, June 12, 2009 9:11 PM
  • Hi all,

    I got EXACTLY the same issue.

    I'm installing a new network with Cisco devices (instead of HP). At this moment, with HP devices, it works fine:
    I enter my login and password, then I have the pop up to authenticate on the network (IAS) with MD5.

    But if I try on Cisco devices (3560), no pop up appears when I log on.
    If I wait for 5 minutes (till it says that authentication failed), I have the blocking time for the dot3svc service to restart, and I have to wait 1200 seconds before having a new try at authentication.

    So I applied the patch found via this post (http://support.microsoft.com/kb/957931), and after the authentication failure (5 minutes), I can have a new try from my laptop to authenticate. And so the authentication pop up appears immediately (I set the blocking time to 0 minutes).

    But now, I'd like not to wait 5 minutes until the authentication fails.

    How can I do that?

    Thanks for all
    Friday, February 26, 2010 2:38 PM
  • Hi again,

    I would tell you that I tried to change the local policy:
    Computer Configuration -> Administrative Templates -> System ->Logon
    From the right hand pane double click “Always wait for the network at computer startup and logon”

    So I've done it, but it's worse: it is very slow (as you told me) and I can't reach the guest VLAN now!

    Friday, February 26, 2010 4:31 PM