802.1x guest user with a 802.1x configuration (another domain) RRS feed

  • Question

  • Hello all,

    I have an issue with some guest user who have a 802.1x configuration with their own companies. What happen is that the user who have 802.1x enabled try to authenticate with our NPS but the domain doesn't exist on our side. And there's a retry every minute or so right now. Is there a way we can denied other 802.1x with another domain? Make it ''normal'' guest user? Or it is on the side of the guest user?


    Wednesday, February 11, 2015 5:49 PM

All replies

  • Hi,

    According to your description, my understanding is that you want to disable the 802.1x authentication on clients for another domain.

    In general, the 802.1x authentication related settings of clients are configured by group policies,  centrally managed by DC of that domain. Back to that domain and remove this client from the 802.1x policy related groups, then refresh the group policies. This is a better way to disable it.

    Otherwise, we need to delete related registry keys on local machine, it is not recommended and may affect the normal mechanism.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, February 13, 2015 5:18 AM
  • If the client has permission to edit 802.1X settings you can disable "automatically use my Windows logon name and password ..and domain" in EAP MSCHAPv2 properties. See the image below.


    P.S. Some switches also have a setting to assign a VLAN to clients with failed authentication attempts. You can configure this to be the guest VLAN.
    Monday, February 16, 2015 1:24 AM
  • Hello and thanks for your response,

    Yes, i want to disable the 802.1x on guest clients who are on another domain. But unfortunately, i do not have access to that DC on that domain. So i can't remove specific clients on the 802.1x policy who try to authenticate on our NPS. 

    I was thinking about a way to disable these authentication on our side. Like to forget authentication about another domains except our domain. Like to "block" other authentications on other domains.

    It's not a huge issue since users are able to get to our guest VLAN configured on the switch because the authentication failed (like Greg said). The only issue is that authentication retry every minute with the domain and every users on that domain (logs get bigger and bigger).

    I'm sure is a typical scenario since every companies or so have 802.1x and consultants goes in and out these days.

    Thanks in advance

    Friday, February 20, 2015 4:33 PM