dot1x authentication by cisco 2960 wired Sw problem

  • Question

  • I have a network with dot1x enabled on wired. My server is 2012 NPS and my client is 7, and all configuration is published by GP.

    Some clients, at Windows login, fail dot1x authentication and go to the guest VLAN, and need the NIC disabled/enabled to go back to the correct VLAN.

    Why is it necessary to enable/disable the NIC for it to work correctly?

    Thanks

    Wednesday, April 15, 2015 9:34 AM

Answers

  • Hi,

    There are a couple ways to configure a service dependency. You can use the Windows Registry, but the simplest method is using service control (sc). However, it is important to know the current dependencies so that you don't overwrite those. If the client is a server then it can currently depend on both the server and the workstation services.

    Before you start, check the current dependencies of netlogon using your services console (services.msc):

    In the example above, netlogon is only dependent on Workstation (LanmanWorkstation). To use service control (sc.exe) to add a dependency for 802.1X (dot3svc), open an administrator command prompt on the client computer and type the following:

    sc config netlogon depend= LanmanWorkstation/dot3svc

    Note that there is no space between the equal sign and the word "depend" and the slash must be a forward slash. An example is below:

    C:\>sc config netlogon depend= LanmanWorkstation/dot3svc
    [SC] ChangeServiceConfig SUCCESS

    The reason that "LanmanWorkstation" is included here is because that is the current dependency. If you don't include it then it will be overwritten and netlogon will only depend on dot3svc.

    LanmanWorkstation = the Workstation service

    dot3svc = the Wired Autoconfig service (aka 802.1X)

    Verify that the dependency was added by looking at the services console (services.msc) again:

    To accomplish the same thing in the Windows Registry:

    1. On the client computer, click Start, click Run, type regedit, and press ENTER.
    2. In Registry Editor, open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon.
    3. Double-click DependOnService, under Value data at the bottom, type dot3svc, and then click OK.
    4. Close the Registry Editor and restart the computer.

    You do not need to do both of these procedures. Pick one.

    Thanks

    -Greg

    Monday, April 20, 2015 5:31 PM
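The sc.exe procedure in the answer above, scripted so that existing dependencies are read first and never overwritten. This is an added example, not part of the original post; it assumes an elevated PowerShell session on the client, and the variable names are illustrative.

```powershell
# Added example: append dot3svc to Netlogon's dependencies without dropping
# the ones already configured. Run from an elevated PowerShell session.
$service = 'Netlogon'
$newDep  = 'dot3svc'   # Wired AutoConfig service (802.1X)
$key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$service"

# DependOnService is a multi-string value; it is absent when the service
# has no dependencies, so treat a missing value as an empty list.
$current = @((Get-ItemProperty -Path $key -Name DependOnService `
                -ErrorAction SilentlyContinue).DependOnService |
             Where-Object { $_ })

if ($current -contains $newDep) {
    Write-Output "$service already depends on $newDep; nothing to change."
} else {
    # sc.exe replaces the whole list, so pass the existing entries plus the
    # new one, joined with forward slashes.
    $merged = ($current + $newDep) -join '/'

    # Call sc.exe by its full name: in Windows PowerShell, "sc" is an alias
    # for Set-Content and would not reach the service control tool.
    & sc.exe config $service depend= $merged
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe config failed with exit code $LASTEXITCODE"
    }
}

# Verify: list the stored dependency names and the services they resolve to.
(Get-ItemProperty -Path $key -Name DependOnService).DependOnService
Get-Service -Name $service -RequiredServices
```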

All replies

  • Hi,

    According to your description, my understanding is that 802.1x wired authentication has been configured with GP, but the client failed to be authenticated, and re-enabling the NIC works for re-authentication.

    If only a specific client has this problem, I recommend that you check and update the NIC driver to the latest version. Besides, try to restart the client with a clean boot, try to reconnect to the 802.1x network and confirm the result.

    If the problem still exists, open Event Viewer on the client, and check to see if a related event has been logged. Besides, provide the error message shown when it fails to connect to the network, if any.

    On the NPS side, enable accounting (reference: https://technet.microsoft.com/en-us/library/dd197475(v=ws.10).aspx ), check the log file, and post the record here.

    Best Regards,
    Eve Wang



    Thursday, April 16, 2015 6:47 AM
  • Usually this problem is because dot1x (aka 802.1x) is not running when the computer attempts to log on.

    You can consider changing netlogon service to depend on dot1x. This ensures that dot1x is fully started before netlogon is attempted.

    Saturday, April 18, 2015 2:37 AM
  • One reason authentication can fail is that the network switchport is going into spanning-tree blocking mode for a very long time.

    On a Cisco switch, you should configure these access switchports with "portfast" (or "portfast trunk" if they are trunk ports). On HP Procurve it is "admin-edge-port".

    Monday, April 20, 2015 6:18 AM
  • How can I make the netlogon service depend on dot1x?
    Monday, April 20, 2015 12:16 PM
  • Thanks a lot, my dear

    Tuesday, April 21, 2015 3:36 AM