none
Explicit EAP failure received

    Question

  • Solution of NPS works on all ten desktops. All able to succesfully authenticate using dot1.x and get into proper VLAN. However a new desktop batch of three machine, newly installed two days back are unable to go through dot1.x authentication.

    Instead it ends at explicit EAP failure with red question mark on network adapter. Client is Windows 7 ultimate.

    Any ideas what can be the difference factor between these windows 7 machines, causing few to pass and these new ones to fail.

    Services of NAPAgent and dot3svc are also started, same NAP settings through GP on all machines.

    Also executed sc config dot3svc depends = napagent.

    Switch is 3COM model 4210 working perfectly with all other windows 7 desktops.

    Any idea ?


    Shahid Roofi
    Thursday, January 26, 2012 9:07 PM

All replies

  • Hi Shahid,

    Thank you for your post.

    Please provide more events details about your issue, like:
    ...
    Reason: XXXX
    Reason Text: Explicit Eap failure received
    Error Code: XXXX

    Any ideas what can be the difference factor between these windows 7 machines
    These machines failed to connect the Wireless or Wired network? Clients has never connected the 802.1x network successful or disconnected when user logon? 
     
    If there are more inquiries on this issue, please feel free to let us know.

    Regards,
    Rick Tan
    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Rick Tan

    TechNet Community Support

    Friday, January 27, 2012 9:43 AM
  • first i updated NIC drivers from 2010 version to dec-2011 version on adapter: Intel 82579LM  - (Wired) i am using wired 802.1x using 3COM

    but no benefits.

    then i changed properties on adapter network,

    Log Link State Event (set to disabled) previosly enabled

    Priority and VLAN (set to disabled) previously enabled

    wait for link (set to ON) preivous set to auto detect.

    this helped.

    and helped alot. No more authenticaiton problem.

    But everytime system boots, there is authentication failure. i have disabled and enable the adapter once to get through.

    this is not ideal.

    (i already have applied on sc config dot3svc depend= napagent on all computers)

    ??


    Shahid Roofi

    Logs says,

    Wired 802.1X authentication failure.

    ...

    Reason: 0x50005

    Reason Text: An internal error occurred

    Error code; 0x8007054f

    ----------------------------------------

    once disabled and reenabled this problem disappears.

     

    I am not satisfied with this as proper solution.

     

    Friday, January 27, 2012 10:18 AM
  • We are having the exact same issue, however out of 100 authentications 90 can authenticate without an issue where 10 percent need an interface reset.

    The strange thing is that we are experiencing this mostly with HP systems, our Lenovo Systems authenticate properly.
    Both use the same lan interface type, model and driver.

    Friday, January 27, 2012 12:03 PM
  • very right, we have this issue on HP Minitower PCs with Intel Adapter 82579LM. We've tried to attach a laptop with same OS on this network port and works perfect.
    Shahid Roofi
    Friday, January 27, 2012 12:16 PM
  • how opten is the reset required. In our case, on initial finding once after restart is must. i am try to include this into startup script for these system. But there sould be a proper solution to this.
    Shahid Roofi
    Friday, January 27, 2012 1:13 PM
  • In our situation we only need to unplug and plugin the ethernet cable into the NIC. 90% of the time it's not needed 10% of the time it is.

     

    Friday, January 27, 2012 2:08 PM
  • The thing, there can be a simple fix from MS on this. replug of ethernet cable is not a good solution and practice. Also disable-enable on network adapter is also not an acceptable soluton especially in big environment.

    MS should really try to make this solution more stable.


    Shahid Roofi
    Friday, January 27, 2012 6:54 PM
  • Hi Shahid,

    Try steps below to resolve your issue:
    1. Install the KB976373 when your client computer does not directly connect (like through VOIP telephone) to 802.1x enabled switch. 
    2. Disable all the INTEL NIC utilities and keep the Wired Autoconfig service running.
    3. Do your clients use user or computer authentication 802.1X authentication mode? Try to reboot your client into safe mode with network (or clean boot) to test if issue exists

    Regards,
    Rick Tan
    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Rick Tan

    TechNet Community Support

    Monday, January 30, 2012 6:32 AM
  • In our situation the issue occurs with PC's directly connected to the Cisco 3750 switches and also to those connected via a Cisco 7945 IPPhone. All PC's were patched with KB976373 but this made no difference.

    All PC's only have the same Intel Ethernet drivers and don't have any Intel or other third party NIC utilities installed.
    All PC's are based on a standard SCCM deployment and all have the same setup, packages and  deployed.

    The Wired Autoconfig service settings are deployed via GPO and it is configured to start automatically.
    The GPO applying the NAP and Wired Autoconfig settings if enforced.

    As stated before the issue occurs mostly on HP PC's about 1 in 10 attempts. The Lenovo PC's which we have hardly ever have the issue and they use the same ethernet adapter and drivers. 

    Whenever a pc has authenticated succesfully it's extremely difficult to trigger a failure again. I can reboot it 100 times and it then just works flawlessly. Whenever a failure occurs I can run all checks from the NAP troubleshooting guide and it passes all those checks. All settings are applied and services are started, whenever I trigger an interface reset the authentication just works.

    To rule out that the anti-virus or firewall are causing the NAP failure we have removed those checks. 

     

     

    Monday, January 30, 2012 10:06 AM
  •  

    We'll be trying that soon. Also we have another article that seems relevent:

    http://support.microsoft.com/kb/980295

    We've planned to try both now. With the high hopes that one of them would address it.

    Your article seems very relevant on teh symptions aspect because reset of adapter solves the problem in our case also, but machine is not connected through any phone, rather it is directly connected.


    Shahid Roofi
    Monday, January 30, 2012 7:27 PM
  • Shahid,

    Thanks for the link to KB980295 we didn't found that one before.
    I just deployed it to the test batch of pc's, if now issues arrise we will deploy it to the other troublesome pc's.

    Will update this thread once we have more info.
    Regs,
    John

    Thursday, February 02, 2012 8:49 AM
  • Hi Shahld,

    I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

    Regards,
    Rick Tan
    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedbackhere.


    Rick Tan

    TechNet Community Support

    Tuesday, February 07, 2012 5:59 AM
  •  we are still trying things but without hopeful gain yet.

     strange fact is another desktop or laptop attached to same port authenticates perfectly without a glitch.

     This particular desktop also authenticates but is out of network. and sometimes explicity shows a red question mark of authentication fails.

     All KB articles we've found to date, have been applied on the said machines.

     Problem is only on 3 HP Elite Minitower workstation. (all rest 500 machines does not have this problem !)

     If you want i can manage to provide remode desktop through secondary EVO connection.

     Our next line of action is to reimage these three machines with fresh OS once again.

     Only thing that affects is the fact that changing settings on network apadter advanced properties affects the behavirour but does not help permanently.


    Shahid Roofi


    Tuesday, February 07, 2012 8:14 AM
  • Hi Shahid,

    It is possible that the authentication failure is a result of the slow initialization of the NIC during reboot.

    Would you please make sure that the Portfast is enabled on the switch interfaces that are straightly connected with the Windows machines?

    On the other hand, would you please try enabling the Group Policy “Always wait for the network at computer startup and logon” under the path: “Computer Configuration\Administrative Templates\System\Logon\”

    Best Regards,

    Steven Xiao


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, February 09, 2012 4:28 AM
  •  Dear Steven, That sure is nice suggestion. However our problem does not only pertain to startup.

     Even during the normal operation, at any reauth cycle, dot1x authentication fails. logs are received in which only partial dot1x communication happended. Seems like something is timing out at the desktop level. Sometimes, even after log declares the successful authenitcation at NPS end, still the desktop in a abnormal state of network connectivity i-e despite being in one of the VLAN it won't connect anywhere.

     PortFast is something which is already enabled.


    Shahid Roofi

    Thursday, February 09, 2012 7:27 AM
  • Just to give you an update from our end, we deployed hotfix KB980295 to all systems on monday.
    Thus far we haven't had any notifications of users that their PC failed to authenticate, the switch logs are also looking great.

    For you info we deployed all NAP settings via a GPO and the Group Policy “Always wait for the network at computer startup and logon” under the path: “Computer Configuration\Administrative Templates\System\Logon\” is on in order to resolve other issues.

    Lets hope that we've tackled the issue.

    Thursday, February 09, 2012 8:29 AM
  • Hi Shahid,

    Is there anything abnormal on the authentication tab of the NIC GUI when the issue occurs?

    Double-click the "Local Area Connection" > Properties > Authentication tab

    Best regards,

    Steven Xiao


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, February 14, 2012 12:09 PM
  • In addition, I am not sure if SP1 is installed on the problematic win7 machines. Since the hotfix KB980295 which is included in the SP1 seems to fix ITmab's 802.1x issue, it is worth trying.

    Regards,

    Steven


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, February 14, 2012 12:14 PM
  • Did you get this issue resolved? We're having this same issue on the same NIC hardware, with all the 802.1x hotfixes applied.

    What we've been able to determine is we don't see a "link up" message from the driver during the failures, but it's only intermittent. We updated to the latest driver with no resolution.

    Thursday, January 03, 2013 7:53 PM