There may be several causes for this, but this document will focus on one specific cause. This type of behavior can be caused by a feature on some switches known as “Quiet Period”. Quiet Period is a feature that some switch manufacturers include as a security feature. When this feature is turned on and assigned a time value, it will prevent the switch from listening to or replying to EAP traffic for the specified time if a user has failed 802.1X authentication. The port goes into a “quiet period” and ignores all traffic until the timer expires.
If the quiet period exceeds Odyssey’s total EAPOL-Start window (6 seconds by default), OAC will move to an “Open on Timeout” state. OAC enters this state when it has not received a response to its EAPOL-Start messages (1 EAPOL-Start every 2 seconds, sent 3 times). If the switch port is configured for a guest VLAN, the PC will be placed on that VLAN and should receive an IP address. If that IP address does not have access to the Domain Controller, you may receive an error message stating that the DC is not available.
There are several ways to prevent this:
- Lower the Quiet Period to fall within the OAC EAPOL-Start timeout range.
- Increase OAC’s EAPOL-Start timer to conform to the switch’s quiet period setting.
- Eliminate the switch’s quiet period setting altogether.
If you wish to increase the time interval for how long OAC waits between each EAPOL-Start message, you will need to edit the following registry key.
HKEY_LOCAL_MACHINE\SOFTWARE\Funk Software, Inc.\odyssey\client\configuration\options\wired8021x\startPeriod
Set the value of this key to the number of seconds OAC should wait between EAPOL-Start messages. The default value is 2 seconds.
If you wish to increase or decrease the number of EAPOL-Start messages that OAC sends to a switch, you will need to edit the following registry key.
HKEY_LOCAL_MACHINE\SOFTWARE\Funk Software, Inc.\odyssey\client\configuration\options\wired8021x\maxStart
Set the value of this key to the maximum number of EAPOL-Start messages sent. If OAC does not receive a response to any of the EAPOL-Start messages once the maximum number is reached, OAC will assume that no 802.1X-enabled switch is available. At this point, OAC will move to the “Open on Timeout” state and will open the port.
NOTE: If you are using a wireless adapter instead of a wired adapter, simply change the ‘wired8021x’ portion of the registry key to ‘wireless8021x’.
NOTE: You should carefully consider the impact that adjusting the timers could have on the time it takes for a user to authenticate. Some values can extend the time it takes to log in from seconds to tens of seconds. You should test these values before deploying them to a wide audience of users.
Use caution whenever editing the Registry, as serious problems can occur if it is modified incorrectly. It is advised to back up your Registry before making ANY changes. Consult your IT organization for assistance with Registry issues.
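To check a client before changing anything, the following read-only script (an added example, not vendor code) compares OAC's EAPOL-Start window with a switch quiet period that you supply. It assumes startPeriod and maxStart are values stored under the wired8021x / wireless8021x key; the parameter and property names are hypothetical.

```powershell
# Added example (not vendor code). Read-only: reports, never writes the registry.
# Assumption: startPeriod and maxStart are values under the adapter's key.
param(
    [Parameter(Mandatory)][int]$QuietPeriodSeconds,   # hypothetical: the switch's quiet period
    [ValidateSet('wired8021x', 'wireless8021x')][string]$Adapter = 'wired8021x'
)

$key = "HKLM:\SOFTWARE\Funk Software, Inc.\odyssey\client\configuration\options\$Adapter"

function Get-OacTimer {
    param([string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $null -ne $item.$Name) { return [int]$item.$Name }
    return $Default   # value not set: fall back to the default stated in the article
}

$startPeriod = Get-OacTimer -Name 'startPeriod' -Default 2   # seconds between EAPOL-Starts
$maxStart    = Get-OacTimer -Name 'maxStart'    -Default 3   # EAPOL-Starts before giving up
if ($startPeriod -le 0 -or $maxStart -le 0) {
    throw "Unexpected timer values: startPeriod=$startPeriod maxStart=$maxStart"
}

$window  = $startPeriod * $maxStart          # seconds until "Open on Timeout"
$covered = $QuietPeriodSeconds -le $window   # failure case in the article: quiet period > window
# Smallest maxStart (startPeriod unchanged) whose window is strictly longer than the quiet period.
$neededMaxStart = [int][math]::Floor([double]$QuietPeriodSeconds / $startPeriod) + 1

[pscustomobject]@{
    Adapter            = $Adapter
    StartPeriod        = $startPeriod
    MaxStart           = $maxStart
    WindowSeconds      = $window
    QuietPeriodSeconds = $QuietPeriodSeconds
    QuietPeriodCovered = $covered
    SuggestedMaxStart  = if ($covered) { $maxStart } else { $neededMaxStart }
}
```

WindowSeconds is also the longest a user waits before OAC opens the port when no 802.1X switch answers, so weigh any suggested increase against login time.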