KB12476 - Windows login fails when correct credentials are entered after a failed 802.1X authentication

Last Modified Date: 8/14/2015 4:01 PM

Synopsis

Failed Windows logon after retrying with correct credentials

Problem or Goal

A user is attempting to log in to Windows with the Odyssey Access Client (OAC) configured to use its GINA module to perform 802.1X authentication.

Scenario

  1. The user attempts to sign in and enters a bad set of credentials at the Windows GINA dialog.
  2. The Odyssey Access Client shows the user that they failed to authenticate and redirects them back to the GINA dialog.
  3. The user then enters the correct credentials.
  4. The 802.1X authentication does not succeed, but the user appears to succeed at the Windows logon after about 20 seconds.
  5. The user may see a Windows error message stating that the domain controller is not available.
  6. The user clicks OK and is then passed on to the desktop, but has limited or no network access.

Cause

There may be several causes for this behavior, but this document focuses on one specific cause: a feature on some switches known as "Quiet Period". Some switch manufacturers include Quiet Period as a security feature. When it is enabled and assigned a time value, the switch stops listening to or replying to EAP traffic on the port for the specified time after a user has failed 802.1X authentication. The port goes into a "quiet period" and ignores all traffic until the timer expires.

If the quiet period exceeds Odyssey's total EAPOL-Start timeout (by default 6 seconds: one EAPOL-Start every 2 seconds, sent 3 times), OAC moves to an "Open on Timeout" state, which it uses when it has received no response to its EAPOL-Start messages. If the switch port is configured for a guest VLAN, the PC is placed on that VLAN and should receive an IP address. If that IP address has no access to the domain controller, the user can receive an error message stating that the DC is not available.

Solution

There are several things that can be done to prevent this from happening:

  1. Lower the Quiet Period to fall within the OAC EAPOL-Start timeout range.
  2. Increase OAC's EAPOL-Start timer to conform to the switch's quiet period setting.
  3. Eliminate the switch's quiet period setting altogether.

If you wish to increase the interval that OAC waits between EAPOL-Start messages, edit the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Funk Software, Inc.\odyssey\client\configuration\options\wired8021x\startPeriod

Set the value of this key to the number of seconds OAC should wait between EAPOL-Start messages. The default value is 2 seconds.

If you wish to increase or decrease the number of EAPOL-Start messages that OAC sends to a switch, edit the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Funk Software, Inc.\odyssey\client\configuration\options\wired8021x\maxStart

Set the value of this key to the maximum number of EAPOL-Start messages sent. If OAC does not receive a response to any of the EAPOL-Start messages once the maximum number is reached, OAC assumes there is no 802.1X-enabled switch available. At this point, OAC moves to the "Open on Timeout" state and opens the port.

NOTE: If you are using a wireless adapter instead of a wired adapter, simply change the 'wired8021x' portion of the registry key to 'wireless8021x'.

NOTE: Carefully consider the impact that adjusting the timers could have on the time it takes a user to authenticate. Some values can extend the login time from seconds to tens of seconds. Test these values before deploying them to a wide audience of users.
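As an added example (not part of the KB article or of OAC), the script below reads the two registry values named above, computes OAC's EAPOL-Start window (startPeriod x maxStart), compares it with the switch's quiet period, and with -Apply raises startPeriod just enough for the window to outlast the quiet period. It assumes an elevated PowerShell session, that the values are stored as DWORDs, and that $QuietPeriodSeconds (a constructed sample value) is replaced with the switch's real setting.

```powershell
# Added example: align OAC's EAPOL-Start window with the switch Quiet Period.
# Assumes an elevated session and DWORD values; 10 s is a constructed sample quiet period.
param(
    [int]$QuietPeriodSeconds = 10,
    [ValidateSet('wired8021x', 'wireless8021x')]
    [string]$Adapter = 'wired8021x',
    [switch]$Apply
)

$options = 'SOFTWARE\Funk Software, Inc.\odyssey\client\configuration\options'
$key     = "HKLM:\$options\$Adapter"

# Read the current values; fall back to the KB defaults (2 s, 3 messages) when absent.
$props       = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$startPeriod = if ($null -ne $props.startPeriod) { [int]$props.startPeriod } else { 2 }
$maxStart    = if ($null -ne $props.maxStart)    { [int]$props.maxStart }    else { 3 }
$window      = $startPeriod * $maxStart

Write-Host "EAPOL-Start window: $maxStart x $startPeriod s = $window s; quiet period: $QuietPeriodSeconds s"

if ($window -gt $QuietPeriodSeconds) {
    Write-Host 'OAC is still sending EAPOL-Start when the quiet period ends; no change needed.'
    return
}

# Smallest startPeriod that pushes the window past the quiet period. maxStart is left
# unchanged so the extra login delay (the new window) stays as small as possible.
$newStartPeriod = [math]::Floor($QuietPeriodSeconds / $maxStart) + 1
$newWindow      = $newStartPeriod * $maxStart
Write-Host "Recommended startPeriod: $newStartPeriod s (login may now wait up to $newWindow s before Open on Timeout)"

if (-not $Apply) { return }

# Export the key first so the change can be reverted, then write the new value.
$backup = Join-Path $env:TEMP "oac-$Adapter-options.reg"
& reg.exe export "HKLM\$options\$Adapter" $backup /y | Out-Null
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name 'startPeriod' -Value $newStartPeriod -Type DWord
Write-Host "startPeriod set to $newStartPeriod; previous values exported to $backup"
```

Run it without -Apply first to see the current window and the recommended value; the reported new window is the longest a login can wait before OAC falls back to Open on Timeout.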

WARNING: Use caution whenever editing the Registry, as serious problems can occur if it is modified incorrectly. It is advised to back up your Registry before making ANY changes. Consult your IT organization for assistance with Registry issues.

Created By: Data Deployment