Reset Search



KB44439 - Machines and users are placed in same vlan during machine-then-user 802.1x authentication owing to incorrect TLS resumption

« Go Back


Last Modified Date4/23/2020 11:56 AM
As per PPS configuration,  different VLANs are configured for the machine role & user role using radius return attribute policies. Pulse desktop client is configured to perform machine-then-user authentication using certificates.  However upon logging on to client PC using Pulse Desktop Client, the users are not placed on the user VLAN instead they are placed in  machine VLAN  , though user authentication is successful. 
Problem or Goal
Upon performing successful user authentication and assigned appropriate user role , the VLAN configured for the corresponding user role is not being assigned, instead the VLAN meant for the machine role is being assigned . 
This problem is triggered owing to a bug in  Microsoft Windows 10 OS . During the user logon phase , Microsoft's EAP-Host sub-system triggers an incorrect 802.1x connection request with User authentication even before the actual windows user logon when the earlier machine authentication session  is still active with an IP address. This forces pulse desktop client to initiate an  incorrect TLS resumption for 802.1x machine authentication instead of triggering a fresh  802.1x user connection, as the earlier 802.1x  machine connection is still active. Owing to incorrect TLS resumption of 802.1x machine authentication , the machine VLAN gets assigned to user upon user logon. 

The actual root cause of what make  Microsoft's EAP-Host sub-system to incorrectly trigger a 802.1x user auth request before actual user logon needs to investigated by Microsoft team. This section would be updated once the RCA is received from Microsoft. 
A fix has been developed in Pulse Desktop client to  ignore any  incorrect 802.1x user authentication request before the user logon happens thereby avoiding the incorrect TLS resumption of 802.1x machine authentication during user logon. Pulse Desktop Client version 9.1R5 & above version contains this fix. 
Related Links
Attachment 1 
Created ByBenjamin Cladius



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255