A Windows XP-based wired client computer will not obtain a valid IP address from a guest VLAN or from an "Authentication failed-VLAN"

Article ID: 931856

SYMPTOMS

Consider the following scenario:
  • A Microsoft Windows XP-based wired client computer uses the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication configuration.
  • IEEE 802.1X authentication is enabled on the client computer.
  • The client computer does not have a valid certificate for 802.1X authentication.
In this scenario, the client computer will not obtain a valid IP address from a guest Virtual Local Area Network (VLAN) or from an "Authentication failed-VLAN". ("Authentication failed-VLAN" is a Cisco feature.)

CAUSE

This problem occurs because the client computer that uses 802.1X authentication will not respond to the EAP request identity packets that the Ethernet switch sends. The client computer does not respond because it does not have a valid certificate. Therefore, the client computer sends an EAP over LAN (EAPOL) start frame and does not respond to the EAP request identity packet.

RESOLUTION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To resolve this problem, follow these steps:
  1. Create the SupplicantMode registry entry and set its value to 1. Then, the Windows XP client computer does not send an EAPOL start frame. To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type SupplicantMode, and then press ENTER.
    5. On the Edit menu, click Modify.
    6. Type 1 in the Value data box, and then click OK.
    7. Exit Registry Editor.
  2. Use PEAP-MSCHAPv2 as the 802.1X authentication mechanism. In this scenario, the client computer will always respond to EAP request identity frames if you do not change the default configuration.
  3. Use the default settings in which the SupplicantMode registry entry is not present, and change the Ethernet switch settings to a value of 1 for the following settings:
    • Minimum EAPOL time-out value
    • EAP retry amount
  4. Change the Ethernet switch VLAN setup. Use one default VLAN, and then use one or more VLANs for 802.1X authenticated computers and users.

MORE INFORMATION

The following table describes the SupplicantMode registry entry for values from 0 through 3.
Value   Description
0       Disable IEEE 802.1X authentication operation.
1       Prevent transmission of EAPOL start and EAPOL log off packets under all scenarios.
2       Include learning to determine when to initiate the transmission of EAPOL packets. A Windows XP Service Pack 2 (SP2)-based computer will only send an EAPOL start frame if the computer receives an EAP request identity frame and if no internal process is currently ongoing.
3       Compliant with IEEE 802.1X authentication specification.
The SupplicantMode registry entry is also explained in the "Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows" article. To download this article, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?familyid=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en
Note The SupplicantMode registry entry is no longer valid for Wired 802.1X in Windows XP SP3. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
949984 Changes to the 802.1X-based wired network connection settings in Windows XP Service Pack 3
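The registry change from step 1 of the resolution, combined with the value table and the SP3 note above, as a script. This is an added example, not code from Microsoft or from the original article. It assumes Windows PowerShell is installed on the client and is run with local administrator rights; the -Apply switch and the variable names are the example's own.

```powershell
# Added example: report the current SupplicantMode setting and, with -Apply,
# set it to 1 as described in step 1 of the resolution.
# Assumption: Windows PowerShell is installed and the session is elevated.
param([switch]$Apply)   # without -Apply the script only reports

$eapolKey = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
$ntKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Meaning of each value, taken from the table in this article.
$meaning = @{
    0 = 'IEEE 802.1X authentication operation disabled'
    1 = 'EAPOL start and EAPOL log off packets never transmitted'
    2 = 'Learning mode decides when EAPOL packets are transmitted'
    3 = 'Compliant with the IEEE 802.1X authentication specification'
}

# The article notes that the entry is no longer valid for wired 802.1X in SP3.
$servicePack = (Get-ItemProperty -Path $ntKey).CSDVersion
if ($servicePack -match 'Service Pack 3') {
    Write-Warning 'Service Pack 3 detected: SupplicantMode is no longer valid for wired 802.1X (see KB 949984).'
    return
}

# Read the current value; it stays $null when the key or the entry is absent.
$current = $null
if (Test-Path $eapolKey) {
    $current = (Get-ItemProperty -Path $eapolKey).SupplicantMode
}

if ($current -eq $null) {
    'SupplicantMode is not present (default settings).'
} elseif ($meaning.ContainsKey([int]$current)) {
    "SupplicantMode = $current : $($meaning[[int]$current])"
} else {
    "SupplicantMode = $current : not a value this article documents"
}

if ($Apply -and $current -ne 1) {
    # Create the subkey if it is missing, then write the DWORD value 1.
    if (-not (Test-Path $eapolKey)) {
        New-Item -Path $eapolKey -Force | Out-Null
    }
    New-ItemProperty -Path $eapolKey -Name SupplicantMode `
        -PropertyType DWord -Value 1 -Force | Out-Null
    'SupplicantMode set to 1. Record the previous value shown above so that it can be restored.'
}
```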

Properties

Article ID: 931856 - Last Review: September 24, 2009 - Revision: 2.0
APPLIES TO
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
Keywords: 
kbexpertiseadvanced kbtshoot KB931856
