Dude where's my PFE?

I am a Premier Field Engineer (PFE) for Microsoft.

20 minute delay deploying Windows 7 on 802.1x? Fix it here!


Someone mentioned to me that he has a 20 minute delay deploying Windows 7 to 802.1x EAP networks. They noted http://support.microsoft.com/kb/978152, which is “A Windows Vista-based or Windows Server 2008-based computer does not respond to 802.1X authentication requests for 20 minutes after a failed authentication”.

But they didn’t see a similar fix for Windows 7. So, what do they do? They ask PFE of course! I got together with Yong Rhee and Carl Luberti and we kicked the tires a few times and found that to fix this you likely need to do two things:

1)  Apply http://support.microsoft.com/?id=976373 which is “A computer that is connected to an IEEE 802.1x-authenticated network via another 802.1x enabled device does not connect to the correct network” and then add the registry key to modify the timeout value:

For wired networks
To use the new registry setting in a wired network, follow these steps:

1. Open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press ENTER.

2. Locate and then right-click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc

3. Point to New, and then click DWORD Value.

4. Type BlockTime, and then press ENTER.

5. Right-click BlockTime, and then click Modify.

6. Click Decimal under Base.

7. In the Value data box, type an appropriate value for the blocking period, and then click OK. The value that you specify for this registry entry represents the number of minutes that the system waits before it retries a failed authentication. The default value is 20 and the valid range is 1 - 60. If you set this key to 0, it will not apply at all.

8. Exit Registry Editor.

For wireless networks
To use the new registry setting in a wireless network, follow these steps:

1. Open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press ENTER.

2. Locate and then right-click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wlansvc

3. Point to New, and then click DWORD Value.

4. Type BlockTime, and then press ENTER.

5. Right-click BlockTime, and then click Modify.

6. Click Decimal under Base.

7. In the Value data box, type an appropriate value for the blocking period, and then click OK. The value that you specify for this registry entry represents the number of minutes that the system waits before it retries a failed authentication. The default value is 20 and the valid range is 1 - 60. If you set this key to 0, it will not apply at all.

8. Exit Registry Editor.

Set the value to something smallish, say 2.
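For a deployment task sequence, the manual registry steps for both the wired and wireless keys can be scripted. The PowerShell below is an added example, not code from the original post or from Microsoft; the function name `Set-Dot1xBlockTime` is hypothetical, the default of 2 minutes follows the suggestion above, and it assumes an elevated session on a machine where the hotfix is already installed.

```powershell
# Added example: scripts the BlockTime steps for wired (dot3svc) and wireless (wlansvc).
# Set-Dot1xBlockTime is a hypothetical helper name. Written to run on PowerShell 2.0 (Windows 7).
function Set-Dot1xBlockTime {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Minutes to wait before retrying a failed authentication.
        # The valid range is 1-60; 0 is rejected here because the setting then does not apply.
        [ValidateRange(1, 60)]
        [int]$Minutes = 2,

        [ValidateSet('Wired', 'Wireless')]
        [string[]]$Network = @('Wired', 'Wireless')
    )

    $subkeys = @{
        Wired    = 'HKLM:\SOFTWARE\Microsoft\dot3svc'
        Wireless = 'HKLM:\SOFTWARE\Microsoft\wlansvc'
    }

    foreach ($n in $Network) {
        $path = $subkeys[$n]

        if (-not (Test-Path -Path $path)) {
            if ($PSCmdlet.ShouldProcess($path, 'Create registry key')) {
                New-Item -Path $path -Force | Out-Null
            }
        }

        if ($PSCmdlet.ShouldProcess("$path\BlockTime", "Set DWORD to $Minutes")) {
            # -Force creates the value or overwrites an existing one of any type.
            New-ItemProperty -Path $path -Name 'BlockTime' -PropertyType DWord -Value $Minutes -Force | Out-Null
        }

        # Read the value back so the deployment log records what is actually stored.
        $actual = (Get-ItemProperty -Path $path -Name 'BlockTime' -ErrorAction SilentlyContinue).BlockTime
        New-Object PSObject -Property @{
            Network   = $n
            Key       = $path
            BlockTime = $actual
            Matches   = ($actual -eq $Minutes)
        }
    }
}

Set-Dot1xBlockTime -Minutes 2
```

On 64-bit Windows, run this from a 64-bit PowerShell host: a 32-bit process is redirected to `Wow6432Node` and would write the value under a different key than the one given in the steps above. Use `-WhatIf` to preview the changes without writing them.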

Hope this helps you in your deployments!

Jeff, Carl and Yong

Comments
  • ty

  • Jeff,

    I had installed this hotfix and created registry entry for Block time (1 minute) in a Windows 7 domain PC.

    But the behaviour did not change, the block time remained 20 minutes.

    I also have installed the hotfix KB980295 but it also did not change the block time behaviour.

    Wired 802.1x policy is configured through Group Policy.

    Group Policy Object settings do not show an "Enable Block time" option.

    Please advise on how to resolve this issue and reduce block time to 1 minute.

  • If the steps above don't resolve your issue, Raj, I can only suggest contacting support; something else is amiss here.

  • Try

    netsh lan set blockperiod value=0

    No need to modify registry

    Worked for me

  • The PC is in a domain and the dot1x profile is set by Group Policy.

    When entering the "netsh lan set blockperiod value=0", access denied error message is displayed.
