
Machine Certificate with user PEAP Auth - known problems with Windows 7 built-in manager

Grendizer
Cisco Employee

Hi Team,

The customer is asking for feedback on known problems with the Win7 built-in manager when it manages wireless auth (Machine Certificate with user PEAP Auth). The network details are below:

Windows 7 without AnyConnect, depending on the Win 7 built-in manager

ISE 2.0

WLC 8.1.131.0

I helped the customer configure this, and we tested sleep, hibernate, restart, and removing the client from ISE and the WLC; all the tests were successful. BUT when the customer left the Win7 laptop for a few hours and came back, he had to log off and log in again to kick off the machine certificate auth because it didn't happen automatically. The customer called TAC, and TAC told him that this is a known issue with Windows if the OS tries to manage the wireless connection; TAC recommended installing AnyConnect on all PCs or extending the idle timeout for that specific WLAN from the WLC.

Could you please share your thoughts on this?

Thanks,

Accepted Solutions

thomas
Cisco Employee

Yes, AnyConnect's 802.1X module is meant to handle the authentication-after-sleep scenario. Microsoft native supplicants are notorious for these scenarios. If AnyConnect is not an option, I would suggest they search Microsoft's Knowledgebase for things like this and patch appropriately:

No response to 802.1X authentication requests after authentication fails on a computer that is running Windows 7 or Windows Server 2008 R2

Scenario 2

You resume the operating system from sleep or from hibernation. The operating system does not respond to the 802.1X reauthentication requests if the authentication instance has a UI request. Therefore, the authentication attempt fails because of a time-out.
