Vivek Santuka
Cisco Employee

Very often, 802.1x deployments run into Windows 7 machines that exhibit erratic authentication problems such as:

  • Not able to authenticate when coming back from sleep or hibernation
  • Using the wrong protocol on boot up
  • Not able to authenticate after a single authentication failure

Such problems often boil down to one or more of the following issues:

| Problem Summary | KB |
| --- | --- |
| Win 7 connected behind IP Phones will not authenticate after waking up from sleep or hibernation | KB 976373 |
| Win 7 stops responding to 802.1x after first authentication fails | KB 980295 |
| Win 7 selects a protocol different from what the GPO states. (GPO is configured for EAP-TLS but PEAP is used because local config had PEAP selected) | KB 2481614 |
| Win 7 does not prompt for 802.1x credentials to some users on a shared PC | KB 2491809 |
| Win 7 does not prompt for 802.1x credentials | KB 2835595 |
| Win 7 cannot authenticate if a valid and an invalid certificate is present | KB 2494172 |
| Win 7 selects wrong certificate for a machine migrated across two forests | KB 2769121 |
| Win 7 Authentication fails intermittently | KB 2736878 |

 

So if you have an 802.1x implementation, or are considering one, in a Windows 7 environment, these hotfixes should be pushed out to the endpoints to avoid problems with authentication. Some of these are not part of a Service Pack, so they need to be downloaded and pushed out specifically.

On a side note, some laptops manufactured in 2013/2014, especially from HP, require a device driver upgrade to authenticate correctly.
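
One way to check an endpoint for the hotfixes in the table above, as an added example that is not part of the original post. The KB numbers are the ones listed above; the script layout, the `-ComputerName` parameter and the exit codes are assumptions chosen for illustration.

```powershell
# Added example: audit a Windows 7 endpoint for the 802.1X hotfixes listed in the article.
# KB numbers and summaries come from the table above; everything else is illustrative.
# Written to run on PowerShell 2.0, the version that ships with Windows 7.
param(
    [string]$ComputerName = $env:COMPUTERNAME   # assumption: WMI access to the target
)

$required = @(
    @{ Id = 'KB976373';  Issue = 'No auth behind IP phone after sleep or hibernation' },
    @{ Id = 'KB980295';  Issue = 'Stops responding to 802.1x after first auth failure' },
    @{ Id = 'KB2481614'; Issue = 'Protocol differs from GPO (PEAP instead of EAP-TLS)' },
    @{ Id = 'KB2491809'; Issue = 'No credential prompt for some users on a shared PC' },
    @{ Id = 'KB2835595'; Issue = 'No prompt for 802.1x credentials' },
    @{ Id = 'KB2494172'; Issue = 'Fails when a valid and an invalid certificate exist' },
    @{ Id = 'KB2769121'; Issue = 'Wrong certificate after migration across two forests' },
    @{ Id = 'KB2736878'; Issue = 'Authentication fails intermittently' }
)

# Get-HotFix reads Win32_QuickFixEngineering. A fix that arrived inside a later
# rollup may not be recorded under its own KB ID, so "missing" here means
# "verify this endpoint", not "confirmed unpatched".
$installed = @(Get-HotFix -ComputerName $ComputerName |
               ForEach-Object { $_.HotFixID })

$report = foreach ($kb in $required) {
    New-Object PSObject -Property @{
        HotFixID  = $kb.Id
        Installed = ($installed -contains $kb.Id)   # -contains is case-insensitive
        Issue     = $kb.Issue
    }
}

$report | Select-Object HotFixID, Installed, Issue | Format-Table -AutoSize

# A non-zero exit code lets deployment tooling flag endpoints that need follow-up.
$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    $ids = ($missing | ForEach-Object { $_.HotFixID }) -join ', '
    Write-Warning "$ComputerName is not reporting: $ids"
    exit 1
}
exit 0
```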

18 Comments
jvdbiest01
Level 1

Hello,

For some time now, we have had Windows 7 PCs authenticating with dot1x that lose network connectivity after being in sleep mode (switchport authentication status: Unauthorized). The problem is caused by the combination of the activity of the network card when the PC is asleep and the authentication process.

When the PC is in sleep mode, the network card continues to have some activity and replies to ARP requests (from the switch). Our authentication server is configured to drop / blacklist devices after several unsuccessful authentication attempts (see “Anomalous Client” on ISE). For this reason, the PC cannot authenticate on the authentication server anymore and cannot access the network.

You can see in the capture below a MAB attempt every 15 minutes, which matches the 15-minute “Request Rejection Interval” on which the switch tries to see whether the device now responds or will stay an “anomalous client” for another 15 minutes.

I can get connectivity again when I disconnect the cable from the network card, restart the PC, clear authentication, and reconnect the network cable; then the PC is back on the network until the next sleep. Another way is to put the PC in a MAB list, but this is not manageable for more than 3000 devices.


(remark: some confidential details of the picture have been removed)

Another way to avoid this issue is to disable the power management of the network card.

The PC goes into sleep mode, wakes up, and immediately has access to the network again.

The problem with this workaround is that the Wake-on-LAN feature is also disabled. As our customer uses this feature, this solution was not applicable.

Then I found a solution :-)

The new Intel drivers have more power management options, and it’s possible to disable the response to ARP requests.

This configuration allows us to keep the power management and the Wake-on-LAN feature active, and the authentication succeeds after a sleep:

 

 

The driver is the Intel® Network Adapter Driver for Windows 7 - Version: 22.0.1 (Latest) Date: 2/13/2017

The driver can be found at the following link:

https://downloadcenter.intel.com/downloads/eula/18713/Intel-Network-Adapter-Driver-for-Windows-7-?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F18713%2Feng%2FPROWinx64.exe

A restart of the PC is required.

The PC does not answer ARP requests anymore, and dot1x authentication succeeds when the PC is woken up.

The one failed authentication before each success is just the MAB that happens before the user has time to authenticate.

(remark: some confidential details of the picture have been removed)

 

I hope this solution can help some people. I’m seeing some posts on forums with this issue, but I’ve never found my solution.

Some KBs were deployed on these W7 PCs as per the following post (this post): https://supportforums.cisco.com/blog/12256681/getting-past-intermittentunexplained-8021x-problems-windows-7, but this did not solve the issue.

This tip concerns PCs with Intel NIC drivers, and I hope that other vendors have similar options in their drivers.

Please let me know if this solution resolves your issue. For me, all my sleeping PCs can now get network connectivity and are successfully authenticated after being woken up.

Best regards,

Joël Vanderbiest

aayala
Level 1

Do you have a similar article for Windows 10? Thanks

ErnestoJuarez
Level 1

From my perspective, I believe that KB976373 is a dirty solution due to the fact that the ignoring period in EAP identity packets of 20 minutes could be changed. This means that the client begins 802.1X authentication more often (depending upon the duration of timer).
