Microsoft KB Archive/838423

= Unauthorized users can briefly authenticate when you use the 802.1x protocol =

PSS ID Number: 838423

Article Last Modified on 4/13/2004

-

The information in this article applies to:


 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, 64-Bit Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows XP 64-Bit Edition Version 2003
 * Microsoft Windows XP 64-Bit Edition Version 2002 SP1
 * Microsoft Windows XP 64-Bit Edition Version 2002
 * Microsoft Windows XP Professional SP1
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Tablet PC Edition
 * Microsoft Windows 2000 Professional SP3
 * Microsoft Windows 2000 Server SP3
 * Microsoft Windows 2000 Advanced Server SP3

-





SYMPTOMS
When you use the Institute of Electrical and Electronics Engineers (IEEE) 802.1x protocol to help protect a wireless or a wired connection, the connection is authenticated for several minutes even if you are not authorized to use the connection.



CAUSE
This behavior occurs because the IEE 802.1x protocol-based client computer authenticates the connection until the user credentials are verified. When an unauthorized user tries to use the connection, the user authentication fails. The computer retries the authentication three times at an interval of 60 seconds. When the third try fails, the connection is unauthorized. Therefore, it may take several minutes to retract the authorization of the connection.

Note The 802.1x protocol standard has not defined a logoff command. Only the logon command is defined. Some verification retries are required because a logon command may fail because of problems at the physical layer. This behavior is a result of the design of the 802.1x protocol.



WORKAROUND
To work around this behavior, follow these steps:
 * 1) Click Start, point to Settings, and then click Control Panel.
 * 2) Double-click Network Connections, right-click the wireless connection, and then click Properties.
 * 3) Click the Authentication tab, and then click to clear the Authenticate as computer when computer information is available check box.
 * 4) Click OK.

Note If you click to clear the Authenticate as computer when computer information is available check box, you may lose other functions like computer-based group policies that can help enhance system security.



MORE INFORMATION
By default, the 802.1x client computer performs the following authentication methods:
 * Computer authentication when users are not logged on
 * User authentication when users log on
 * Computer authentication when users log off

This authentication makes sure that network access leverages user account credentials where it can for accountability, while the authentication still makes sure those Windows features that require network access work correctly.

The following features require computer authentication:
 * Active Directory directory service computer Group Policy
 * Network logon scripts
 * Systems management agents
 * Remote Desktop Connection
 * Shared folder

For more information about the Microsoft 802.1x Authentication Client, visit the following Microsoft Web site:

http://www.microsoft.com/technet/community/columns/cableguy/cg1202.mspx

Keywords: kbnetwork kbwinservnetwork kbprb KB838423

Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbWin2000AdvServSP3 kbwin2000Pro kbwin2000ProSearch kbWin2000ProSP3 kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbwin2000ServSP3 kbWinAdvServSearch kbWinServ2003Data kbWinServ2003Data64bit kbWinServ2003Data64bitSearch kbWinServ2003DataSearch kbWinServ2003Ent kbWinServ2003Ent64bit kbWinServ2003Ent64bitSearch kbWinServ2003EntSearch kbWinServ2003Search kbWinServ2003St kbWinServ2003Web kbWinXPPro kbWinXPPro64bit kbWinXPPro64bit2002 kbWinXPPro64bit2002Search kbWinXPPro64bit2002SP1 kbWinXPPro64bit2003 kbWinXPPro64bit2003Search kbWinXPPro64bitSearch kbWinXPProSearch kbWinXPProSP1 kbWinXPSearch kbWinXPTabPC

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© 2004 Microsoft Corporation. All rights reserved.