Microsoft KB Archive/931856

= A Windows XP-based wired client computer will not obtain a valid IP address from a guest VLAN or from an "Authentication failed-VLAN" =

Article ID: 931856

Article Last Modified on 3/7/2007

-

APPLIES TO


 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition

-



Important: This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
Consider the following scenario:
 * A Microsoft Windows XP-based wired client computer uses the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication configuration.
 * IEEE 802.1X authentication is enabled on the client computer.
 * The client computer does not have a valid certificate for 802.1X authentication.

In this scenario, the client computer will not obtain a valid IP address from a guest Virtual Local Area Network (VLAN) or from an "Authentication failed-VLAN". ("Authentication failed-VLAN" is a Cisco feature.)



CAUSE
This problem occurs because the client computer that uses 802.1X authentication will not respond to the EAP request identity packets that the Ethernet switch sends. The client computer does not respond because it does not have a valid certificate. Therefore, the client computer sends an EAP over LAN (EAPOL) start frame and does not respond to the EAP request identity packet.



RESOLUTION
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this problem, follow these steps:

 1. Create the SupplicantMode registry entry and set its value to 1. Then, the Windows XP client computer does not send an EAPOL start frame. To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following registry subkey:
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type SupplicantMode, and then press ENTER.
    5. On the Edit menu, click Modify.
    6. Type 1 in the Value data box, and then click OK.
    7. Exit Registry Editor.
 2. Use PEAP-MSCHAPv2 as the 802.1X authentication mechanism. In this scenario, the client computer will always respond to EAP request identity frames if you do not change the default configuration.
 3. Use the default settings in which the SupplicantMode registry entry is not present, and change the Ethernet switch settings to a value of 1 for the following settings:
    * Minimum EAPOL time-out value
    * EAP retry amount
 4. Change the Ethernet switch VLAN setup. Use one default VLAN, and then use one or more VLANs for 802.1X authenticated computers and users.
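The registry change in step 1 can also be scripted, which helps when the setting has to be applied and verified on several clients. The following is an added example and is not part of the original Microsoft article; it assumes Windows PowerShell is installed on the client and the session runs with administrator rights, and the backup file name is a placeholder chosen for illustration.

```powershell
# Added example, not from the original article. Run as an administrator.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
$regPath   = 'HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'  # same key, reg.exe syntax
$valueName = 'SupplicantMode'
$desired   = 1
$backup    = Join-Path $env:TEMP 'eapol-global-backup.reg'  # assumed backup location

function Get-SupplicantMode {
    # Returns the current DWORD, or $null when the key or the entry is absent.
    if (-not (Test-Path $keyPath)) { return $null }
    $props = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($props -eq $null) { return $null }
    return $props.$valueName
}

$before = Get-SupplicantMode
if ($before -eq $desired) {
    Write-Output "$valueName is already $desired; nothing to change."
} else {
    if (Test-Path $keyPath) {
        # Back up the subkey before modifying it, as the article's warning advises.
        # An old backup is removed first so reg.exe does not stop on an existing file.
        if (Test-Path $backup) { Remove-Item $backup }
        & reg.exe export $regPath $backup | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; no change was made." }
    } else {
        # The subkey does not exist yet, so there is nothing to back up; create it.
        New-Item -Path $keyPath -Force | Out-Null
    }

    # Create (or overwrite) the entry as a DWORD, matching steps 3 through 6 above.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
        -Value $desired -Force | Out-Null

    # Read the value back instead of trusting the write.
    $after = Get-SupplicantMode
    if ($after -ne $desired) { throw "$valueName is '$after', expected $desired." }

    if ($before -eq $null) { $shown = '(not present)' } else { $shown = $before }
    Write-Output "$valueName changed from $shown to $after."
}
```

To return to the default configuration referred to in step 3, delete the SupplicantMode entry so that it is no longer present.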


MORE INFORMATION
The following table describes the SupplicantMode registry entry for values from 0 through 3.

The SupplicantMode registry entry is also explained in the "Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows" article. To download this article, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?familyid=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en

Keywords: kbexpertiseadvanced kbtshoot KB931856

-


© Microsoft Corporation. All rights reserved.