20 minute delay deploying Windows 7 on 802.1x? Fix it here!

Someone mentioned to me that he has a 20 minute delay deploying Windows 7 to 802.1x EAP networks.  They noted http://support.microsoft.com/kb/978152, which is “A Windows Vista-based or Windows Server 2008-based computer does not respond to 802.1X authentication requests for 20 minutes after a failed authentication”.

 

But they didn’t see a similar fix for Windows 7.  So, what do they do?  They ask PFE of course!  I got together with Yong Rhee and Carl Luberti, we kicked the tires a few times, and we found that to fix this you likely need to do two things:

1) Apply http://support.microsoft.com/?id=976373, which is “A computer that is connected to an IEEE 802.1x-authenticated network via another 802.1x enabled device does not connect to the correct network”, and then add the registry key to modify the timeout value:

For wired networks
To use the new registry setting in a wired network, follow these steps:

1. Open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press ENTER.

2. Locate and then right-click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc

3. Point to New, and then click DWORD Value.

4. Type BlockTime, and then press ENTER.

5. Right-click BlockTime, and then click Modify.

6. Click Decimal under Base.

7. In the Value data box, type an appropriate value for the blocking period, and then click OK. The value that you specify for this registry entry represents the number of minutes that the system waits before it retries a failed authentication. The default value is 20 and the valid range is 1 – 60. If you set this key to 0, it will not apply at all.

8. Exit Registry Editor.

For wireless networks
To use the new registry setting in a wireless network, follow these steps:

1. Open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press ENTER.

2. Locate and then right-click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wlansvc

3. Point to New, and then click DWORD Value.

4. Type BlockTime, and then press ENTER.

5. Right-click BlockTime, and then click Modify.

6. Click Decimal under Base.

7. In the Value data box, type an appropriate value for the blocking period, and then click OK. The value that you specify for this registry entry represents the number of minutes that the system waits before it retries a failed authentication. The default value is 20 and the valid range is 1 – 60. If you set this key to 0, it will not apply at all.

8. Exit Registry Editor.

Set the value to something smallish, like, say, 2.
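As an added example (my own script, not part of the original post and not something the authors published), the same BlockTime change as a PowerShell function that writes the DWORD to the wired (dot3svc) and/or wireless (wlansvc) key and reads back what is now stored. It assumes an elevated PowerShell session on Windows 7 with KB976373 applied; the function and parameter names are my own.

```powershell
# Added example, not from the original post. Assumes an elevated session on a
# Windows 7 box that already has KB976373 installed; names below are mine.
function Set-Dot1xBlockTime {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Minutes to wait before retrying a failed 802.1X authentication.
        # The post gives 1-60 as the valid range and says 0 means "not applied".
        [Parameter(Mandatory = $true)]
        [ValidateRange(0, 60)]
        [int] $Minutes,

        # Which service key(s) to write: wired (dot3svc), wireless (wlansvc) or both.
        [ValidateSet('Wired', 'Wireless', 'Both')]
        [string] $Scope = 'Both'
    )

    $paths = @{
        Wired    = 'HKLM:\SOFTWARE\Microsoft\dot3svc'
        Wireless = 'HKLM:\SOFTWARE\Microsoft\wlansvc'
    }
    $targets = if ($Scope -eq 'Both') { @('Wired', 'Wireless') } else { @($Scope) }

    foreach ($name in $targets) {
        $key = $paths[$name]
        if (-not (Test-Path $key)) {
            Write-Warning "$key does not exist; skipping $name."
            continue
        }
        if ($PSCmdlet.ShouldProcess($key, "Set BlockTime = $Minutes")) {
            # Same as steps 3-7 above: a REG_DWORD named BlockTime, decimal value.
            New-ItemProperty -Path $key -Name 'BlockTime' -PropertyType DWord `
                -Value $Minutes -Force | Out-Null
        }
        # Read back the stored value so the caller can confirm what was written.
        $stored = (Get-ItemProperty -Path $key -Name 'BlockTime' -ErrorAction SilentlyContinue).BlockTime
        [pscustomobject]@{ Scope = $name; Key = $key; BlockTime = $stored }
    }
}

# Example call: the "smallish" value suggested above, on both keys.
# Use -WhatIf first to see which keys would be touched without writing anything.
Set-Dot1xBlockTime -Minutes 2 -Scope Both
```

Note that, as the comments below describe, when the wired profile is delivered by Group Policy the equivalent "netsh lan set blockperiod" command returns "Access is denied", so check how the 802.1X profile is managed before expecting a local change to take effect.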

Hope this helps you in your deployments!

Jeff, Carl and Yong

12 Comments

  1. Jeff,

    I had installed this hotfix and created a registry entry for BlockTime (1 minute) on a Windows 7 domain PC.

    But the behaviour did not change; the block time remained 20 minutes.

    I also installed the hotfix KB980295, but it also did not change the block time behaviour.

    The wired 802.1x policy is configured through Group Policy.

    The Group Policy Object settings do not show an "Enable Block time" option.

    Please advise on how to resolve this issue and reduce the block time to 1 minute.

  2. The PC is in the domain and the dot1x profile is set by Group Policy.

    When entering "netsh lan set blockperiod value=0", an access denied error message is displayed.

  3. C:>netsh lan set blockperiod value=0

    Error from function "Dot3SetAutoConfigParameter":
    Access is denied.

    You do not have sufficient privileges or group policy has been applied.

    C:>netsh lan set blockperiod value=1

    Error from function "Dot3SetAutoConfigParameter":
    Access is denied.

    You do not have sufficient privileges or group policy has been applied.

  4. Microsoft support engineer told me the valid range is 1 – 60 minutes, and that if you set the value to 0, then the block timer will keep the default value of 20 minutes. Has anyone found conclusive evidence that block timer can be set to 0?

  5. Is there any reason not to set it to 1 minute? I know if there is an 802.1x failure it will send out packets every minute, but that’s Ok.
    20 minutes is way too long…
