Client Management Suite

 View Only

  • 1.  802.1x client authentication

    Posted Dec 28, 2015 10:09 AM

    Hello to all,

    we started to test 802.1x in our enviroment using Windows 7 SP1 as supplicant with HP Procurve switches and Windows 2012 with NAPS feature as RADIUS.

    During test I noticed that clients hang during the logon phase and don't go further the Windows "Welcome" message (sometimes neither is possible to insert credentials after the ctrl+alt+canc), but if I check on the switch and on NAPS I can see the client status as authenticated. 

    I've already tried to install the following MS patches:

    https://support.microsoft.com/en-us/kb/980295

    https://support.microsoft.com/en-us/kb/2459530

    but I saw that they resolved the problem only temporally: the day after I've installed these patches I came back to experience the "hang" behavoiur.

    I tried also with this, but with no results:

    https://support.symantec.com/en_US/article.TECH200321.html

     

    Does someone know if I've to configure something on SEP (version 12.1.3001.165 on the most of our clients and version 12.1.6168.6000 on a few PCs for testing purpose).

    FYI we don't use SNAC and LAN Enforcer solutions.

    Thanks to all for help

    Marco

     

     

     

     



  • 2.  RE: 802.1x client authentication

    Posted Dec 28, 2015 12:24 PM

    Hi Marco,

    What components of SEP are you currently using? If you are using the firewall (part of the NTP component), please temporarily disable to see if that fixes your issue.

    If this worked, does anything show up in the Traffic log on one of the affected clients?

    Have a look at this article as well:

    Troubleshoot blocked network traffic due to the Endpoint Protection firewall

    The default SEP firewall policy has a rule to allow Wireless EAPOL.

    I'm under the assumption you have the SEP firewall enabled but if not then everything I mentioned above would not apply.



  • 3.  RE: 802.1x client authentication

    Posted Dec 29, 2015 04:51 AM

    Hi Brian,

    on our desktops we already use an "all traffic permitted rule", but we however experience the issue explained above.

    Notebooks have different FW configurations depending to the "location", but I think we can focus on desktops.

    FYI:

    We use the following components: AV and Spyware Protection, Proactive Threat Protection, Network Threat Protection (firewall, intrusion prevention and application-device control).

    Our aim is to configure only "wired" 802.1x cause we don't allow wireless connections.

     

    Marco



  • 4.  RE: 802.1x client authentication

    Posted Dec 29, 2015 09:19 AM

    Thanks Marco. Have you tested this with either SEP totally disabled or just the firewall component? I want to narrow it down here. If it's not SEP then maybe the patches...



  • 5.  RE: 802.1x client authentication

    Posted Dec 31, 2015 06:43 AM

    Hi Brian,

    we'll test it in the next days

    Marco