Network Access Control

Hi, got a weird problem here when we are trying to setup with windows 7.

Our environment has been running win XP, SEP + SNAC with LAN enforcer setup for a year now. Everything has been fine so far. Users are getting the correct IP address range.

When we tried to setup a computer with windows 7 with the same setup, we got a problem.

when the computer starts up and a user login with the domain credentials, the user is able to login, but not able to get a valid IP address.

Right-clicking on the SEP icon to Re-Authenticate does not help, and there is no "green dot" on the SEP taskbar icon as well.

In this state, when the LAN cable is un-plug, and re-insert again, we would see the balloon prompt from the SEP taskbar icon indicating that "802.1X authentication is successful", and we will get a valid IP address immediately.

Once the computer is rebooted, we will need to go through this process of un-plugging / plug-in over again.

Is there any recommendation to what i can try to resolve this?

Running on SEP 11.0.6000.550

Thanks and Regards,

Hans

Not sure if this applies to your issue, but take a look.

802.1x wireless clients with Windows 7 and Vista are blocked by the Lan Enforcer with the error message "Because Host Integrity check is UNAVAILABLE, profile check is UNAVAILABLE and EAP auth is PASSED."

http://www.symantec.com/business/support/index?page=content&id=TECH97465&actp=search&viewlocale=en_US&searchid=1291216717955

Best,

Thomas

Hi Thomas,

Thanks for the suggestion. I've checked the policy settings, its already set as what was in the solution.

The situation occurs in the wired LAN setting. we did not apply NAC enforcement in the wireless environment.

I've found something from the release notes from SNAC V11 RU6, not sure if it is related to my current problem.

Symantec Network Access Control client can delay DHCP server authentication after hibernation If a Symantec Network Access Control client resumes after hibernation, there may be a delay in obtaining DHCP server authentication. This situation occurs because the client should request a new IP address. Instead, the client continues to request the current IP address.  [2011533] 

Regards,

Hans

Hello,

This is known issue on the RU6 and before try to upgrade your appliance,clients and sep manager to RU6 mp2.

Regards,

Oykun

Hi,

Just tried upgrading to the latest 11.0.6200 (11.0.6 MP2) last night for SEPM, SNAC, LAN Enforcer.

Windows 7 clients still experiencing the same issues during login.

Just read an article from windows support. (KB 980295) http://support.microsoft.com/kb/980295

Not sure if it has anything related to this.

I've tested the patch from the KB, but doesn't seem to improve the situation.

I'm currently testing with a test group with host integrity check disabled. Problem seems to be on the 802.1x portion.

Regards,

Hans

Need to check with you guys on the windows client's 802.1x authentication method. which is the reccommended for use with SNAC?

Under Wired network Policy properties, Authentication Mode,

"Computer only", "User authentication", or "User re-authentication".

It was set to "User authentication" previously, and it worked for windows xp sp3 clients, but not on windows 7 clients.

When we switched to "User re-authentication" it works with windows 7 client.

We are currently testing on the different authentication modes and verifying on windows xp and windows 7 client. Not sure if it would trigger other issues on the network access.

Regards,

Hans