List of IEEE 802.1x hotfixes for Windows 7

February 16, 2013

Most companies which want to enable 802.1x for their wired network run Windows 7 SP1. After activating 802.1x you’ll run into various problems with your Windows 7 boxes. It will work fine in lab tests but it will fail in the real world. Why is that? Because there are many 802.1x bugs in it.

Normally I blog about Linux, networking and security and not Windows-related stuff. I’m not a Windows expert, but I needed to get it authenticated with my network, so I needed to look into the matter. I hope it helps other network guys. I’ve been working for over 8 months (no, not all the time 😉 ) now to get Windows 7 SP1 working with 802.1x 100% of the time. It’s working 99% of the time, but there are still errors (under rare and special conditions) that occur. ;-(

At the time of writing this list I didn’t find any other site that lists the available hotfixes, so I thought I’d start a list. The description texts from Microsoft for these hotfixes are sometimes brain dead. Anyway, some entries are the result of working with Microsoft Premier Support on cases. If you find any other hotfix, fixit, … please let me know.

ps: We’re using EAP-TLS so I can only write about patches I needed for it.

  1. KB2481614
    If you’re configuring your 802.1x settings via Group Policy, you’ll sometimes see EAP-PEAP requests from clients in your RADIUS server log during boot, even if you’ve set EAP-TLS. This error happened in our case with 1/3 of the boots with some models. The error is caused by a timing problem during startup. Sometimes 802.1x is faster and sometimes Group Policy is, and if 802.1x is faster, then the default configuration is taken, which is PEAP. This leads to an EAP-NAK by the RADIUS server.
  2. KB980295
    If an initial 802.1x authentication is passed, but a re-authentication fails, Windows 7 will ignore all later 802.1x requests. This hotfix should also fix a problem with computers waking up from sleep or hibernation – but we’ve disabled these features so I can’t comment on them.
  3. KB976373
    This hotfix is called “A computer that is connected to an IEEE 802.1x-authenticated network via another 802.1x enabled device does not connect to the correct network”. I can’t comment on this, as we’ve not deployed 802.1x for our VoIP phones at this point. But it solves one other problem, which is described here. The Windows Vista hotfix for the same problem, linked in the article (there is a third related hotfix that is not linked in the article; it’s for XP, so it seems the problem runs through the whole product line), states that if an error occurs Windows is normally hard-coded to ignore EAPOL packets for 20 min. I would guess it is the same for Windows 7 too. The linked article tells you to install the patch and set some registry key to lower the value.
  4. KB2769121
    A short time ago I found this one: “802.1X authentication fails on a Windows 7-based or Windows 2008 R2-based computer that has multiple certificates”. At the time of writing I’m not sure if it helps for something in my setup. According to the symptoms list of the hotfix, it does not, but maybe it helps for something else, as the one before does.
  5. KB2736878
    Another error during booting – this time it happens if the read process starts before the network adapter is initialized. It really seems that they wanted to get faster boot times, no matter the cost.
  6. KB2494172
    This hotfix fixes a problem if you’ve installed a valid and an invalid certificate for 802.1x authentication. The workaround is just deleting the invalid certificate. I’m not sure at this point if it also affects wired authentication.
  7. KB976210
    This problem occurs only during automated build processes and if you use an EAP method which needs user interaction – as I don’t do that I can’t comment on this hotfix.
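
To see which of the hotfixes in this list a machine already has, the following PowerShell script compares the installed hotfixes with the seven KB numbers above. It is an added example, not from the original post; the script's `-ComputerName` parameter and the short notes per KB are assumptions made for the example.

```powershell
# Added example (not from the original post): report which of the hotfixes
# listed above are installed. Written for PowerShell 2.0, the Windows 7 default.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)   # hypothetical parameter name
)

# KB numbers and notes are taken from the list in this post.
$wanted = @{
    'KB2481614' = 'PEAP sent at boot before Group Policy applies EAP-TLS'
    'KB980295'  = 'requests ignored after a failed re-authentication'
    'KB976373'  = 'behind another 802.1x device; EAPOL ignored after error'
    'KB2769121' = 'authentication fails with multiple certificates'
    'KB2736878' = 'boot-time failure before the adapter is initialized'
    'KB2494172' = 'valid and invalid certificate both installed'
    'KB976210'  = 'automated builds with interactive EAP methods'
}

foreach ($computer in $ComputerName) {
    try {
        # List everything and filter locally: Get-HotFix -Id writes an error
        # for every KB that is absent, which is the case we want to report.
        $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                       ForEach-Object { $_.HotFixID })
    } catch {
        Write-Warning "$computer : could not query hotfixes: $_"
        continue
    }
    foreach ($kb in ($wanted.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Computer  = $computer
            HotFix    = $kb
            Installed = ($installed -contains $kb)
            Fixes     = $wanted[$kb]
        } | Select-Object Computer, HotFix, Installed, Fixes
    }
}
```

Get-HotFix lists updates under the KB number of the package that was installed, so `Installed = False` means that package is absent on the machine.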

So far this is my list – with the list you should get Windows 7 and 802.1x running nicely, but it is not perfect – Do you know any other patches or workarounds?

 

8 Comments »


  1. Hi! Maybe you can help? The problem here is that upon enabling IEEE 802.1 X we get a blue? instead of the switch icon in the network connections map. We have a FIOS gateway router, Windows 7, and an HP Pavilion computer. Can you tell me why this is happening and what to do about it?
    Thanks!

    Comment by rhonda oliver — April 10, 2013 #

  2. […] List of IEEE 802.1x hotfixes for Windows 7 […]

    Pingback by List of IEEE 802.1x hotfixes for Windows 7 - Security Informant — June 6, 2013 #

  3. KB2736878

    Comment by Jose Ramon — July 5, 2013 #

  4. So I can’t tell if my issue is related to KB2494172 or not. I have a wired 802.1x deployment using TLS machine authentication on Windows 7 with the necessary certs (FreeRadius generated), the root CA exists in the Local Computer -> Trusted Root Certification store, and the client cert exists in the Local Computer -> Personal store. Both certs are valid and 802.1x works perfectly fine. However, when there is another valid cert in the Local Computer -> Personal store with a name starting with a higher letter (D higher than L in the alphabet) than the radius client cert, then that cert (with the higher letter) will get sent to the radius server and will not authenticate properly. Some of these other valid certs are needed so I’m not sure if there is a fix for this. Any help would be greatly appreciated.

    Thanks,

    JQ

    Comment by JQ — December 17, 2013 #

  5. Take a look at http://support.microsoft.com/kb/2769121, which talks about multiple certs.

    Comment by robert — January 2, 2014 #

  6. Yeah I’ve tried KB2769121 but to no avail, 🙁

    Comment by JQ — January 14, 2014 #

  7. Thanks for your list. Very useful. Please consider these too.
    KB2710995
    KB2491809
    KB2835595

    Comment by Roger Base — September 23, 2014 #

  8. I’m having the same issue as JQ (Win 7 supplicants with multiple certs fail authentication). In my case supplicants only use one certificate, which is the incorrect one in my case. Also it is using the cert that was installed last.

    Comment by BlueBird — July 15, 2015 #
