February 15, 2014
If you, like me, need to capture some traffic from a Mikrotik router and
/tool sniffer quick doesn't cut it because you need more than just the headers, the best way is to stream the traffic to a Linux box. The Mikrotik configuration is easy, just set the server you want to stream to:
/tool sniffer set streaming-enabled=yes streaming-server=<ip_of_the_server>
Configure a filter as you don’t want to stream everything:
/tool sniffer set filter-ip-address=<an_example_filter_ip>
Now you only need to start it with
/tool sniffer start
and check with
/tool sniffer print
if everything is running.
But now comes the part that is not documented that well. Searching through the internet I found some posts/articles on how to use Wireshark for capturing, but that does not work correctly – at least not for me.
If you configure the capture filter to udp port 37008 to get everything the router sends via TZSP, you will see the packets from the router arriving in the capture.
If you now set the display filter to show only TZSP, these packets are not displayed any more. These packets contain information we need, and I was not able to configure Wireshark 1.10.2 to work correctly. If you know how to get it to work, please write a comment. I changed my approach and use another program to write the packets to disk, to look at them later with Wireshark. And I found a program from Mikrotik directly which does that. Go to the download page, download Trafr, extract it and use it like this:
$ tar xzf trafr.tgz
usage: trafr <file | -s> [ip_addr]
-s write output to stdout. pipe it into tcpdump for example:
./trafr -s | /usr/sbin/tcpdump -r -
ip_addr use to filter one source router by ip address
$ ./trafr test.pcap <ip_of_the_router>
After you have stopped the program, you can open the file in Wireshark and no packets are missing.
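If you would rather not depend on a binary, the TZSP encapsulation the router uses is simple enough to strip yourself. The following Python receiver is an added example, not Mikrotik's trafr and not code from the original post: it listens on UDP 37008, walks the TZSP tag list (version, type, encapsulated protocol, then tags until the end tag 0x01, with 0x00 as padding), and appends each decapsulated Ethernet frame to a pcap file, optionally filtering on the sending router like trafr's ip_addr argument. The sample datagram at the bottom is constructed for testing.

```python
import socket
import struct
import sys
import time

TZSP_PORT = 37008          # UDP port RouterOS streams to
TZSP_VERSION = 1
TZSP_TYPE_RX_PACKET = 0    # "received tag list": carries a captured frame
TZSP_TYPE_KEEPALIVE = 4    # carries no frame
TZSP_ENCAP_ETHERNET = 1
TAG_PADDING = 0x00         # single byte, no length field
TAG_END = 0x01             # single byte, ends the tag list
PCAP_LINKTYPE_ETHERNET = 1


def tzsp_decapsulate(datagram: bytes):
    """Strip the TZSP header and tag list from one UDP datagram.

    Returns (encapsulation, frame) for packet-carrying datagrams and None for
    keepalives and other types without a frame. Raises ValueError on malformed
    input so a truncated datagram is never written out as a packet.
    """
    if len(datagram) < 5:
        raise ValueError("datagram shorter than TZSP header")
    version, msg_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    if msg_type != TZSP_TYPE_RX_PACKET:
        return None
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("tag without length byte")
        tag_len = datagram[pos]   # every other tag is TLV: tag, length, value
        pos += 1 + tag_len
    return encap, datagram[pos:]


def pcap_global_header(linktype=PCAP_LINKTYPE_ETHERNET) -> bytes:
    # magic, major, minor, thiszone, sigfigs, snaplen, network (little-endian pcap)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


def pcap_record(frame: bytes, ts: float) -> bytes:
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


# Constructed sample: TZSP v1, type 0, Ethernet, one TLV tag (0x28, 1 byte value),
# one padding byte, the end tag, then a 14-byte Ethernet header plus a payload.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff001122334455" "0800") + b"payload"
SAMPLE_DATAGRAM = bytes([1, 0, 0, 1, 0x28, 1, 0xAA, 0x00, 0x01]) + SAMPLE_FRAME
SAMPLE_KEEPALIVE = bytes([1, TZSP_TYPE_KEEPALIVE, 0, 1, TAG_END])


def stream_to_pcap(path, source_router=None, port=TZSP_PORT):
    """Receive TZSP on UDP `port` and append each frame to `path`, like `trafr <file> [ip]`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    with open(path, "wb") as out:
        out.write(pcap_global_header())
        while True:
            datagram, (src_ip, _) = sock.recvfrom(65535)
            if source_router and src_ip != source_router:
                continue  # only accept the router we asked for
            try:
                result = tzsp_decapsulate(datagram)
            except ValueError as exc:
                print(f"dropping malformed datagram from {src_ip}: {exc}", file=sys.stderr)
                continue
            if result is None:
                continue
            _, frame = result
            out.write(pcap_record(frame, time.time()))
            out.flush()


if __name__ == "__main__":
    stream_to_pcap(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
```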
January 12, 2014
Last week we at work got a mail from CERT.at that 2 IP addresses in our AS were probably running misconfigured NTP servers, which can be abused for DDoS attacks via NTP reflection. But first we need to start with the background.
In the last weeks multiple DDoS attacks were using NTP reflection. The attackers are making use of the monlist command, which is enabled on older versions of the NTP daemon. With that command it is possible to get a list of up to the last 600 hosts / IP addresses which connected to the NTP daemon. As NTP is UDP based, an attacker spoofs the source IP address and the answer packet from the NTP daemon is sent to the victim. Besides hiding the attacker's IP addresses from the victim, it amplifies the attack, as the request packet is much smaller than the answer packet. The other problem with this monlist command is that it discloses potentially sensitive information (the IP addresses of the clients using NTP).
How to verify you’re vulnerable?
First you need to find your NTP servers – and that's not as easy as it seems. E.g. our 2 reported NTP servers were not our official NTP servers … but more about that later. To find NTP servers which are reachable from the Internet, use e.g. nmap in a way like this:
sudo nmap -p 123 -sV -sU -sC -P0 <your_network/subnet_mask>
This will return for a Linux NTP server something like this:
Nmap scan report for xxxxx (xxxxxxxx)
Host is up (0.00016s latency).
PORT STATE SERVICE VERSION
123/udp open ntp NTP v4
| receive time stamp: 2014-01-12T11:02:30
| version: ntpd [email protected] Wed Nov 24 19:02:17 UTC 2010 (1)
| processor: x86_64
| system: Linux/2.6.32-358.18.1.el6.x86_64
| leap: 0
| stratum: 3
| precision: -24
| rootdelay: 20.807
| rootdispersion: 71.722
| peer: 56121
| refid: 220.127.116.11
| reftime: 0xd67cedcd.b514b142
| poll: 10
| clock: 0xd67cf4be.9a6959a7
| state: 4
| offset: 0.042
| frequency: -3.192
| jitter: 0.847
| noise: 1.548
| stability: 0.163
|_ tai: 0
But you may also find something like this
Nmap scan report for xxxxx
Host is up (0.00017s latency).
PORT STATE SERVICE VERSION
123/udp open ntp NTP v4
|_ receive time stamp: 2014-01-12T11:02:55
from a system that was not on your list. After this, deactivate and/or filter the services you don't need – a running service which is not needed is always a bad idea. But surely you also want to know how to probe the NTP daemon for the monlist command – just like this:
ntpdc -n -c monlist <ip_address>
If the daemon is vulnerable you'll get a list of IP addresses which connected to the daemon. If the NTP daemon is running on a Linux, Cisco or Juniper system, take a look at this page which describes how to configure it correctly.
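To see monlist traffic in your own captures rather than only probing for it, it helps to know what the packets look like on the wire. The following Python is an added example, not part of the original post: it decodes the 8-byte header of NTP "private" mode 7 packets (the protocol ntpdc speaks), flags the monlist request codes, and groups sample request/reply records into exchanges so you can see how many client addresses a server leaks and how many response bytes each request byte buys. The packet records at the bottom are constructed, with the header bit layout taken from ntpd's ntp_request.h; the item count and 72-byte item size in the replies are sample values.

```python
import struct

NTP_MODE_PRIVATE = 7      # mode 7 = ntpd's private "ntpdc" protocol
IMPL_XNTPD = 3            # implementation number used by ntpd
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42    # the request code ntpdc's "monlist" sends
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}


def parse_ntp_private(payload: bytes):
    """Decode the 8-byte mode 7 header; returns None for anything that is not mode 7."""
    if len(payload) < 8:
        return None
    rm_vn_mode, auth_seq, impl, req_code, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", payload[:8])
    if rm_vn_mode & 0x07 != NTP_MODE_PRIVATE:
        return None
    return {
        "response": bool(rm_vn_mode & 0x80),   # R bit: set on replies
        "more": bool(rm_vn_mode & 0x40),       # M bit: more reply packets follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request_code": req_code,
        "error": err_nitems >> 12,
        "count": err_nitems & 0x0FFF,          # number of items in this reply
        "item_size": mbz_itemsize & 0x0FFF,
        "length": len(payload),
    }


def is_monlist(info) -> bool:
    return (info is not None and info["implementation"] == IMPL_XNTPD
            and info["request_code"] in MONLIST_CODES)


def monlist_exchanges(packets):
    """Group (src, dst, payload) records into monlist exchanges keyed by (client, server).

    The result gives request bytes, response bytes, leaked host entries and the
    bytes-out / bytes-in ratio, which is what makes a server a useful reflector
    and what tells you how much client data it gives away.
    """
    exchanges = {}
    for src, dst, payload in packets:
        info = parse_ntp_private(payload)
        if not is_monlist(info):
            continue
        key = (dst, src) if info["response"] else (src, dst)
        ex = exchanges.setdefault(key, {"request_bytes": 0, "response_bytes": 0,
                                        "hosts_leaked": 0, "amplification": 0.0})
        if info["response"]:
            ex["response_bytes"] += info["length"]
            ex["hosts_leaked"] += info["count"]
        else:
            ex["request_bytes"] += info["length"]
        if ex["request_bytes"]:
            ex["amplification"] = ex["response_bytes"] / ex["request_bytes"]
    return exchanges


# Constructed sample traffic. Request: mode 7, version 2, impl 3, code 42, header plus
# 40 zero data bytes (48 bytes). Replies: R bit set (M bit on the first), 6 items of 72 bytes.
MONLIST_REQUEST = bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + b"\x00" * 44
MONLIST_REPLY_MORE = bytes([0xD7, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + struct.pack("!HH", 6, 72) + b"\x00" * 432
MONLIST_REPLY_LAST = bytes([0x97, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + struct.pack("!HH", 6, 72) + b"\x00" * 432
ORDINARY_SERVER_REPLY = bytes([0x1C]) + b"\x00" * 47   # normal mode 4 time reply, must be ignored
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.10", MONLIST_REQUEST),
    ("192.0.2.10", "198.51.100.7", MONLIST_REPLY_MORE),
    ("192.0.2.10", "198.51.100.7", MONLIST_REPLY_LAST),
    ("192.0.2.10", "198.51.100.7", ORDINARY_SERVER_REPLY),
]

if __name__ == "__main__":
    for (client, server), ex in monlist_exchanges(SAMPLE_PACKETS).items():
        print(f"{server} answered monlist from {client}: {ex['hosts_leaked']} hosts leaked, "
              f"{ex['response_bytes']} B out for {ex['request_bytes']} B in "
              f"(x{ex['amplification']:.1f})")
```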
But I guess you're curious which systems were running on the 2 IP addresses we got reported? They were Alcatel-Lucent switches, which have the NTP daemon activated by default, it seems. So it's really important to check all your IP addresses, not only the known NTP servers.
January 5, 2014
As hopefully many of my readers have already heard/read, multiple consumer routers contain a backdoor which allows an attacker to get the configuration of the router, which also contains the administrator password. I won't rewrite here everything the big IT news sites have already written. Here are just the basics to get you up to speed if you didn't hear about it before:
- Eloi Vanderbeken found on his Linksys router WAG200G a process that was listening on TCP port 32764. After analyzing the code he figured out that it was possible to extract the configuration from the router over this process without knowing the password. The configuration also contains the password.
- After he posted the information to the net, other users stepped forward and told him that other manufacturers and models have the same backdoor. Don't say "conspiracy theory" now.
- On some routers the process is “only” listening on the internal network (which is also attackable over the users browser) but some are also reachable on the Internet. Scanning for this in the internet is easy with zmap .. only 45min for the whole IPv4 Internet address space.
- Click here to get the current list of affected routers – it's a long list containing vendors like Cisco, Linksys, Netgear, Diamond, LevelOne.
- To verify if your router is also affected, download this Python script (Linux normally has Python preinstalled, on Windows you need to install it) and call it like this:
python poc.py --ip <IP-Address of your router>
If it finds something, you can extract the configuration by adding --print_conf to the command line.
- To check if the process is also reachable from the Internet use a Website like this.
Possible workarounds to get the hole fixed fast:
- On some routers you can configure a local firewall which allows you to block the Port 32764. Depending on your router this is possible for the Internet interface and/or the internal interface.
- Install open-source firmware like OpenWRT.
- Install the new firmware release of your vendor when and if it is released … I wouldn't wait for this.
December 24, 2013
Today I was talking with some friends about the possibility of making a DoS attack against an IPv6 router/switch if I was in the same /64 subnet, by simply sending IPv6 NDP packets to fill the neighbour cache on the router. But the question I was then thinking about was: how many packets can I send e.g. over a 1Gbit link per second? How many entries will the neighbour cache need to hold if the timeout is e.g. set to 120 sec? How long would it take to scan the whole /64? So I sat down and looked at the questions.
How many packets can I send in one direction over a 1Gbit Ethernet link?
The number of packets which can be sent over a link depends on the size of the packets. The smallest ones used for calculation are 64 bytes in the IP world. We need to put that into an Ethernet frame, which adds up to 84 octets (details can be found here). This leads to the following formula:
1000MbitPerSec / 8 Bits / 84 OctetsPerFrame= 1.488.095 FramesPerSec
As only one packet can be in a frame, we can send 1.488.095 packets per second (often called: pps), which is also often called line speed or wire speed. The calculation is true for pure Ethernet, but it changes if you use VLAN tags, QinQ or MPLS … in these cases take a look at this article.
How many entries will the neighbour cache need to hold if the timeout is e.g. 120 sec?
So now we know how many packets we can send at most (ignoring that NDP packets need some additional bytes), which makes it easy to set the limit for the neighbour cache of our router.
1.488.095 PacketsPerSecond * 120 SecondsTimeout = 178571400 entries = 178 Million Entries
Let's say that this is only a RAM problem and everything else would work. Each entry contains at least the IP address and the MAC address. (One possible optimization would be to store only the host part of the IP address.) An IPv6 address has 128bit = 16byte and the MAC address has 48bit = 6byte, which leads to a total of 22byte per entry. A router needs 3,6Gbyte of RAM to store this table … not impossible, but not common either.
How long would it take to scan the whole /64?
And as a bonus question: how long would it take to scan that many IP addresses? First we need the number of IP addresses a /64 can hold.
2^64 = 18.446.744.073.709.551.616 = 1,844674407×10¹⁹ IP Addresses
We know that we can scan 1.488.095 IP addresses per second which leads to
1,844674407×10¹⁹IPaddresses / 1488095 packetsPerSec / 60/ 60 / 24 / 365 = 393081 years
Ok, not practical. But wait … we only need to scan 2^48 addresses, as the host part is derived from the MAC … this makes only 2,814749767×10¹⁴ IP addresses
2,814749767×10¹⁴IPaddreses / 1488095 packetsPerSec / 60/ 60 / 24 / 365 = 6 years
Much smaller but still too long for my spare time.
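The arithmetic above, carried through in Python as an added example (not code from the original post) so the figures can be re-derived for other link speeds, cache timeouts and, going slightly beyond the post, for tagged frames: each 802.1Q tag adds 4 bytes on the wire, so line rate drops for VLAN and QinQ links. The 64-byte minimum frame, 20 bytes of preamble plus inter-frame gap, the 22-byte cache entry and the 120-second timeout are the post's assumptions.

```python
BITS_PER_BYTE = 8
MIN_FRAME = 64              # smallest frame the post calculates with (bytes)
ETHERNET_OVERHEAD = 20      # preamble + SFD (8 bytes) and inter-frame gap (12 bytes)
VLAN_TAG = 4                # each 802.1Q tag adds 4 bytes on the wire
SECONDS_PER_YEAR = 60 * 60 * 24 * 365


def frames_per_second(link_bps=1_000_000_000, vlan_tags=0):
    """Line-rate packets per second for minimum-size frames, rounded down."""
    wire_bytes = MIN_FRAME + ETHERNET_OVERHEAD + vlan_tags * VLAN_TAG
    return link_bps // BITS_PER_BYTE // wire_bytes


def neighbour_cache_entries(pps, timeout_seconds=120):
    """Entries a router must hold if every packet creates one and entries live `timeout_seconds`."""
    return pps * timeout_seconds


def neighbour_cache_ram_bytes(entries, bytes_per_entry=22):
    """22 bytes = 16-byte IPv6 address + 6-byte MAC address, as in the post."""
    return entries * bytes_per_entry


def scan_years(address_count, pps):
    """Time to probe `address_count` addresses one packet at a time at `pps`."""
    return address_count / pps / SECONDS_PER_YEAR


def ndp_exhaustion_summary(link_bps=1_000_000_000, vlan_tags=0, timeout_seconds=120):
    pps = frames_per_second(link_bps, vlan_tags)
    entries = neighbour_cache_entries(pps, timeout_seconds)
    return {
        "pps": pps,
        "entries": entries,
        "ram_gib": neighbour_cache_ram_bytes(entries) / 2**30,
        "scan_64_years": scan_years(2**64, pps),   # whole /64
        "scan_48_years": scan_years(2**48, pps),   # only the MAC-derived 2^48 host parts
    }


if __name__ == "__main__":
    for tags, label in ((0, "untagged"), (1, "802.1Q"), (2, "QinQ")):
        s = ndp_exhaustion_summary(vlan_tags=tags)
        print(f"{label:9s} {s['pps']:>9d} pps  {s['entries']:>11d} entries  "
              f"{s['ram_gib']:.2f} GiB  /64 scan {s['scan_64_years']:.0f} y  "
              f"2^48 scan {s['scan_48_years']:.1f} y")
```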
September 28, 2013
I just had to find out the external IP address (as seen from the Internet) of a Linux server which is behind a NAT router. The normal way, going to WhatsMyIP, didn't work as I was only connected via SSH to this server. But the solution is quite easy thanks to the guys from ipecho, just type:
wget http://ipecho.net/plain -O - -q ; echo
That's so easy! And even faster than using a browser in the first place …
August 29, 2013
You’ve just completed your QoS system, which is based on DSCP for classifying and managing network traffic? Sure there are many sophisticated methods to validate your configuration, but there is also a really simple one which you can do from every Windows or Linux PC as a first check.
And you won't believe it – the program is called ping. On Linux use the option -Q to set the DSCP value of the packets. From the manual:
-Q tos Set Quality of Service -related bits in ICMP datagrams. tos can be either decimal or hex number. Traditionally (RFC1349), these have been interpreted as: 0 for reserved (currently being redefined as congestion control), 1-4 for Type of Service and 5-7 for Precedence. Possible settings for Type of Service are: minimal cost: 0x02, reliability: 0x04, throughput: 0x08, low delay: 0x10. Multiple TOS bits should not be set simultaneously. Possible settings for special Precedence range from priority (0x20) to net control (0xe0). You must be root (CAP_NET_ADMIN capability) to use Critical or higher precedence value. You cannot set bit 0x01 (reserved) unless ECN has been enabled in the kernel. In RFC2474, these fields has been redefined as 8-bit Differentiated Services (DS), consisting of: bits 0-1 of separate data (ECN will be used, here), and bits 2-7 of Differentiated Services Codepoint (DSCP).
On Windows the same is achieved with
In both cases you need to provide the Type of Service (ToS) byte. While this is not the DSCP value you actually want, the ToS byte (8 bits) encompasses DSCP: DSCP uses only the first 6 bits of the ToS byte and ignores bits 7 and 8. So how do you get from one to the other?
There is a quite easy way: DSCP * 4 = ToS, or you can use a DSCP-to-ToS table.
Most VoIP systems use AF31(DSCP 26) for signaling (e.g. SIP) and EF (DSCP 46) for voice/media (e.g. RTP). This means for testing we use
ping -Q 104 <ip_address> # for DSCP 26
ping -Q 184 <ip_address> # for DSCP 46
After calling these commands you can easily check whether your counters increment correctly. After this, put some load on the connection/link, e.g. with FTP or SCP, and let the ping run; it should be stable and with a low latency. If not, VoIP will not work either.
This quick test can also help you with another problem: you need to deploy a system which relies on the DSCP value not being stripped away in transit. For this you use the above command and let Wireshark run.
First you need to add the DSCP column. Just select a packet, then select the DSCP header and use the right mouse button to get to the "Apply as Column" menu entry.
After this you can just look at the DSCP values. If they survive the trip across the network, everything is OK.
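The DSCP/ToS conversion and the "did the marking survive" check above, as an added example in Python (not code from the original post): it maps the usual PHB names (EF, AFxy, CSx) to DSCP code points and back, converts DSCP to the ToS byte that ping -Q expects with the post's DSCP * 4 rule, and checks a list of ToS bytes as read from a Wireshark capture on the far side against the value you sent, ignoring the two ECN bits. The capture values in the test are constructed.

```python
import re

DSCP_EF = 46
_AF = re.compile(r"^AF([1-4])([1-3])$")
_CS = re.compile(r"^CS([0-7])$")


def dscp_from_name(name: str) -> int:
    """Map a PHB name (EF, AFxy, CSx, BE/DF) to its 6-bit DSCP code point."""
    name = name.strip().upper()
    if name in ("BE", "DF"):
        return 0
    if name == "EF":
        return DSCP_EF
    m = _AF.match(name)
    if m:                      # AFxy = 8*x + 2*y, e.g. AF31 = 24 + 2 = 26
        return 8 * int(m.group(1)) + 2 * int(m.group(2))
    m = _CS.match(name)
    if m:                      # CSx = 8*x (the old IP precedence values)
        return 8 * int(m.group(1))
    raise ValueError(f"unknown PHB name {name!r}")


def dscp_name(dscp: int) -> str:
    """Reverse mapping; returns the plain number for code points without a standard name."""
    if dscp == 0:
        return "BE"
    if dscp == DSCP_EF:
        return "EF"
    cls, rem = divmod(dscp, 8)
    if rem == 0 and 0 <= cls <= 7:
        return f"CS{cls}"
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return f"AF{cls}{rem // 2}"
    return str(dscp)


def dscp_to_tos(dscp: int) -> int:
    """DSCP occupies the upper 6 bits of the ToS byte, so ToS = DSCP * 4 (the post's rule)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return dscp << 2


def tos_to_dscp(tos: int) -> int:
    """From a ToS byte (as shown in Wireshark) back to DSCP; the low 2 ECN bits are dropped."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS is one byte")
    return tos >> 2


def ping_command(phb: str, target: str) -> str:
    """Linux ping line for a PHB, e.g. AF31 -> 'ping -Q 104 <target>'."""
    return f"ping -Q {dscp_to_tos(dscp_from_name(phb))} {target}"


def dscp_survived(sent_phb: str, observed_tos_values) -> bool:
    """True when every ToS byte captured on the far side still carries the DSCP you sent."""
    want = dscp_from_name(sent_phb)
    return all(tos_to_dscp(t) == want for t in observed_tos_values)


if __name__ == "__main__":
    for phb in ("AF31", "EF", "CS5", "BE"):
        d = dscp_from_name(phb)
        print(f"{phb:>4} dscp={d:2d} tos={dscp_to_tos(d):3d} (0x{dscp_to_tos(d):02x})  "
              f"{ping_command(phb, '<ip_address>')}")
```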
April 27, 2013
I've found many articles about how to configure a Mikrotik RouterOS as DHCP relay or as simple DHCP server, but I didn't find an article about the following setup:
- central Mikrotik DHCP server (e.g. in the data center)
- multiple VLANs/subnets for clients, which are connected via a Layer 3 switch (or even more hops) to the central data center
According to the Mikrotik Wiki and the described options it is possible, but there is no example shown and everyone uses the setup wizard to configure a DHCP server. I guess most people don't know what happens in the background … I'll show this the old-fashioned way.
Setup for this example/howto
For this example we assume that we have 4 VLANs with the following subnets:
- 10.88.0.0/24 (data center VLAN for the servers and the DHCP server)
- 10.88.10.0/24 (clients network location 1)
- 10.88.11.0/24 (clients network location 2)
- 10.88.12.0/24 (clients network location 3)
The Mikrotik has the IP 10.88.0.100 and is connected via ether1 to the data center VLAN. The Layer 3 switches always use the .1 IP address in the client networks.
Layer3 Switches / DHCP Relay
Most (if not all) switches which are able to perform at least simple layer 3 tasks (often also labeled as Layer2+ switches) are able to forward DHCP requests. Check the manual of the switch for this. One setting I came across sometimes leads to problems. It is called "DHCP Relay delay" and is sometimes set to 1 or 2 seconds in the default configuration. This setting allows a local DHCP server to answer faster, but some clients (especially embedded clients) don't wait that long and run into an error. If there is no local DHCP server, set this timer to 0 seconds.
You'll need to set the DHCP server IP on the switch to the IP of the Mikrotik.
Mikrotik as DHCP Server
First we configure our pools for the client networks; the Mikrotik will give out IPs from these ranges:
/ip pool
add name=poolClientsLocation1 ranges=10.88.10.10-10.88.10.250
add name=poolClientsLocation2 ranges=10.88.11.10-10.88.11.250
add name=poolClientsLocation3 ranges=10.88.12.10-10.88.12.250
Now we need to set the configuration the DHCP server will hand out to the clients:
/ip dhcp-server network
add address=10.88.10.0/24 dns-server=10.88.0.100 gateway=10.88.10.1
add address=10.88.11.0/24 dns-server=10.88.0.100 gateway=10.88.11.1
add address=10.88.12.0/24 dns-server=10.88.0.100 gateway=10.88.12.1
And at last we configure which DHCP relay gets which configuration/pool. The relay address is the .1 address of the respective Layer 3 switch, and the server listens on ether1, the data center VLAN, where the relayed requests arrive:
/ip dhcp-server
add address-pool=poolClientsLocation1 authoritative=yes disabled=no interface=ether1 lease-time=1w name=dhcpClientsLocation1 relay=10.88.10.1
add address-pool=poolClientsLocation2 authoritative=yes disabled=no interface=ether1 lease-time=1w name=dhcpClientsLocation2 relay=10.88.11.1
add address-pool=poolClientsLocation3 authoritative=yes disabled=no interface=ether1 lease-time=1w name=dhcpClientsLocation3 relay=10.88.12.1
This is all …
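Three nearly identical blocks per location invite copy-paste slips (a pool name reused, a network line duplicated), and a wrong relay/gateway pair silently leaves one location without leases. The following Python is an added example, not part of the original post: it derives the pool, network and server entries for each client VLAN from the post's convention (switch at .1, pool .10 to .250, relay address equal to the gateway), renders the RouterOS commands, and checks a set of entries for duplicates and for gateways/relays outside their network. The subnets and DNS server are the post's; pool_name and server_name are names chosen here.

```python
import ipaddress

DNS_SERVER = "10.88.0.100"          # the Mikrotik itself, as in the post
SERVER_INTERFACE = "ether1"         # data center VLAN where relayed requests arrive
LEASE_TIME = "1w"

# From the post's setup: (location number, client subnet)
LOCATIONS = [
    (1, "10.88.10.0/24"),
    (2, "10.88.11.0/24"),
    (3, "10.88.12.0/24"),
]


def relay_config(location, subnet, first_host=10, last_host=250):
    """Pool, network and server values for one relayed client VLAN.

    The layer 3 switch uses .1 in each client network; that address is both the
    clients' gateway and the relay address the DHCP server matches on.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    gateway = net.network_address + 1
    pool_start = net.network_address + first_host
    pool_end = net.network_address + last_host
    for addr in (gateway, pool_start, pool_end):
        if not net.network_address < addr < net.broadcast_address:
            raise ValueError(f"{addr} is not a usable host address in {net}")
    return {
        "pool_name": f"poolClientsLocation{location}",
        "server_name": f"dhcpClientsLocation{location}",
        "network": str(net),
        "gateway": str(gateway),
        "relay": str(gateway),
        "ranges": f"{pool_start}-{pool_end}",
    }


def render_routeros(configs):
    """RouterOS commands in the same three sections the post configures by hand."""
    pools = ["/ip pool"]
    networks = ["/ip dhcp-server network"]
    servers = ["/ip dhcp-server"]
    for c in configs:
        pools.append(f"add name={c['pool_name']} ranges={c['ranges']}")
        networks.append(f"add address={c['network']} dns-server={DNS_SERVER} gateway={c['gateway']}")
        servers.append(f"add address-pool={c['pool_name']} authoritative=yes disabled=no "
                       f"interface={SERVER_INTERFACE} lease-time={LEASE_TIME} "
                       f"name={c['server_name']} relay={c['relay']}")
    return "\n".join(pools + networks + servers) + "\n"


def check_consistency(configs):
    """Report duplicate pool names or networks and gateways/relays outside their network."""
    problems = []
    seen_pools, seen_nets = set(), set()
    for c in configs:
        if c["pool_name"] in seen_pools:
            problems.append(f"duplicate pool name {c['pool_name']}")
        if c["network"] in seen_nets:
            problems.append(f"duplicate network {c['network']}")
        seen_pools.add(c["pool_name"])
        seen_nets.add(c["network"])
        net = ipaddress.ip_network(c["network"])
        for field in ("gateway", "relay"):
            if ipaddress.ip_address(c[field]) not in net:
                problems.append(f"{field} {c[field]} not in {c['network']}")
    return problems


if __name__ == "__main__":
    cfgs = [relay_config(n, s) for n, s in LOCATIONS]
    for p in check_consistency(cfgs):
        print("PROBLEM:", p)
    print(render_routeros(cfgs), end="")
```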
March 2, 2013
You want to try IPv6 but your provider doesn't give you IPv6 addresses? If your router is a Mikrotik, this howto will show you how to use an IPv6 tunnel broker. This setup will also work for people with a dynamic IP, as most home users have.
Signup with an IPv6 tunnel broker
Go to this Wikipedia page for a list of IPv6 tunnel brokers. I've chosen the guys at Hurricane Electric as it's free and also works with dynamic IP addresses. Other brokers which also provide 6in4 (in RouterOS called /interface 6to4) and a method to update your IP address via a web URL will work too. If you have a static IPv4 address, choosing gets even easier.
The following shows what needs to be done if you use Hurricane Electric as tunnel broker. The tunnel broker wants to be able to ping your router via IPv4 … let's enable that (only needed if you disabled ping in the first place):
/ip firewall filter add chain=input icmp-options=8:0 protocol=icmp src-address=18.104.22.168
Move this rule to a place before the blocking rule. This rule is made in a way that it opens the smallest possible hole which is needed for the tunnel broker to work: only echo requests (ICMP type 8, code 0) from the broker's address. Now go to the broker website and do the following:
- Click on “Create Regular Tunnel”
- Under “IPv4 Endpoint (Your side):” enter your current IPv4 address
- Choose a server location, for better performance choose one thats not that far away from you.
- After creating the tunnel you'll be shown a web page with the following important information you'll need later:
- Tunnel ID
- Server IPv4 Address
- Server IPv6 Address
- Client IPv4 Address
- Client IPv6 Address
- Routed /64
For the commands I'll write "Tunnel ID" where you should use your Tunnel ID, and so on.
Mikrotik Tunnel Setup
First make sure that you have the IPv6 package enabled, use the following command:
[admin@mikrotik] > /system package print
Flags: X - disabled
# NAME VERSION SCHEDULED
0 X ipv6 6.0rc11
In this example it is not enabled, so we need to enable it and reboot.
[admin@mikrotik] > /system package enable ipv6
[admin@mikrotik] > /system reboot
Now it should look like this:
[admin@mikrotik] > /system package print
Flags: X - disabled
# NAME VERSION SCHEDULED
0 ipv6 6.0rc11
After this is done we can start configuring. First we need to create the tunnel endpoint on our side.
[admin@mikrotik] /ip firewall filter> /interface 6to4 add comment="Hurricane Electric IPv6 Tunnel Broker" disabled=no local-address="Client IPv4 Address" mtu=1280 name=sit1 remote-address="Server IPv4 Address"
After that we need to tell the router this is his new default gateway.
[admin@mikrotik] /ip firewall filter> /ipv6 route add dst-address=2000::/3 gateway="Server IPv6 Address"
And of course we need also an IPv6 address.
[admin@mikrotik] /ip firewall filter> /ipv6 address add address="Client IPv6 Address"/64 advertise=yes eui-64=no interface=sit1
Now we can test our setup for the first time. Let's check if the router is able to ping an IPv6 address in the Internet … we use the Google DNS servers for this.
[admin@mikrotik] > ping 2001:4860:4860::8844
HOST SIZE TTL TIME STATUS
2001:4860:4860::8844 56 58 36ms echo reply
2001:4860:4860::8844 56 58 35ms echo reply
2001:4860:4860::8844 56 58 46ms echo reply
sent=3 received=3 packet-loss=0% min-rtt=35ms avg-rtt=39ms max-rtt=46ms
If this does not work, try to ping "Server IPv6 Address". If that works, something is wrong with the default gateway. If this also does not work, check your tunnel setup and your IPv6 address.
Mikrotik Setup for the Clients
Now we got it working for the Mikrotik, but it would be even better to have IPv6 for the clients. To achieve this we need to configure an IPv6 address on the LAN interface and enable the advertisement to the clients. Take the "Routed /64" address and add a 1 between the :: and the "/"; this gives you the first IP address in the routed subnet.
This leads to following command:
/ipv6 address add interface="your LAN interface" address="IP address in your routed IPv6 subnet" advertise=yes
Now wait a little bit (some minutes) and check if your client operating system got an IPv6 address from the routed subnet. I'll show it here on an Ubuntu 12.04:
eth0 Link encap:Ethernet HWaddr 00:xx:xx:xx:xx:xx
inet addr:10.xx.xx.xx Bcast:10.xx.xx.xx Mask:255.255.255.0
inet6 addr: 2001:470:xxx:xxx:xxx:xxx:xxx:xxx/64 Scope:Global
inet6 addr: 2001:470:xxx:xxx:xxx:xxx:xxx:xxx/64 Scope:Global
inet6 addr: fe80::xxx:xxx:xxx:xxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5733100 errors:0 dropped:0 overruns:0 frame:0
TX packets:4191113 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:4271914251 (4.2 GB) TX bytes:841997928 (841.9 MB)
You'll see 3 IPv6 addresses, which are used for the following:
- Scope:Link: Only used for communication within the local VLAN … is always there if IPv6 is enabled on the client
- Scope:Global: The second one has the MAC address of this interface in it. This is already a worldwide IP address, but it tells everyone your MAC address, which is not that good. So there is the first global one, which uses a random part. This feature is called "privacy extension" and the IP is changed by the system after some time. If the privacy extension is activated, this IP will be used for communicating.
If you have 2, or better 3, IPv6 addresses you can try to ping the Google DNS server:
$ ping6 2001:4860:4860::8844
PING 2001:4860:4860::8844(2001:4860:4860::8844) 56 data bytes
64 bytes from 2001:4860:4860::8844: icmp_seq=1 ttl=57 time=36.7 ms
64 bytes from 2001:4860:4860::8844: icmp_seq=2 ttl=57 time=39.6 ms
64 bytes from 2001:4860:4860::8844: icmp_seq=3 ttl=57 time=48.6 ms
64 bytes from 2001:4860:4860::8844: icmp_seq=4 ttl=57 time=55.3 ms
So this seems to work … now we need to check if your DNS server reports IPv4 and IPv6 addresses back … if this is not the case you need to configure your DNS correctly or change to another server … e.g. the Google DNS servers.
We'll verify that it works correctly with the following command:
$ host robert.penz.name
robert.penz.name has address 22.214.171.124
robert.penz.name has address 126.96.36.199
robert.penz.name has IPv6 address 2400:cb00:2048:1::6ca2:c652
robert.penz.name has IPv6 address 2400:cb00:2048:1::6ca2:c752
robert.penz.name mail is handled by 10 mail.penz.name.
This looks good … now you only need to configure a firewall on your Mikrotik, as your clients now have IPv6 addresses which can be reached worldwide. Your IPv4 firewall is not enough – you need to filter in
Mikrotik Setup for users with a dynamic IPv4 address
Now we need to make sure the tunnel broker knows our new IPv4 address after each change. For this Hurricane Electric provides a web URL, which is described here. That's nice, as there are already some DynDNS update scripts available in the Mikrotik Wiki.
I've changed the 5.x one in the following parts:
- "username": Your Hurricane Electric username
- "password": Your Hurricane Electric password
- "hostname": Your "Tunnel ID"
- I've changed the /tool fetch line by replacing
- And at last I added /interface 6to4 set 0 local-address=$currentIP after the :log info ("UpdateDynDNS: Dyndns Update Result: ".$result) line, as we also need to change our local tunnel IP address.
That's it … call this script every few minutes and you'll have IPv6 connectivity even after your IP address changes. I hope this article gets others into the IPv6 world too.
February 24, 2013
A friend of mine got a new root server and asked me to help him set it up. And of course I helped, and as he got a free IPv6 subnet I thought let's configure it. He is running Proxmox as his host system, which is based on Debian. So this guide is also true for Debian systems which have OpenVZ installed.
- If you want to use IPv6 for the host system, you need to add at least the following to
iface vmbr0 inet6 static
up ip -6 route add default via 2001:xxxxx:beef::1 dev vmbr0
down ip -6 route del default via 2001:xxxxx:beef::1 dev vmbr0
Replace vmbr0 with eth0 if you're not using Proxmox and only OpenVZ on Debian.
- The ISP my friend's server is located at uses a default gateway which is not in his IPv6 subnet, so you need to add a host route. This is done with the following 2 lines:
up ip -6 route add 2001:4ba0:fff7:1:beef::1 dev vmbr0
down ip -6 route del 2001:4ba0:fff7:1:beef::1 dev vmbr0
- Restart the networking with:
- Test it with the following:
ping6 2001:4860:4860::8888 (Google IPv6 DNS server)
- Add the following to
/etc/sysctl.conf and make sure it is not defined twice:
# IPv6 Packet Forwarding and Proxy NDP
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.proxy_ndp = 1
net.ipv6.conf.all.proxy_ndp = 1
Run sysctl -p to activate it at once (so no reboot is required).
- Go to
/etc/vz/vz.conf and make sure the following is in there
- You currently can't add an IPv6 address through the web GUI of Proxmox, so you need to use the CLI (replace the address with an IP address from your IPv6 range):
vzctl set <VEID> --ipadd 2001:xxx:xxx::xxx --save
- Restart the VE and try the ping test from step 4 inside the VE. (ps: It can take up to 5 pings before you get a response the first time.)
More is not needed … it's quite easy!
ps: Don't forget to add an IPv6 DNS server if it is an IPv6-only VE. This can currently not be done via the Proxmox web GUI.
pps: iptables does not filter IPv6 … you need ip6tables for this. Don't think that you're secure if you didn't open anything with iptables.
February 16, 2013
Most companies which want to enable 802.1x for their wired network run Windows 7 SP1. After activating 802.1x you'll run into various problems with your Windows 7 boxes. It will work fine in lab tests but it will fail in the real world. Why is that? Because there are many 802.1x bugs in it.
Normally I blog about Linux, networking and security and not Windows-related stuff. I'm not a Windows expert, but I needed to get it authenticated with my network, so I needed to look into the matter. I hope it helps other network guys. I'm working for over 8 months (no, not all the time) now to get Windows 7 SP1 working with 802.1x 100% of the time. It's working 99% of the time, but there are still errors (under rare and special conditions) that occur. ;-(
At the time of writing this list I didn't find any other site that lists the available hotfixes, so I thought I'd start a list. And the description texts from Microsoft for these hotfixes are sometimes brain dead. Anyway, some entries are the result of working with Microsoft Premier Support on cases. If you find any other hotfix, fixit, … please let me know.
ps: We’re using EAP-TLS so I can only write about patches I needed for it.
If you're configuring your 802.1x settings via Group Policy, you'll sometimes see EAP-PEAP requests from clients in your RADIUS server log during booting, even if you set EAP-TLS. In our case this error happened on 1/3 of the boots with some models. The error is caused by a timing problem during startup: sometimes 802.1x is faster and sometimes the Group Policy is, and if 802.1x is faster, the default configuration is taken, which is PEAP. This leads to an EAP-NAK by the RADIUS server.
If an initial 802.1x authentication passes but a re-authentication fails, Windows 7 will ignore all later 802.1x requests. This hotfix should also fix a problem with computers waking up from sleep or hibernation – but we've disabled these features, so I can't comment on them.
This hotfix is called "A computer that is connected to an IEEE 802.1x-authenticated network via another 802.1x enabled device does not connect to the correct network". I can't comment on this, as we've not deployed 802.1x for our VoIP phones at this point. But it solves another problem, which is described here. The Windows Vista hotfix for the same problem, linked in the article (there is a third related hotfix not linked in the article, it's for XP – so it seems the problem runs through the whole product line), states that if an error occurs, Windows is normally hard-coded to ignore EAPOL packets for 20 minutes. I would guess it is the same for Windows 7 too. The linked article tells you to install the patch and set a registry key to lower the value.
A short time ago I found this one: “802.1X authentication fails on a Windows 7-based or Windows 2008 R2-based computer that has multiple certificates”. At time of writing I’m not sure if it helps for something in my setup. According to the symptoms list of the hotfix, it does not, but maybe it helps for something else, as the one before does.
Another error during booting – this time it happens if the read process starts before the network adapter is initialized. It really seems that they wanted to get faster boot times, no matter the cost.
This hotfix fixes a problem if you've installed a valid and an invalid certificate for 802.1x authentication. The workaround is just deleting the invalid certificate. I'm not sure at this point if it also affects wired authentication.
This problem occurs only during automated build processes and if you use an EAP method which needs user interaction – as I don’t do that I can’t comment on this hotfix.
So far this is my list – with it you should get Windows 7 and 802.1x running nicely, but it is not perfect. Do you know any other patches or workarounds?