20 minute delay deploying Windows 7 on 802.1x? Fix it here!

Someone mentioned to me that he has a 20 minute delay deploying Windows 7 to 802.1x EAP networks. They noted http://support.microsoft.com/kb/978152 which is “A Windows Vista-based or Windows Server 2008-based computer does not respond to 802.1X authentication requests for 20 minutes after a failed authentication”.

But they didn’t see a similar fix for Windows 7. So, what do they do? They ask PFE of course! I got together with Yong Rhee and Carl Luberti and we kicked the tires a bit and found that to fix this you likely need to do two things:

1)  Apply http://support.microsoft.com/?id=976373 which is “A computer that is connected to an IEEE 802.1x-authenticated network via another 802.1x enabled device does not connect to the correct network” and then add the registry key to modify the timeout value:

For wired networks
To use the new registry setting in a wired network, follow these steps:

1. Open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press ENTER.

2. Locate and then right-click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc

3. Point to New, and then click DWORD Value.

4. Type BlockTime, and then press ENTER.

5. Right-click BlockTime, and then click Modify.

6. Click Decimal under Base.

7. In the Value data box, type an appropriate value for the blocking period, and then click OK. The value that you specify for this registry entry represents the number of minutes that the system waits before it retries a failed authentication. The default value is 20 and the valid range is 1 - 60. If you set this key to 0, it will not apply at all.

8. Exit Registry Editor.

For wireless networks
To use the new registry setting in a wireless network, follow these steps:

1. Open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press ENTER.

2. Locate and then right-click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wlansvc

3. Point to New, and then click DWORD Value.

4. Type BlockTime, and then press ENTER.

5. Right-click BlockTime, and then click Modify.

6. Click Decimal under Base.

7. In the Value data box, type an appropriate value for the blocking period, and then click OK. The value that you specify for this registry entry represents the number of minutes that the system waits before it retries a failed authentication. The default value is 20 and the valid range is 1 - 60. If you set this key to 0, it will not apply at all.

8. Exit Registry Editor.

Set the value to something smallish, like, say, 2.
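The wired and wireless registry steps above, scripted so they can run unattended during a deployment. This is an added example, not code from the original post or the KB article: the function name `Set-Dot1xBlockTime` and its parameters are hypothetical, it assumes an elevated PowerShell session, and it sticks to PowerShell 2.0 syntax because that is what Windows 7 ships with.

```powershell
# Added example (not from the original post). Writes the BlockTime DWORD under
# the dot3svc (wired) and/or wlansvc (wireless) subkeys named in the steps
# above, then reads the value back so a deployment log shows what is in effect.
function Set-Dot1xBlockTime {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Minutes the system waits before retrying a failed authentication.
        # The steps above give 1-60 as the valid range; 0 is rejected here
        # because, per the same text, a value of 0 does not apply at all.
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 60)]
        [int]$Minutes,

        [ValidateSet('Wired', 'Wireless')]
        [string[]]$Network = @('Wired', 'Wireless')
    )

    $subkeys = @{
        Wired    = 'HKLM:\SOFTWARE\Microsoft\dot3svc'
        Wireless = 'HKLM:\SOFTWARE\Microsoft\wlansvc'
    }

    foreach ($n in $Network) {
        $path = $subkeys[$n]
        if (-not (Test-Path -Path $path)) {
            # The steps say to locate the subkey, so it is not created here.
            Write-Warning "$path not found; skipping $n."
            continue
        }
        if ($PSCmdlet.ShouldProcess($path, "Set BlockTime = $Minutes")) {
            # -Force overwrites an existing BlockTime value of any type.
            New-ItemProperty -Path $path -Name 'BlockTime' -PropertyType DWord `
                -Value $Minutes -Force | Out-Null
        }
        # Read back rather than trusting the write.
        $prop = Get-ItemProperty -Path $path -Name 'BlockTime' -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Network   = $n
            Path      = $path
            BlockTime = $prop.BlockTime
            Applied   = ($prop.BlockTime -eq $Minutes)
        }
    }
}

# The value suggested in this post.
Set-Dot1xBlockTime -Minutes 2
```

On 64-bit Windows, run this from a 64-bit PowerShell host: a 32-bit process is redirected to `HKLM\SOFTWARE\Wow6432Node`, so the value would land in the wrong place while the read-back still reports success.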

Hope this helps you in your deployments!

Jeff, Carl and Yong