If you are using Wired 802.1x, upgrading your Windows XP clients to Service Pack 3 can cause some severe issues due to design changes in this area.
The following information is intended to provide some background information on these changes and how to work around them. Although most these issues are documented in separate Knowledge Base articles, this post is intended to bundle the information and provide some additional information.
I encourage you to read through these steps carefully and perform extensive testing. Running into these problems after you have already installed Windows XP Service Pack 3 can be a painful experience. Since you would need a valid authentication/authorization to gain network connectivity and you need network connectivity to change the client configuration, you might run into a chicken and egg problem. This means you would need to do sneaker administration for all affected clients.
The following issues can occur depending on the client’s system configuration and your networking infrastructure:
- The required services for Wired 802.1x will not be started automatically.
- The 802.1x authentication method might change.
- The client might suspend 802.1x authentication in case of a failure.
- The settings you configured using the registry keys AuthMode and SupplicantMode might have changed.
Let’s go into some details on each of these.
The required services for Wired 802.1x will not be started automatically
This issue is documented in the following KB article:
953650 You cannot connect to an 802.1X wired network after you upgrade to Windows XP Service Pack 3
Please note that this article has been updated recently. The recently added solution (Method 3) is to create the registry key SupplicantMode with a value of 2 before installing Service Pack 3. This will make sure that both the dot3svc and the eaphost service will be started automatically.
Registry path: HKEY_LOCAL_MACHINESOFTWAREMicrosoftEAPOLParametersGeneralGlobal
Please read the following white paper if you need more details regarding this registry key:
The 802.1x authentication method might change
In Windows XP SP3, the default authentication method has been changed from EAP-TLS (Smart card or other certificate) to PEAP-MSCHAPv2.
Besides this, you may be unable to connect using PEAP-MSCHAPV2 due to the following issue:
969111 A Windows XP Service Pack 3-based client computer cannot use the IEEE 802.1x authentication when you use PEAP with PEAP-MSCHAPv2 in a domain
The workaround here is to set the authentication method back to EAP-TLS to match your RADIUS Server’s configuration. You might find a number of possible solutions to this. From my point of view the following two methods should match most needs.
A) Use the Run(Once) Registry Key
Use the Run or RunOnce Registry key to run a batch file. The batch file contains a netsh.exe command to import the Wired 802.1x configuration.
Here some information about the mentioned Run(Once) Registry keys.
314866 A definition of the Run keys in the Windows XP registry
To solve potential permission issues, you can use the Sysinternals tool psexec.exe. The reason to use psexec.exe is to run the batch file using the machine’s system account.
You need to download the latest version of psexec.exe and copy this to your Windows XP SP2 clients:
You will need to export a working Wired 802.1x configuration from a Windows XP SP3 client. You can do this by using the following command:
‘netsh lan export profile folder=%windir%’
This will create one or more xml files for each interface. The XML file has to be copied to your Windows XP SP2 clients, too.
You will need to deploy the following registry key to your clients as next step:
Name: Choose a name of your choice
Value: C:psexec /accepteula -s -i c:netshimport.bat
Note: Obviously you may need to edit the path for psexec.exe and the xml file.
The batch file netshimport.bat must contain the following command (without the quotes):
‘netsh lan add profile file=c:filename.xml’
You may extend this command to pipe the result to a text file which could be of use for troubleshooting in case of a problem:
‘C:psexec /accepteula -s -i c:netshimport.bat >%windir%netsh_result.txt’
Test if the batch file works as expected. If it does, you can now install Service Pack 3.
B) Deploy a scheduled task
This is very similar to the method described before. Instead of using the Run(Once) registry key, you would create a scheduled task which runs the same batch file. I suggest to do this after user logon which is an option when you create a scheduled task.
You will need to copy the batch file and the xml file to the clients as a pre-requisite again.
There are multiple methods possible to create a scheduled task. To mention two of them:
- Use the Control Panel in Windows XP SP2 to create it.
- Use schtasks.exe to create this task.
The client might suspend 802.1x authentication in case of a failure
This issue has been documented in the following KB article:
957931 A Windows XP-based, Windows Vista-based, or Windows Server 2008-based computer does not respond to 802.1X authentication requests for 20 minutes after a failed authentication
You will need to install the related hotfix and create the registry key BlockTime. The value for BlockTime depends on your infrastructure needs. Normally 1, which is the lowest value possible, should be ok.
The settings you configured using the registry keys AuthMode and SupplicantMode might have changed
The registry keys SupplicantMode and AuthMode are no longer valid for Windows XP SP3 Wired 802.1x. Please note that they still apply to wireless connections.
Please read the following articles for details:
949984 Changes to the 802.1X-based wired network connection settings in Windows XP Service Pack 3
929847 How to enable computer-only authentication for a 802.1X-based network in Windows Vista, in Windows Server 2008, and in Windows XP Service Pack 3
– Frank Hennemann