Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Remote Desktop to a machine that is 802.1x authenticated (wired ca

1,820 views
Skip to first unread message

Jaju@discussions.microsoft.com Ganesh Jaju

unread,
May 22, 2007, 8:12:01 AM5/22/07
to

When I do a remote desktop to machine that is 802.1x authenticated by an
user, machine authentication begins leading to logout of earlier logged in
user. Due to some reason the machine is not able to logged in leading to
blocking of port .

I am using IAS on Widows 2000 server as Radius server. I have a Windows XP
machine as my endhost which is to be authenticated and the configured
authentication type for 802.1x authentication on my machine is PEAP-MS-CHAP
v2. And Nevis Switch acts as authenticator.

I could find such an issue reported on Microsoft's site but it is for
wireless case.
Check the same at :-
http://www.microsoft.com/technet/network/wifi/wififaq.mspx
In Microsoft's words:-

Q. Do Remote Desktop connections work to Windows wireless clients that use
802.1X authentication?

A. Not at this time. All 802.1X-based wireless connections are affected,
including those using EAP-TLS or PEAP-MS-CHAP v2. Connections using a static
WEP key or WPA-PSK are not affected. Microsoft has addressed this issue in
Windows Vista and Windows Server “Longhorn.”

So is the issue valid for wired networks as well (I feel wired/wireless
should not be an issue as supplicant behavior would be the same)?
If the issue if known, is there or will there be any hotfix to avoid this
behavior for Windows-XP ?
If so, I would like to know to what all Windows OS it affects.

S. Pidgorny <MVP>

unread,
May 22, 2007, 4:52:42 PM5/22/07
to
What if you disable re-authentication with user credentials and use
machine-only authentication?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Ganesh Jaju" <Ganesh Ja...@discussions.microsoft.com> wrote in message
news:900CD001-AA1C-4FCF...@microsoft.com...

S. Pidgorny <MVP>

unread,
May 23, 2007, 5:14:01 AM5/23/07
to
Hi Ganesh,

IEEE 802.1x standards don't prescribe the supplicant behaviour with regards
to computer/user authentication.

The question is - why remote desktop connections don't work? I think that is
because of the re-authentication: user logon (through remote desktop) will
trigger re-authentication by the supplicant, which will temporarily
disconnect the computer from the network. That will break the remote desktop
connection.

To verify, we need to test with AuthMode set to 2 (or 0 - refer to the same
FAQ). I'll try to do that tomorrow.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Ganesh Jaju" <Ganes...@discussions.microsoft.com> wrote in message
news:6FC93AC0-2B92-4CF6...@microsoft.com...
>
> I am interested in IEEE 802.1x standard based behavior for this case.
> User authentication is something which I don't want to compromise with.
> I would prefer having both types of authentication (computer/user).
>
> To my knowledge, when we boot windows machine, first machine
> authentication
> happens and then user authentication.
> Can't we have similar behavior for remote desktop as well?
>
> If it is a known issue, I am ok with it. Just that I found the issue to
> be
> known on Microsoft's site for wireless case, I wanted to confirm if the
> same
> is true for wired case.
>
> I would appreciate if I get to know more details on the problem, if any.


>
>
>
>
> "S. Pidgorny <MVP>" wrote:
>
>> What if you disable re-authentication with user credentials and use
>> machine-only authentication?
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>
>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>
>> "Ganesh Jaju" <Ganesh Ja...@discussions.microsoft.com> wrote in message

>> > http://www.microsoft.com/technet/network/wifi/wififaq.mspx

Ganesh Jaju

unread,
May 24, 2007, 1:53:02 AM5/24/07
to
Hi,
Please see inline.

"S. Pidgorny <MVP>" wrote:

> Hi Ganesh,
>
> IEEE 802.1x standards don't prescribe the supplicant behaviour with regards
> to computer/user authentication.
>
> The question is - why remote desktop connections don't work? I think that is
> because of the re-authentication: user logon (through remote desktop) will
> trigger re-authentication by the supplicant, which will temporarily
> disconnect the computer from the network. That will break the remote desktop
> connection.

This is true and the reason it happens is because remote desktop initiates
machine authentication and due to user mismatch earlier user gets logged out
breaking remote desktop connection. Had it been the case that user
authentication is initiated and remote desktop user being the same as logged
in user, we should not face this issue.

>
> To verify, we need to test with AuthMode set to 2 (or 0 - refer to the same
> FAQ). I'll try to do that tomorrow.

0 Disable IEEE 802.1X authentication operation.
1 Prevent transmission of EAPOL start and EAPOL log off packets under all
scenarios.
2 Include learning to determine when to initiate the transmission of EAPOL
packets. A Windows XP Service Pack 2 (SP2)-based computer will only send an
EAPOL start frame if the computer receives an EAP request identity frame and
if no internal process is currently ongoing.
3 Compliant with IEEE 802.1X authentication specification.

Only value of 3 is compliant with IEEE standards.

S. Pidgorny <MVP>

unread,
May 24, 2007, 6:00:14 AM5/24/07
to
G'day:

"Ganesh Jaju" <Ganes...@discussions.microsoft.com> wrote in message

news:B30E2BF0-7F53-46F6-92F6-

>> To verify, we need to test with AuthMode set to 2 (or 0 - refer to the
>> same
>> FAQ). I'll try to do that tomorrow.
>
> 0 Disable IEEE 802.1X authentication operation.
> 1 Prevent transmission of EAPOL start and EAPOL log off packets under all
> scenarios.
> 2 Include learning to determine when to initiate the transmission of EAPOL
> packets. A Windows XP Service Pack 2 (SP2)-based computer will only send
> an
> EAPOL start frame if the computer receives an EAP request identity frame
> and
> if no internal process is currently ongoing.
> 3 Compliant with IEEE 802.1X authentication specification.
>
> Only value of 3 is compliant with IEEE standards.

That's not AuthMode - that is SupplicantMode.

Ganesh Jaju

unread,
May 24, 2007, 10:18:03 AM5/24/07
to
Oops . Sorry I got AuthMode wrong initially.
Is authmode setting specific to Windows OS ?

As of now I don't have any AuthMode entry in registry. I just have created
SupplicantMode entry with a value of 3.

So default value of AuthMode assumed would be 1 as I am using Windows XP
(SP2) and which is not working.

I am interested in user authentication and so I am reluctant to create
AuthMode with a value of '2' as it responds only to computer authentication.


What value '0' means is :-
0 - Computer authentication is performed when the wireless client computer
is started. When a user logs in, if the computer authentication was
successful, user authentication is not performed. This setting has been
deprecated and its use is discouraged. This is the default setting for
Windows XP with no service packs installed.

So will this work for remote desktop case?

S. Pidgorny <MVP>

unread,
May 25, 2007, 5:49:42 AM5/25/07
to
G'day:

"Ganesh Jaju" <Ganes...@discussions.microsoft.com> wrote in message

> Oops . Sorry I got AuthMode wrong initially.


> Is authmode setting specific to Windows OS ?

Yes - and there's nothing in the standard that stipulates certain AuthMode
setting.

> As of now I don't have any AuthMode entry in registry.

Create it to change from the default.

> So default value of AuthMode assumed would be 1 as I am using Windows XP
> (SP2) and which is not working.
>
> I am interested in user authentication and so I am reluctant to create
> AuthMode with a value of '2' as it responds only to computer
> authentication.
>
>
> What value '0' means is :-
> 0 - Computer authentication is performed when the wireless client computer
> is started. When a user logs in, if the computer authentication was
> successful, user authentication is not performed. This setting has been
> deprecated and its use is discouraged. This is the default setting for
> Windows XP with no service packs installed.
>
> So will this work for remote desktop case?

Probably it will.

Ganesh Jaju

unread,
Jun 4, 2007, 6:16:11 AM6/4/07
to
Hi,
I created AuthMode registry with a value of '1' and tried it. Still I faced
the same issue. No luck with value '0' as well.

So, what is the solution now?
Does that mean Remote Desktop to Dot1x Authenticated host does not work ?

S. Pidgorny <MVP>

unread,
Jun 4, 2007, 6:22:22 AM6/4/07
to
What about 2? 1 is the default and 0 is deprecated.

--

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Ganesh Jaju" <Ganes...@discussions.microsoft.com> wrote in message
news:4944A92D-49D9-4F20...@microsoft.com...

Ganesh Jaju

unread,
Jun 4, 2007, 10:48:01 AM6/4/07
to

2- means computer authentication only. I am interested in user
authentication and hence didn't try that.

Remote desktop triggers computer authentication for AuthMode = 0/1 resulting
in user being logged out and hence the remote desktop session itself expires.

So is this some problem with Windows ? Any workaround, using
user-authentication ?

Can we have something like "user authentication only' ?

S. Pidgorny <MVP>

unread,
Jun 5, 2007, 4:51:26 AM6/5/07
to
As I said to you in the very beginning of the discussion, and according to
Microsoft, that doesn't work in XP now.
You're out of luck.

--
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Ganesh Jaju" <Ganes...@discussions.microsoft.com> wrote in message

news:5D7656B9-A625-4C69...@microsoft.com...

Ganesh Jaju

unread,
Jun 5, 2007, 10:14:05 AM6/5/07
to
Thanks a lot for your time and co-operation.
0 new messages