Successful authentications occur even though the authentications do not participate in Network Access Protection on a Windows Vista-based computer

When the Network Access Protection Agent service is disabled on a Windows Vista-based computer, the Transport Layer Security (TLS) session cookie is not updated. Also, the cookie will be reused when the Network Access Protection Agent service is enabled. This lets successful authentications occur even though the authentications do not participate in Network Access Protection (NAP).

This problem occurs because the Fast Reconnect functionality is enabled. If the NapAgent client has already performed a successful Protected Extensible Authentication Protocol (PEAP) authentication through successful statement of health (SoH) exchanges, a TLS session key is saved. Therefore, the client can apply the Fast Reconnect functionality.

To work around this problem, configure the client computer not to use the Fast Reconnect functionality. To do this, follow these steps:

1. Click Start, type services.msc in the Start Search box, and then press ENTER.
   
   Note If you are prompted for an administrator password, type the password. Or, if you are prompted for confirmation, provide confirmation.
2. In the Services window, click the Standard tab, right-click Wired AutoConfig, and then click Start.
3. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, and then click Manage network connections.
4. Right-click the network connection, and then click Properties.
5. Click the Authentication tab, and then click to select the Enable IEEE 802.1X authentication check box.
6. In the Choose a network authentication method list, click to select Protected EAP (PEAP), and then click Settings.
7. Click to clear the Enable Fast Reconnect check box, and then click OK.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.