A Microsoft Windows XP-based wired client computer uses the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication configuration.
IEEE 802.1X authentication is enabled on the client computer.
The client computer does not have a valid certificate for 802.1X authentication.
In this scenario, the client computer will not obtain a valid IP address from a guest Virtual Local Area Network (VLAN) or from an "Authentication failed-VLAN". ("Authentication failed-VLAN" is a Cisco feature.)
This problem occurs because the client computer that uses 802.1X authentication will not respond to the EAP request identity packets that the Ethernet switch sends. The client computer does not respond because it does not have a valid certificate. Therefore, the client computer sends an EAP over LAN (EAPOL) start frame and does not respond to the EAP request identity packet.
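Added example (not part of the original article): a Python check that classifies 802.1X frames from a capture on the switch port and reports whether the client answered the switch's EAP request identity frames or only sent EAPOL start frames. The function names, MAC addresses, and sample frames are constructed for illustration.

```python
import struct

EAPOL_ETHERTYPE = 0x888E  # EtherType used by IEEE 802.1X (EAPOL)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def classify(frame: bytes) -> str:
    """Label one raw Ethernet frame; 'not-eapol' if it is not 802.1X traffic."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        return "not-eapol"
    _version, ptype, blen = struct.unpack("!BBH", frame[14:18])
    if ptype != 0:  # Start, Logoff and Key frames carry no EAP packet
        return EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
    body = frame[18:18 + blen]
    if len(body) < 4:  # EAP header is code, identifier, 2-byte length
        return "malformed-eap"
    code = body[0]
    label = EAP_CODES.get(code, f"code-{code}")
    # Requests and responses carry a type byte; type 1 is Identity
    if code in (1, 2) and len(body) >= 5 and body[4] == 1:
        label += "/Identity"
    return label

def diagnose(frames, client_mac: bytes) -> dict:
    """Count what the switch asked for and what the client sent back."""
    out = {"identity_requests": 0, "identity_responses": 0, "client_starts": 0}
    for f in frames:
        kind, src = classify(f), f[6:12]
        if kind == "Request/Identity" and src != client_mac:
            out["identity_requests"] += 1
        elif kind == "Response/Identity" and src == client_mac:
            out["identity_responses"] += 1
        elif kind == "EAPOL-Start" and src == client_mac:
            out["client_starts"] += 1
    # Symptom from this article: identity requests seen, never answered
    out["symptom"] = out["identity_requests"] > 0 and out["identity_responses"] == 0
    return out

# Constructed sample data (not a real capture); MAC addresses are made up
PAE = bytes.fromhex("0180c2000003")      # 802.1X PAE group address
CLIENT = bytes.fromhex("020000000001")
SWITCH = bytes.fromhex("020000000002")
def eth(src: bytes, eapol: bytes) -> bytes:
    return PAE + src + b"\x88\x8e" + eapol

REQ_ID = eth(SWITCH, bytes([1, 0, 0, 5, 1, 1, 0, 5, 1]))  # EAP Request, type Identity
START = eth(CLIENT, bytes([1, 1, 0, 0]))                  # EAPOL-Start, empty body
SAMPLE = [REQ_ID, START, REQ_ID, START]
if __name__ == "__main__":
    print(diagnose(SAMPLE, CLIENT))
```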
Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To resolve this problem, follow these steps:
1. Create the SupplicantMode registry entry and set its value to 1. Then, the Windows XP client computer does not send an EAPOL start frame. To do this, follow these steps:
   a. Click Start, click Run, type regedit, and then click OK.
   b. Locate and then click the following registry subkey:
   c. On the Edit menu, point to New, and then click DWORD Value.
   d. Type SupplicantMode, and then press ENTER.
   e. On the Edit menu, click Modify.
   f. Type 1 in the Value data box, and then click OK.
   g. Exit Registry Editor.
2. Use PEAP-MSCHAPv2 as the 802.1X authentication mechanism. In this scenario, the client computer will always respond to EAP request identity frames if you do not change the default configuration.
3. Use the default settings in which the SupplicantMode registry entry is not present, and change the Ethernet switch settings to a value of 1 for the following settings:
   - Minimum EAPOL time-out value
   - EAP retry amount
4. Change the Ethernet switch VLAN setup. Use one default VLAN, and then use one or more VLANs for 802.1X authenticated computers and users.
The following table describes the SupplicantMode registry entry for values from 0 through 3.
Value   Description
0       Disable IEEE 802.1X authentication operation.
1       Prevent transmission of EAPOL start and EAPOL log off packets under all scenarios.
2       Include learning to determine when to initiate the transmission of EAPOL packets. A Windows XP Service Pack 2 (SP2)-based computer will only send an EAPOL start frame if the computer receives an EAP request identity frame and if no internal process is currently ongoing.
3       Compliant with IEEE 802.1X authentication specification.
The SupplicantMode registry entry is also explained in the "Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows" article. To download this article, visit the following Microsoft Web site:
Note: The SupplicantMode registry entry is no longer valid for Wired 802.1X in Windows XP SP3. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
949984 Changes to the 802.1X-based wired network connection settings in Windows XP Service Pack 3