Windows Server 2003 working as wired 802.1X client
Hi,

We have installed a working 802.1X-enabled infrastructure for wired clients. The Root and Sub-CA are running on Windows Server 2008 R2 machines. The clients are running Windows XP SP3 or Windows Server 2003 R2. All clients need to be authenticated based on computer certificates issued by the Sub-CA. Further user authentication is not necessary.

The setup is working perfectly until we simulate a problem where the RADIUS service is not accessible when clients are to re-authenticate. We simply stopped the NPS service on the Sub-CA. After the NPS service was restarted, we have to wait a maximum of 20 minutes to find that all clients running Windows XP SP3 are authenticated and can access the network. All the clients running Windows Server 2003 R2 do not re-authenticate and therefore do not have access to the network.

For the Windows Server 2003 clients the registry key SupplicantMode was set to 3 (HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode) to ensure they submit EAPOL-Start packets when needed. Any action like disabling/enabling the network interface card on the servers or a shutdown/no shutdown of the appropriate switch ports will trigger a new EAP exchange so that the clients are authenticated again. All the clients are connected to Cisco Catalyst 2960 switches running the 12.2(46) IOS image.

Is there any possibility to have the Windows Server 2003 clients re-authenticate automatically after the RADIUS server was not available for a certain amount of time?

Have a nice day!
January 26th, 2011 7:44am

Hello CoolMa7,

To answer your question, no, it will not be possible to have the Windows Server 2003 clients re-authenticate automatically. The resolution for this would be to have at least two IAS servers so that the servers do not fail to authenticate. For example, you could set up IAS-1 and IAS-2, and on the switch point to IAS-1 as the first RADIUS server and IAS-2 as the second RADIUS server. Also, you could configure a RADIUS proxy and put multiple RADIUS servers behind the proxy. Please see the following link for additional information on NPS proxy deployment.

Planning NPS as a RADIUS proxy
http://technet.microsoft.com/en-us/library/dd197525(WS.10).aspx

For the Windows XP clients, you can adjust the time clients wait to reauthenticate.

957931 A Windows XP-based, Windows Vista-based, or Windows Server 2008-based computer does not respond to 802.1X authentication requests for 20 minutes after a failed authentication
http://support.microsoft.com/default.aspx?scid=kb;EN-US;957931

Regards,
Clark Satter
Microsoft Online Community Support

Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 7th, 2011 4:29pm
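The answer's first recommendation, two RADIUS servers with the switch pointed at both, is a switch-side change. The fragment below is an added example of that configuration for a Catalyst 2960 on the 12.2(46)SE train mentioned in the question; it is not from the thread or from Microsoft. The addresses 192.0.2.11 and 192.0.2.12, the shared secrets, and the port name are constructed placeholders.

```cisco
! Added example, not part of the original thread.
! Two NPS/IAS RADIUS servers so that a single NPS outage does not strand
! the Windows Server 2003 supplicants, which do not retry on their own.
aaa new-model
!
! Both servers use the same EAP-capable policy; secrets are placeholders.
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key EXAMPLE-SECRET-1
radius-server host 192.0.2.12 auth-port 1812 acct-port 1813 key EXAMPLE-SECRET-2
!
! Mark a server dead after 3 unanswered requests within 5 seconds, and
! skip it for 5 minutes so each new EAP exchange goes straight to the
! surviving server instead of timing out against the dead one first.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 5
!
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! Access port for one of the servers (port name is a placeholder).
! Periodic reauthentication is what produced the outage in the question;
! with two servers it is the failover above, not the supplicant, that
! keeps the port authorized when one NPS instance is down.
interface FastEthernet0/1
 description 802.1X access port - server
 switchport mode access
 dot1x port-control auto
 dot1x reauthentication
 dot1x timeout reauth-period 3600
```

Without `dead-criteria`/`deadtime`, IOS still fails over, but only after the per-request timeout and retransmit count against the first server are exhausted on every reauthentication, which can push the exchange past the supplicant's own EAP timeout. A quick check after applying it is `show radius statistics` and `show dot1x interface FastEthernet0/1` after stopping NPS on one server: the port should stay AUTHORIZED across the next reauth period, and the stopped server should appear as dead until the deadtime expires.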

