On Tue, Mar 06, 2012 at 02:22:04PM +0000, Morris, Andi wrote:
> Dave, I am running Cisco switches with dot1x timeouts, I wonder
> whether this could be causing the issue. I'll do some testing.

Turn off "Excessive 802.1X Authentication Failures" if you've got such a thing and it's enabled. We had it on, and if the first login had a bad password, the user would be locked out until they waited a minute or so to drop out of the client exclusion table. It's supposed to be three bad login attempts, but watching the client debug logs showed it tripping after just one due to the number of challenges/responses etc. - I forget the exact details now. Maybe Windows did automatically retry a couple of times, which tripped it up.

(This is Cisco wireless LAN controllers - switches may be similar.)

We still see it with this off (see in other e-mail) but much less often.

Matthew

--
Matthew Newton, Ph.D. <m...@le.ac.uk>
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html