EAP Failure: need to modify "Length of block timer (seconds)"

Max Hibbin 1 Reputation point
2021-11-22T17:53:46.003+00:00

In our 802.1X-enabled network, sometimes the RADIUS server may not be available. One scenario is losing power to a chain of switches: the access switch with the Windows client connected reboots faster than its upstream counterpart, and the RADIUS server is beyond that, so the first request goes out and the RADIUS server cannot be reached. So 802.1X fails, and then the Windows client (Win 10 1904) invokes a "block timer". This timer is 1200 seconds, so the client will not attempt to authenticate until this period expires. Why 1200 seconds? In this scenario the RADIUS server is going to be available in a number of seconds, and I don't want the client to invoke a 1200-second timer. I want to know how to modify the "Length of block timer (seconds)". The event ID is 15506. I have searched high and low to try and find the answer, without resolution. Please help.

Windows 10 Network

1 answer

  1. Limitless Technology 39,341 Reputation points
    2021-11-23T20:37:00.153+00:00

    Hello @Max Hibbin

    Usually these blocks are either established in the negotiation from the network, or by the interface itself. You may try to contact your AP/network manufacturer or their forums for assistance on L2 authentication and EAP timers.

    On the Windows side, there's a workaround on the service level through a registry change. I know it worked for me until Windows 10 1904, but it would require testing on newer versions.

    On a test computer, make a backup of your registry, and add the following registry change:

    In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dot3svc
    Go to New, and then click DWORD Value.
    Type BlockTime, and then press ENTER.
    Right-click BlockTime, and then click Modify.
    Click Decimal under Base.
    In the Value data box, type an appropriate value for the blocking period, and then click OK.
    (The value that you specify for this registry entry represents the number of minutes that the system waits before it retries a failed authentication. The default value is 20 and the valid range is 1 – 60. If you set this key to 0, it will not apply at all.)

    Hope this helps with your query,

    ------
    --If the reply is helpful, please Upvote and Accept as answer--
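
The registry steps from the answer above, scripted in PowerShell so the backup and the range check are not skipped. This is an added example, not part of the original answer; the parameter names and backup folder are assumptions, and the meaning of `BlockTime` (minutes, valid range 1 to 60) is taken from the answer as stated.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the registry steps described in the answer.
param(
    # Minutes to wait before retrying a failed authentication.
    # Range 1-60 as given in the answer (default there: 20).
    [Parameter(Mandatory)]
    [ValidateRange(1, 60)]
    [int]$BlockTimeMinutes,

    # Assumed backup location; change to suit your environment.
    [string]$BackupDir = "$env:SystemDrive\RegBackup"
)

$keyPs  = 'HKLM:\SOFTWARE\Microsoft\dot3svc'   # PowerShell provider path
$keyReg = 'HKLM\SOFTWARE\Microsoft\dot3svc'    # same key, reg.exe syntax

# The answer edits an existing key; stop rather than create it if it is missing.
if (-not (Test-Path $keyPs)) {
    throw "Key $keyPs not found; no change made."
}

# Back up the key before touching it, as the answer instructs.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ("dot3svc-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export $keyReg $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Registry export failed; no change made."
}

# Record the previous value (absent on a machine that was never modified).
$old  = (Get-ItemProperty -Path $keyPs -Name BlockTime -ErrorAction SilentlyContinue).BlockTime
$prev = if ($null -eq $old) { '(not set)' } else { $old }

# Create or overwrite the DWORD value.
New-ItemProperty -Path $keyPs -Name BlockTime -PropertyType DWord `
    -Value $BlockTimeMinutes -Force | Out-Null

# Read the value back so the change can be verified and logged.
[pscustomobject]@{
    Key      = $keyPs
    Previous = $prev
    Current  = (Get-ItemProperty -Path $keyPs -Name BlockTime).BlockTime
    Backup   = $backup
}
```

The answer does not say when the wired 802.1X service picks up the new value, so confirm the behaviour on a test machine by watching for the next event ID 15506 and the block timer length it reports.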