8801 errors during login in a wired 802.1x environment

  • 3213598
  • 18-Dec-2007
  • 27-Apr-2012

Environment

Novell Client for Windows 2000/XP/2003 4.91 Support Pack 4
802.1x authentication (wired)
4.91 SP4

Situation

When implementing 802.1x authentication in a wired environment (the problem does not occur in a wireless environment) using a RADIUS server that authenticates against eDirectory, the 802.1x authentication works properly and the login to the eDirectory tree is successful, but an 8801 error is thrown during the execution of the login script.

Resolution

Fixed in updated noveap.dll and nwlscrpt.exe modules, dated 21Mar2008 or later.

The following is a workaround for this issue:

Launch the login script after user authentication has completed. This can be accomplished by calling a batch file that runs loginw32.exe from the startup group, or by calling loginw32.exe directly from the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Add a string value named "Novell Login" which contains the value:

C:\Windows\system32\loginw32.exe /CONT /NA /S C:\LoginScr.txt

where the last argument is the name of a Novell login script file.
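
The workaround above as a PowerShell sketch, added here as an example and not taken from Novell: it sets the "Novell Login" Run value only when noveap.dll or nwlscrpt.exe is older than the fix date, then reads the value back. Assumptions: PowerShell 2.0 or later is installed on the workstation, both modules live in the system32 directory, and "dated" refers to the file's last-write time.

```powershell
# Added example, not Novell's code. Assumptions are marked "assumed".
$FixDate    = New-Object DateTime 2008, 3, 21            # "21Mar2008 or later"
$ModuleDir  = Join-Path $env:SystemRoot 'system32'       # assumed module location
$Modules    = 'noveap.dll', 'nwlscrpt.exe'
$RunKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueName  = 'Novell Login'
$ScriptFile = 'C:\LoginScr.txt'                          # sample path from the article
$Command    = "C:\Windows\system32\loginw32.exe /CONT /NA /S $ScriptFile"

# True when the file exists and its last-write time is on or after the fix date
# (assumed to be what "dated" means in the article).
function Test-ModuleFixed([string]$Path, [datetime]$NotBefore) {
    if (-not (Test-Path $Path)) { return $false }
    return ((Get-Item $Path).LastWriteTime -ge $NotBefore)
}

# Collect the modules that are missing or predate the fix.
$outdated = @($Modules | Where-Object {
    -not (Test-ModuleFixed (Join-Path $ModuleDir $_) $FixDate)
})

if ($outdated.Count -eq 0) {
    Write-Output 'Fixed modules present; Run-key workaround not needed.'
}
else {
    Write-Output ('Outdated or missing: ' + ($outdated -join ', '))

    # loginw32.exe is pointed at this file, so flag it if it is absent.
    if (-not (Test-Path $ScriptFile)) {
        Write-Warning "$ScriptFile not found; loginw32.exe would have no script to run."
    }

    # Create the key if needed, then write the string value (idempotent with -Force).
    if (-not (Test-Path $RunKey)) { New-Item -Path $RunKey -Force | Out-Null }
    New-ItemProperty -Path $RunKey -Name $ValueName -Value $Command `
        -PropertyType String -Force | Out-Null

    # Read the value back and fail loudly if it is not what was written.
    $actual = (Get-ItemProperty -Path $RunKey -Name $ValueName).$ValueName
    if ($actual -ne $Command) { throw "Run value mismatch: $actual" }
    Write-Output "Set '$ValueName' = $actual"
}
```

Because the value is written under HKEY_CURRENT_USER, the script has to run in the context of each user who needs the workaround.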

Additional Information

When implementing 802.1x authentication with an 802.1x-enabled switch, users do not have access to the network until they are authenticated by the RADIUS server. Before the user has successfully authenticated via 802.1x, they have no access to services through the switch. Only after the switch learns from the RADIUS server that the user's credentials have been approved do they have access to the wired network beyond the port connection.

The 8801 errors seen when executing login scripts are the result of the way Novell implemented 802.1x authentication in the Microsoft environment. The Novell Client needs full user access to the network in order for the login process to complete. To get it, the client uses a plug-in to the Microsoft supplicant that takes the supplied user credentials and authenticates the user to the RADIUS server; then, now that the 802.1x-enabled switch has activated the port, it uses the same credential set to log in to eDirectory. At this point, the user is completely logged in to 802.1x and to the Novell network. The Novell Client then passes the credentials to Windows so that the local machine authentication can occur. However, Windows assumes it still needs to do a user authentication. Accordingly, it disconnects the user from the network and begins a second 802.1x authentication. This happens during the processing of the login script, which then fails because the connection it is using has been removed.