Auto configuration of 802.1x for wired interfaces for XP

Is there any way to push out 802.1x settings for wired interfaces in Windows XP?  This can be with a Group Policy or even registry settings changes using a logon script.  Manually changing 100s of PCs manually is not an option.  It's hard to believe that Microsoft did not make this possible.  I have scowered the Internet looking for answer and have found nothing.  Any tips would be greatly appreciated.
Who is Participating?
GranModConnect With a Mentor Commented:
PAQed with points refunded (500)

Community Support Moderator
Hi jzarris,

you can configure through GPO, the ability to connect to a certain network, however, you cannot include a WEP key through in your settings.....

what i suggest that you could try, is add MAC address filtering to your Access point and include your MAC addresses of a few trial machines, and set your access to automatically give out the SECURITY key

under your policy,
computer settings \ windows settings \ security settings \wireless, create a new policy with your SSID included and and select THE KEY IS PROVIDED

its now automatic and only peoples who's MADC address in your AP can connect

with this at least you have it automated - just an option
jzarrisAuthor Commented:
I appreciate your suggestion, but this is for WIRED 802.1x settings.  GPO doesn't no allow you to push out wired 802.1x settings, only wireless.   I have no need for setting any wireless configurations.
Cloud Class® Course: Amazon Web Services - Basic

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

ah my apologies man, i saw 802.x and auto thought wireless!

Have you looked at using DHCP?
jzarrisAuthor Commented:
DHCP can only specify IP settings.  It cannot set or change 802.1x settings.
jzarrisAuthor Commented:
but thanks for the suggestings Jay
thats ok :)

but to be honest now i am lost on what sort of settings you are trying to push out........ 802.1X is a wireless standard is it not,

its is 2am here so i am only half awake!
It appears not, so saith the Microsoft Gurus.

"But using it for wired security has some significant drawbacks. Working
with non-participating devices, as we discussed above, is one. Lack of
manageability is another: in AD group policy, several group policy objects
exist for you to manage 802.1X on wireless networks. These GPOs don't exist
for wired interfaces, and there are no published APIs for managing wired
802.1X client computers. Some architectural reasons prevent adding GPOs to
Windows 2000 and Windows XP for wired 802.1X. Because of this lack of
centralized management capability, large-scale 802.1X deployment on Windows
isn't feasible."

Steve Riley, Sr. Program Manager Security Business and
Technology Unit:
so basically they are saying that it cant be done.....

i have never heard of wired 802.1x  maybe i have been living in the dark but where in the world do you even find the config for it
802.1x can be configured via Group Policy on the local machine, but most network admins prefer to use IPSEC.
You can also right-click your network connection and choose the Authenitcation tab ot change the settings.
jzarrisAuthor Commented:
Regarding the Mad Jaspers is true that Microsoft does not allow for GPO for 802.1x, but saying that large-scale 802.1x deployments on Windows isn't feasible assumes that Microsoft is the authority on network security.  In truth, there are networking products that integrate with Active Directory and allow for GPO for 802.1x.  I know because I work for a company that has developed a secure switch that does just that and more.  For instance:

1.  When a computer starts up, the switch can decide to grant or deny the computer access to the network based on if it is in an AD group such as Domain Computers
2.  When a user logs into Windows, the switch can then allow that user to continue to use the network but set an inbound and outbound stateful firewall policy for that port for that user based on their group memberships in AD (a different policy for each AD group and merged policies for multiple group membership)
3.  Monitor all network traffic from that user looking for traffic anomalies (such as horizontal and vertical network scans) and signature based attacks at 10 Gbps.
4.  etc, get the idea

This network authentication can be achieved in a couple of different ways and one of them is via 802.1x, but it requires that the network interfaces on each PC have certain 802.1x settings.  Since MS does not allow for setting 802.1x for WIRED interfaces in GPO, this can only be done manually which is a huge pain in the backside in even a medium sized deployment.  

The good news is that I figured out a way to do it via some reverse engineering.  In hkey_local_machine\software\microsoft\eapol\parameters\interfaces there are folders for each interface.  When you change 802.1x settings, there is a binary registry key that reflects those changes (but in no obvious way).  I have written a script that can push out the needed changes (such as EAP type) to that binary registry key to all interfaces and have added it to all users' login scripts.  I have tested this out in a network with over 100 workstation in the domain and it has worked flawlessly.

Thanks for everyone's comments.  If anyone figures out a way to do this with GPO I'd be very interested in hearing about it, but I have solved this problem in an acceptable way for the time being.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.