jzarris asked:
Auto configuration of 802.1x for wired interfaces for XP

Is there any way to push out 802.1x settings for wired interfaces in Windows XP?  This can be with a Group Policy or even registry settings changes using a logon script.  Manually changing 100s of PCs is not an option.  It's hard to believe that Microsoft did not make this possible.  I have scoured the Internet looking for an answer and have found nothing.  Any tips would be greatly appreciated.
Jay_Jay70

Hi jzarris,

You can configure through GPO the ability to connect to a certain network; however, you cannot include a WEP key in your settings.

What I suggest you could try is to add MAC address filtering to your access point, include the MAC addresses of a few trial machines, and set your access point to automatically give out the security key.

Under your policy,
Computer Settings \ Windows Settings \ Security Settings \ Wireless, create a new policy with your SSID included and select THE KEY IS PROVIDED.

It's now automatic, and only people whose MAC address is in your AP can connect.

With this at least you have it automated - just an option.
jzarris (ASKER)
I appreciate your suggestion, but this is for WIRED 802.1x settings.  GPO does not allow you to push out wired 802.1x settings, only wireless.   I have no need for setting any wireless configurations.
Ah, my apologies man, I saw 802.x and automatically thought wireless!

Have you looked at using DHCP?
http://computerperformance.co.uk/w2k3/services/DHCP_Configure.htm
jzarris (ASKER)
DHCP can only specify IP settings.  It cannot set or change 802.1x settings.
jzarris (ASKER)

But thanks for the suggestions, Jay.
That's ok :)

But to be honest, now I am lost on what sort of settings you are trying to push out. 802.1X is a wireless standard, is it not?

It is 2am here so I am only half awake!
It appears not, so saith the Microsoft Gurus.

"But using it for wired security has some significant drawbacks. Working
with non-participating devices, as we discussed above, is one. Lack of
manageability is another: in AD group policy, several group policy objects
exist for you to manage 802.1X on wireless networks. These GPOs don't exist
for wired interfaces, and there are no published APIs for managing wired
802.1X client computers. Some architectural reasons prevent adding GPOs to
Windows 2000 and Windows XP for wired 802.1X. Because of this lack of
centralized management capability, large-scale 802.1X deployment on Windows
isn't feasible."

Steve Riley, Sr. Program Manager, Security Business and Technology Unit
So basically they are saying that it can't be done.

I have never heard of wired 802.1x. Maybe I have been living in the dark, but where in the world do you even find the config for it?
802.1x can be configured via Group Policy on the local machine, but most network admins prefer to use IPSEC.
You can also right-click your network connection and choose the Authentication tab to change the settings.
jzarris (ASKER)

Regarding Mad Jasper's comment, it is true that Microsoft does not allow for GPO for 802.1x, but saying that large-scale 802.1x deployments on Windows aren't feasible assumes that Microsoft is the authority on network security.  In truth, there are networking products that integrate with Active Directory and allow for GPO for 802.1x.  I know because I work for a company that has developed a secure switch that does just that and more.  For instance:

1.  When a computer starts up, the switch can decide to grant or deny the computer access to the network based on if it is in an AD group such as Domain Computers
2.  When a user logs into Windows, the switch can then allow that user to continue to use the network but set an inbound and outbound stateful firewall policy for that port for that user based on their group memberships in AD (a different policy for each AD group and merged policies for multiple group membership)
3.  Monitor all network traffic from that user looking for traffic anomalies (such as horizontal and vertical network scans) and signature based attacks at 10 Gbps.
4.  etc, etc...you get the idea

This network authentication can be achieved in a couple of different ways, and one of them is via 802.1x, but it requires that the network interfaces on each PC have certain 802.1x settings.  Since MS does not allow for setting 802.1x for WIRED interfaces in GPO, this can only be done manually, which is a huge pain in the backside in even a medium sized deployment.

The good news is that I figured out a way to do it via some reverse engineering.  In hkey_local_machine\software\microsoft\eapol\parameters\interfaces there are folders for each interface.  When you change 802.1x settings, there is a binary registry key that reflects those changes (but in no obvious way).  I have written a script that can push out the needed changes (such as EAP type) to that binary registry key to all interfaces and have added it to all users' login scripts.  I have tested this out in a network with over 100 workstations in the domain and it has worked flawlessly.

Thanks for everyone's comments.  If anyone figures out a way to do this with GPO I'd be very interested in hearing about it, but I have solved this problem in an acceptable way for the time being.
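The registry-based approach in the post above lends itself to a consistency check: before trusting that a login script has pushed the same 802.1x settings everywhere, compare each machine's per-interface binary value against a reference copy. The following is an added example, not code from this thread, from Microsoft, or from the asker's product. It parses a `reg export` of the HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces key, reports which interfaces match, drift from, or lack the reference blob, and builds the .reg fragment a login script would apply with `reg import`. The interface GUIDs, the value name "1" and the hex bytes in the sample are constructed placeholders; the real binary layout is undocumented (the post says as much), so the script treats the blob as opaque, and it assumes, as the asker's script does, that a blob captured from one machine is valid on another.

```python
import re

# Constructed sample of what `reg export HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces x.reg`
# looks like once decoded to text (reg.exe writes UTF-16LE; read the file with
# open(path, encoding="utf-16")). The interface GUIDs, the value name "1" and the
# hex bytes are made up for this example; the real binary layout is undocumented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\{11111111-0000-0000-0000-000000000001}]
"1"=hex:01,00,00,00,0d,00,00,00,\
  00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\{22222222-0000-0000-0000-000000000002}]
"1"=hex:01,00,00,00,19,00,00,00,\
  00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\{33333333-0000-0000-0000-000000000003}]
"Description"="constructed entry with no binary value"
"""

# Reference blob captured from a PC whose 802.1x settings were set by hand in the
# Authentication tab (constructed for this example; export it from the real reference PC).
REFERENCE = bytes.fromhex("01000000" "0d000000" "00000000")

INTERFACES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces"


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: bytes}}, keeping only hex:
    (REG_BINARY) values. reg.exe wraps long hex data with a trailing backslash;
    those continuation lines are joined before parsing."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    keys = {}
    current = None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=hex:" in line:
            name, _, data = line.partition("=hex:")
            keys[current][name.strip('"')] = bytes(int(b, 16) for b in data.split(",") if b)
    return keys


def check_interfaces(reg_text, reference, value_name="1"):
    """Return {interface_guid: 'ok' | 'drift' | 'missing'} for every interface
    subkey, so you can see which adapters the login script has not reached."""
    status = {}
    for path, values in parse_reg_export(reg_text).items():
        if not path.startswith(INTERFACES_KEY + "\\"):
            continue  # the parent Interfaces key itself, or an unrelated key
        guid = path[len(INTERFACES_KEY) + 1:]
        blob = values.get(value_name)
        if blob is None:
            status[guid] = "missing"
        elif blob == reference:
            status[guid] = "ok"
        else:
            status[guid] = "drift"
    return status


def build_push_reg(guids, reference, value_name="1"):
    """Build the .reg text a login script would apply with `reg import` to write
    the reference blob to each listed interface."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    hexdata = ",".join(f"{b:02x}" for b in reference)
    for guid in guids:
        lines.append(f"[{INTERFACES_KEY}\\{guid}]")
        lines.append(f'"{value_name}"=hex:{hexdata}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    result = check_interfaces(SAMPLE_REG, REFERENCE)
    for guid, state in result.items():
        print(f"{guid}: {state}")
    stale = [g for g, s in result.items() if s != "ok"]
    print(build_push_reg(stale, REFERENCE))
```

Run it against a real export by replacing SAMPLE_REG with the decoded contents of the .reg file; interfaces reported as "drift" or "missing" are the ones to re-run the login script on, and the generated fragment is what that script imports. Because the blob is opaque, any change to the intended 802.1x settings means capturing a new reference from the hand-configured PC rather than editing bytes.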
ASKER CERTIFIED SOLUTION
GranMod