Solved

Automating "Wired" 802.1x settings for Windows XP SP3 clients using Windows 2003 Domain GPO

Posted on 2009-07-01
Last Modified: 2013-12-04
I need to automate the WIRED 802.1x settings on over 5000 Windows XP SP3 clients across 40 WAN sites. Deploying scripts to change the registry key under "HKLM\software\microsoft\eapol\parameters\interfaces" is not a very reliable option for different hardware profiles and gives no 100% assurance.

I have already extended the Windows 2003 AD schema as per the Technet article "http://technet.microsoft.com/en-us/bb727029.aspx". However, I still cannot find any options in the GPO for "Wired 802.1x", or even an option for the "dot3svc: Wired AutoConfig" service startup type. Am I supposed to see those settings after extending the schema or not?

Has anybody come across how to accomplish the issues below via GPO in Windows 2003 Active Directory for Windows XP SP3 clients?

1.) "Wired AutoConfig Service > Automatic Startup" using Windows 2003 GPO without scripted registry modification option

2.) "Wired 802.1x Settings" using Windows 2003 GPO

3.) Forcing the Windows XP SP3 clients to use "machine authentication" only instead of combined "machine and user authentication" using Windows 2003 GPO. (As far as I have checked, machine authentication is used when nobody is logged in yet, and it authenticates only as "user authentication" after the user has logged in, either locally or with a cached profile.) The reason is that I just want to define the Machine Authentication option only in the RADIUS and avoid using the User Authentication option combined with it. Otherwise unauthorized workstations with persons possessing the correct login credentials could still be able to connect to the wired network ports. The Microsoft Technet article using "netsh lan" and modification of the XML output file only works for Vista and doesn't work for Windows XP. Or if that does work for Windows XP, what are the requirements before being able to do that?

4.) How to accomplish a report using IAS similar to Cisco ACS for failed and successful authentications. (It is not convenient to check in Event Viewer with a filter only.) Are there any Microsoft tools or 3rd party products for this? It is really convenient to view on a single page, line by line, each success/failure with the machines and users and the NAS IP, with the reason for failure.

5.) Has anybody come across EAPOL messages not being sent/received at all on some of the Cisco Cat3560 and Cat3750 series? I could assume it is an IOS bug, but it is working for some switches and not on others, even with the same IOS versions. Could it be misconfigured client workstations?


Question by:tyroon
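Question 4 asks for a single-page, line-per-attempt view of IAS successes and failures with the NAS IP and the failure reason, and question 3 needs a way to tell machine authentications from user authentications. The script below is an added example for this thread, not code from the question, the answers, or Microsoft. It reads IAS-format log records (the comma-separated format whose first six fields are NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name and Computer-Name, followed by attribute-id/value pairs) and prints that view. It assumes attribute 4136 carries Packet-Type (2 = Access-Accept, 3 = Access-Reject) and attribute 4142 the Reason-Code, and the reason-code names are a small subset of the IAS reason-code table; the log lines embedded in it are constructed for the demonstration.

```python
"""One-line-per-attempt report of IAS (Windows 2003 RADIUS) authentication outcomes.

Added example; assumptions: IAS-format logging (not the database-compatible
format), attribute 4136 = Packet-Type, attribute 4142 = Reason-Code, and the
six header fields NAS-IP-Address, User-Name, Record-Date, Record-Time,
Service-Name, Computer-Name. SAMPLE_LOG is constructed, not real server output.
"""
import csv

PACKET_TYPE = "4136"   # assumed IAS attribute id: 1 request, 2 accept, 3 reject
REASON_CODE = "4142"   # assumed IAS attribute id: numeric reason for the verdict

# Subset of the IAS reason-code table; anything else is reported by number.
REASONS = {
    0: "IAS_SUCCESS",
    8: "IAS_NO_SUCH_USER",
    16: "IAS_AUTH_FAILURE",
    34: "IAS_ACCOUNT_DISABLED",
    36: "IAS_ACCOUNT_LOCKED_OUT",
    48: "IAS_NO_POLICY_MATCH",
    66: "IAS_INVALID_AUTH_TYPE",
}

# Constructed sample: two sites, machine and user identities, accepts and rejects.
SAMPLE_LOG = """\
10.1.20.2,host/pc0412.corp.example,07/01/2009,08:02:11,IAS,RADIUS01,4136,1
10.1.20.2,host/pc0412.corp.example,07/01/2009,08:02:11,IAS,RADIUS01,4136,2,4142,0
10.1.20.2,CORP\\jsmith,07/01/2009,08:05:42,IAS,RADIUS01,4136,3,4142,48
10.1.33.7,CORP\\PC0911$,07/01/2009,08:07:03,IAS,RADIUS01,4136,2,4142,0
10.1.33.7,host/laptop77.corp.example,07/01/2009,08:09:30,IAS,RADIUS01,4136,3,4142,16
10.1.33.7,CORP\\contractor1,07/01/2009,08:11:15,IAS,RADIUS01,4136,3,4142,8
"""


def parse_record(line):
    """Split one IAS-format record into its header fields and an attribute dict."""
    fields = next(csv.reader([line]))
    if len(fields) < 6:
        raise ValueError(f"short IAS record: {line!r}")
    nas_ip, user, date, time_, _service, server = fields[:6]
    attrs = dict(zip(fields[6::2], fields[7::2]))
    return {"nas_ip": nas_ip, "user": user, "when": f"{date} {time_}",
            "server": server, "attrs": attrs}


def identity_kind(user):
    """Machine auth appears as host/<fqdn> (EAP-TLS) or DOMAIN\\NAME$ (PEAP); else user."""
    return "machine" if user.startswith("host/") or user.endswith("$") else "user"


def outcomes(log_text):
    """Return one row per server verdict (Access-Accept / Access-Reject)."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        ptype = rec["attrs"].get(PACKET_TYPE)
        if ptype not in ("2", "3"):      # skip requests; only verdicts are reported
            continue
        code = int(rec["attrs"].get(REASON_CODE, "0"))
        rows.append({
            "when": rec["when"], "nas_ip": rec["nas_ip"], "user": rec["user"],
            "kind": identity_kind(rec["user"]),
            "result": "ACCEPT" if ptype == "2" else "REJECT",
            "reason": REASONS.get(code, f"code {code}"),
        })
    return rows


def summary(rows):
    """Totals, split so user-credential rejects under a machine-only policy stand out."""
    out = {"accept": 0, "reject": 0, "user_rejects": 0, "machine_rejects": 0}
    for r in rows:
        if r["result"] == "ACCEPT":
            out["accept"] += 1
        else:
            out["reject"] += 1
            out[f"{r['kind']}_rejects"] += 1
    return out


def format_report(rows):
    """Fixed-width table, one line per attempt, in the style of an ACS report."""
    lines = [f"{'TIME':<20} {'NAS-IP':<12} {'KIND':<8} {'RESULT':<7} {'USER':<30} REASON"]
    for r in rows:
        lines.append(f"{r['when']:<20} {r['nas_ip']:<12} {r['kind']:<8} "
                     f"{r['result']:<7} {r['user']:<30} {r['reason']}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = outcomes(SAMPLE_LOG)
    print(format_report(rows))
    print(summary(rows))
```

Against a real server, pass the contents of the IAS log file to outcomes() instead of SAMPLE_LOG. Rows of kind "user" that are rejected while a machine-only remote access policy is in force are the case the question worries about: someone with valid domain credentials on a workstation that is not a domain member, which the policy correctly refuses and which the report now makes visible per NAS IP.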

Expert Comment

by:Rich Rumble
ID: 24830093
#1 and #2 Try this KB first: http://support.microsoft.com/kb/953650
XP SP3 did change some 802.1x settings: http://support.microsoft.com/kb/949984/
Once you have the service auto-starting we can proceed. What are you using to authenticate, ACS Radius if I read correctly?
Have a look here:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swauthen.html#wpxref83693
#3 Machine only: http://support.microsoft.com/kb/929847/
#4 ... have to wait..
-rich

Expert Comment

by:Rich Rumble
ID: 24998463
I've laid out how to go about this... The answers are there.
-rich

Author Comment

by:tyroon
ID: 24999181
I was expecting a more elaborate answer than that, one which could lead to a practical working solution. I wouldn't be posting if I found the Microsoft KB and Technet sufficient, let alone ones I've already read. And only partial portions of the questions were answered, even though I've come across them already.

Expert Comment

by:Rich Rumble
ID: 24999598
Exactly, I assumed it was abandoned. What isn't working or doesn't satisfy? The GPO settings are all laid out in the links; do the settings not take effect? The machine-only article should also help you with your authentication. Do you need help configuring your switch configs to use 802.1x? What switches and IOS/CatOS or other are they? I know nothing of your environment other than that you have Windows.
-rich

Author Comment

by:tyroon
ID: 24999617
Hi Rich,

2.) "Wired 802.1x Settings" using Windows 2003 GPO

Is this GPO option supposed to appear after the AD schema has been extended? Or is it only available for Vista/2008?

Author Comment

by:tyroon
ID: 24999675
I don't need help with configuring the switch. But I had a question about missing EAPOL messages.

My question #5 mentioned that the access switches are Cat3560 and Cat3750 with the same IOS version. Regarding the version, most of them are on 12.2.

My configuration on the switches is as below:
!
aaa authentication dot1x group radius
radius-server host w.x.y.z key some-key-here
!
dot1x system-auth-control
!
interface x/y
 dot1x port-control auto
!
I don't need guest VLANs, as my main purpose is to authenticate the machine and block the port if it is not from the domain. I don't have any problems with that configuration on Cat2950, Cat2960, Cat3550, Cat3560, Cat3750 and Cat4500, except that some switches don't process EAPOL messages even though other switches with the same model/IOS process them perfectly.

Expert Comment

by:Rich Rumble
ID: 25003512
Yes for 2003 you need to extend the schema: http://technet.microsoft.com/en-us/library/bb727029.aspx#EBAA (says vista, but applies to sp3 too)
Not sure about the EAPOL; are there any specific messages? Sounds like a config or connectivity issue to RADIUS? Also there is software out there like FreeNAC/PacketFence and others that utilize SNMP traps as well as 802.1x to assign ports to the proper VLANs, making it easier to manage dumb devices like printers or some VoIP phones, and even computers that aren't running 802.1x, by assigning them to the proper VLANs. Just an FYI.
-rich

Author Comment

by:tyroon
ID: 25005567
Hi Rich, so after the schema extension, I will see "Wired AutoConfig" settings in the GPO?

Accepted Solution

by:Rich Rumble (earned 500 total points)
ID: 25005934
Yes, it should appear in Computer Configuration -> Windows Settings -> Security Settings -> System Services
-rich

Author Comment

by:tyroon
ID: 25009171
Thanks Rich. That's what I needed confirmation on. It didn't work when I tried it last time. Will check again.