Solved

Automating "Wired" 802.1x settings for Windows XP SP3 clients using Windows 2003 Domain GPO

Posted on 2009-07-01
Last Modified: 2013-12-04
I need to automate the WIRED 802.1x settings on over 5000 Windows XP SP3 clients across 40 WAN sites. Deploying scripts to change the registry key under "HKLM\software\microsoft\eapol\parameters\interfaces" is not a very reliable option for different hardware profiles and gives no 100% assurance.

I have already extended the Windows 2003 AD Schema as per the Technet article "http://technet.microsoft.com/en-us/bb727029.aspx". However, I still cannot find any options in the GPO for the "Wired 802.1x" settings, nor even an option for the "dot3svc: Wired AutoConfig" service startup type. Am I supposed to see those settings after the extended schema or not?

Has anybody come across how to accomplish the issues below via GPO in Windows 2003 Active Directory for Windows XP SP3 clients?

1.) "Wired AutoConfig Service > Automatic Startup" using Windows 2003 GPO without scripted registry modification option

2.) "Wired 802.1x Settings" using Windows 2003 GPO

3.) Forcing the Windows XP SP3 clients to use "machine authentication" only instead of combined "machine and user authentication" using Windows 2003 GPO. (As far as I have checked, machine authentication is used when nobody has logged in yet, and it authenticates only as "user authentication" after the user has logged in either locally or with a cached profile). The reason is that I just want to define the Machine Authentication option only in the Radius and avoid using the User Authentication option combined with it. Otherwise unauthorized workstations with persons possessing the correct login credentials could still be able to connect to the wired network ports. The Microsoft Technet article using "netsh lan" and modifying the XML output file only works for Vista and doesn't work for Windows XP. Or if that does work for Windows XP, what are the requirements before being able to do that?

4.) How to produce a report using IAS similar to Cisco ACS for failed authentications and successful authentications. (It is not convenient to check with the Event Viewer filter only). Are there any Microsoft tools or 3rd party products for this? It is really convenient to view on a single page, line by line, each success/failure for machines and users, with the NAS IP and the reason for failure.

5.) Has anybody come across EAPOL messages not being sent/received at all on some of the Cisco Cat3560 and Cat3750 series? I could assume it is an IOS bug, but it is working on some switches and not on others even with the same IOS versions. Could it be misconfigured client workstations?


Question by:tyroon

Expert Comment

by:Rich Rumble
#1 and #2 Try this KB first: http://support.microsoft.com/kb/953650
XP SP3 did change some 802.1x settings: http://support.microsoft.com/kb/949984/
Once you have the service auto-starting we can proceed. What are you using to authenticate, ACS Radius if I read correctly?
Have a look here:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swauthen.html#wpxref83693
#3 Machine only: http://support.microsoft.com/kb/929847/
#4 ... have to wait..
-rich

Expert Comment

by:Rich Rumble
I've laid out how to go about this... The answers are there.
-rich
Author Comment

by:tyroon
I was expecting a more elaborate answer than that, one which could lead to a practical working solution. I wouldn't be posting if I found the Microsoft KB and Technet articles sufficient, let alone ones I've already read. And only partial portions of the questions were answered, even though I've come across them already.

Expert Comment

by:Rich Rumble
Exactly, I assumed it was abandoned. What isn't working or doesn't satisfy? The GPO settings are all laid out in the links; do the settings not take effect? The machine-only article should also help you with your authentication. Do you need help configuring your switch configs to use 802.1x? What switches and IOS/CatOS or other are they? I know nothing of your environment other than that you have Windows.
-rich
Author Comment

by:tyroon
Hi Rich,

2.) "Wired 802.1x Settings" using Windows 2003 GPO

Is this GPO option supposed to appear after the AD schema has been extended? Or is it only available for Vista/2008?

Author Comment

by:tyroon
I don't need help configuring the switch, but I had a question about missing EAPOL messages.

My question #5 mentioned that the access switches are Cat3560 and Cat3750 with the same IOS version. Regarding the version, most of them are on 12.2.

My configuration on the switches is as below:
!
! send 802.1X (dot1x) authentication to the RADIUS server group;
! IOS requires a method-list name ("default") here and "aaa new-model" enabled
aaa authentication dot1x default group radius
radius-server host w.x.y.z key some-key-here
!
! enable 802.1X globally on the switch
dot1x system-auth-control
!
interface x/y
 ! require 802.1X authentication before this access port forwards traffic
 dot1x port-control auto
!
I don't need guest VLANs as my main purpose is to authenticate the machine and block the port if it is not from the domain. I don't have any problems with that configuration on Cat2950, Cat2960, Cat3550, Cat3560, Cat3750 and Cat4500, except that some switches don't process EAPOL messages even though other switches with the same model/IOS process them perfectly.

Expert Comment

by:Rich Rumble
Yes for 2003 you need to extend the schema: http://technet.microsoft.com/en-us/library/bb727029.aspx#EBAA (says vista, but applies to sp3 too)
Not sure about the EAPOL; are there any specific messages? Sounds like a config or connectivity issue to radius? Also there is software out there like FreeNAC/PacketFence and others that utilize snmp-traps as well as 802.1x to assign ports to the proper VLANs, making it easier to manage dumb devices like printers or some voip phones, and even computers that aren't running 802.1x, by assigning them to the proper VLANs. Just an FYI.
-rich
Author Comment

by:tyroon
Hi Rich, so after the schema extension, I will see "Wired AutoConfig" settings in the GPO?

Accepted Solution

by:
Rich Rumble earned 500 total points
Yes, it should appear in Computer Configuration -> Windows Settings -> Security Settings -> System Services
-rich
Author Comment

by:tyroon
Thanks Rich. That's what I needed confirmation on. It didn't work when I tried it last time. Will check again.