I need to automate the wired 802.1x settings on over 5000 Windows XP SP3 clients across 40 WAN sites. Deploying scripts to change the registry key under "HKLM\software\microsoft\e
rfaces" is not a very reliable option for different hardware profiles and does not give 100% assurance.
I have already extended the Windows 2003 AD schema as per the Technet article http://technet.microsoft.com/en-us/bb727029.aspx. However, I still cannot find any options in the GPO for "Wired 802.1x", or even an option for the "dot3svc: Wired AutoConfig" service startup type. Am I supposed to see those settings after extending the schema or not?
Has anybody come across how to accomplish the issues below via GPO in a Windows 2003 Active Directory for Windows XP SP3 clients?
1.) "Wired AutoConfig Service > Automatic Startup" using Windows 2003 GPO without scripted registry modification option
2.) "Wired 802.1x Settings" using Windows 2003 GPO
3.) Forcing the Windows XP SP3 clients to use "machine authentication" only instead of combined "machine and user authentication" using Windows 2003 GPO. (As far as I have checked, machine authentication is used when nobody has logged in yet, and it authenticates only as "user authentication" after the user has logged in, either locally or with a cached profile.) The reason is that I just want to define the Machine Authentication option only in the RADIUS and avoid using the User Authentication option combined with it. Otherwise unauthorized workstations with persons possessing the correct login credentials could still be able to connect to the wired network ports. The Microsoft Technet article using "netsh lan" and modification of the XML output file only works for Vista and does not work for Windows XP. Or, if that does work for Windows XP, what are the requirements before I am able to do that?
4.) How to produce a report using IAS, similar to Cisco ACS, for failed and successful authentications. (It is not convenient to check with the Event Viewer filter only.) Are there any Microsoft tools or 3rd party products for this? It would be really convenient to view, on a single page, line by line, each success/failure for machines and users, together with the NAS IP and the reason for failure.
5.) Has anybody come across EAPOL messages not being sent/received at all on some of the Cisco Cat3560 and Cat3750 series? I could assume it is an IOS bug, but it is working on some switches and not on others, even with the same IOS versions. Could it be misconfigured client workstations?
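For the reporting wish in item 4, the line-by-line success/failure view can be produced from the IAS-format log files instead of the Event Viewer. The script below is an added example, not part of the original post; it assumes the IAS-format layout of six fixed leading fields (NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name) followed by attribute/value pairs, with attribute 4136 as Packet-Type (2 = Access-Accept, 3 = Access-Reject) and 4142 as Reason-Code, and the log lines and reason-code names are constructed samples.

```python
import csv
from collections import Counter

# Constructed sample IAS-format log lines (not real data). Each line:
# NAS-IP,User-Name,Date,Time,Service,Server,<attr-id>,<value>,...
SAMPLE_LOG = """\
10.1.2.3,host/pc01.example.local,10/20/2008,08:15:02,IAS,IAS01,4136,1
10.1.2.3,host/pc01.example.local,10/20/2008,08:15:02,IAS,IAS01,4136,2,4142,0
10.1.2.7,jdoe,10/20/2008,08:16:40,IAS,IAS01,4136,1
10.1.2.7,jdoe,10/20/2008,08:16:41,IAS,IAS01,4136,3,4142,16
10.1.2.9,host/unknown.example.local,10/20/2008,08:20:05,IAS,IAS01,4136,3,4142,8
"""

PACKET_TYPE = "4136"   # assumed attribute id for Packet-Type
REASON_CODE = "4142"   # assumed attribute id for Reason-Code
ACCEPT, REJECT = "2", "3"
# Assumed reason-code meanings; extend from the IAS documentation as needed.
REASONS = {"0": "success", "8": "no such user", "16": "credentials mismatch"}


def parse_ias_line(line):
    """Return an outcome record for Accept/Reject lines, else None."""
    fields = next(csv.reader([line]))
    if len(fields) < 6:
        return None
    nas_ip, user, date, clock, _service, _server = fields[:6]
    attrs = dict(zip(fields[6::2], fields[7::2]))  # pair ids with values
    ptype = attrs.get(PACKET_TYPE)
    if ptype not in (ACCEPT, REJECT):
        return None  # Access-Request / accounting lines carry no outcome
    reason = attrs.get(REASON_CODE, "")
    return {
        "when": f"{date} {clock}",
        "nas_ip": nas_ip,
        "user": user,
        "result": "SUCCESS" if ptype == ACCEPT else "FAILURE",
        "reason": REASONS.get(reason, f"code {reason}"),
        # host/... identities are machine accounts, the rest user logons
        "is_machine": user.lower().startswith("host/"),
    }


def build_report(text):
    """One row per authentication outcome, in log order."""
    return [r for r in (parse_ias_line(l) for l in text.splitlines()) if r]


def summarize(rows):
    """Count successes and failures across the report."""
    return Counter(r["result"] for r in rows)


if __name__ == "__main__":
    rows = build_report(SAMPLE_LOG)
    for r in rows:
        kind = "machine" if r["is_machine"] else "user"
        print(f'{r["when"]}  {r["result"]:7}  {kind:7}  {r["user"]:30}  '
              f'NAS {r["nas_ip"]:12}  {r["reason"]}')
    print(dict(summarize(rows)))
```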