• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3597
  • Last Modified:

How to authenticate computer before user log on, NPS Server Windows XP (SP3) Windows 7

Hello,
I have to set up 802.1X in my company; we are running Windows Server 2008 R2.
All the machines will use a wired connection to communicate with the NPS server.

In my company we have many requirements regarding networking rules.

1) We must have a local (non-domain) administrator account to manage any computer
2) We remotely take control of clients for maintenance purposes
3) We load scripts immediately after user login so as to mount personal network storage
4) The VLAN must be dynamically assigned according to the user account

I succeeded in setting up the authentication through a domain user account; the problem is that the machine is placed on the network only a few minutes after the opening of the session, time during which the script is launched without having the network. So when the computer gets the network we can't see the attached network storage.

Another problem is that users who have never opened a session can't open one, because the machine is not on the network and is not able to contact the domain controller.

To fix all those problems I am thinking about authenticating the machine before the user logs on, but I don't find any clear guide on the net that could help me solve the problem. Do I need to use a certificate, and if so how do I deploy it? I tried to deploy some computer certificates, but after creating the template I can't see them when I want to issue them in "Certificate Templates".

Also my Certification Authority and Domain controller are on the same machine.

Thanks for helping me.
0
Tony_David
Asked:
Tony_David
3 Solutions
 
x-men (IT super hero) Commented:
try:
- Add the AD computer accounts to a group.
- Configure the NPS policy to allow network access to the AD group containing the machines
0
 
x-men (IT super hero) Commented:
...keep in mind the order of the configured policies.
0
 
Tony_David (Author) Commented:
Well, I'm gonna work this way, thx
0
 
Tony_David (Author) Commented:
Hello x-men, your solution works fine with Windows 7, but I'm still not able to authenticate the Windows XP SP3 client.
Previously, on XP versions before SP3, it was possible to force computer-only authentication with this registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode=2

But this is no longer the case with SP3; Microsoft suggests trying this way:

http://support.microsoft.com/kb/929847/en-us

I tried to find the said "xml" file but I don't know where it is located on the system.

Does anyone know where to find that "xml" file?

Thanks for help.
0
 
x-men (IT super hero) Commented:
the xml is the profile you exported from the Windows 7 machine.
after you modify it, you import it on the XP SP3 through "netsh lan add profile filename=PathofXMLFile"
0
 
Tony_David (Author) Commented:
I finally found the solution:

http://social.technet.microsoft.com/forums/en-US/itproxpsp/thread/d6e0e005-ce31-434c-bc0e-6e8fc7e48a5e/


Before all, be sure that the "Wired AutoConfig" service is started; proceed as follows:

Start the service in the Services console. Click Start, right-click Computer, click Manage, and click Services and Applications. In the details pane, double-click Services, and then do one of the following:

- To configure the startup type, right-click Wired AutoConfig, and then click Properties. In Startup type, select Automatic (the recommended setting), and then click Start.
- To start the service for the current session only, right-click Wired AutoConfig, and then click Start.


To authenticate only the computer account:

1. Open a command prompt.

2. Type: netsh lan export profile folder=C:\
   This exports the XML for your LAN setup.

3. Open C:\Local Area Connection.xml in Notepad and add the line <authMode>machine</authMode>.
   The XML filename can change according to the XP language version; be sure to open the correct generated file.
   You don't need to add or modify any lines other than the needed one.

4. Save the XML file and close Notepad.

5. At the command prompt type: netsh lan add profile filename="C:\Local Area Connection.xml"
   Again, the XML filename can change according to the XP language version; be sure to type the correct generated filename.

6. The profile should be added without any errors.

7. Reboot the machine and you should authenticate based on the machine name.

PS: The machine must be a member of the domain.


Sources :
http://technet.microsoft.com/en-us/library/cc749352(WS.10).aspx
http://social.technet.microsoft.com/forums/en-US/itproxpsp/thread/d6e0e005-ce31-434c-bc0e-6e8fc7e48a5e/

0
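The XML edit in steps 3 and 4 above (and x-men's earlier note about modifying an exported profile before importing it with netsh lan add profile), as an added example that is not part of the original thread and not Microsoft's code: a Python script that performs the offline edit of an exported wired 802.1X profile, setting <authMode> inside the <OneX> block instead of editing the file by hand. The trimmed sample profile below is constructed for the example; the OneX namespace URI and the placement of <authMode> before <EAPConfig> are my assumptions based on profiles exported from Windows clients, so check them against the file your own netsh lan export profile produces. The netsh export and import steps themselves are unchanged and still run on the XP client.

```python
"""Set <authMode> in an exported wired 802.1X (netsh lan) profile, offline.

Added example for the thread's step "add the line <authMode>machine</authMode>".
Not code from the original thread or from Microsoft. The sample XML is a
constructed, trimmed profile; the real input is the file written by
    netsh lan export profile folder=C:\\
and the edited output is what you feed to netsh lan add profile.
"""
import sys
from xml.dom import minidom

# Namespace of the <OneX> block in exported profiles (assumption, verify on your file).
ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"
# Values allowed for <authMode>: who presents credentials to the NPS server.
VALID_MODES = ("machineOrUser", "machine", "user")

# Constructed sample of an exported wired profile (no <authMode> yet; EAP type 25 = PEAP).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>true</cacheUserData>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
            </EapMethod>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>
"""


def get_auth_mode(xml_text):
    """Return the current <authMode> text, or None if the element is absent."""
    doc = minidom.parseString(xml_text)
    nodes = doc.getElementsByTagNameNS(ONEX_NS, "authMode")
    if not nodes:
        return None
    return nodes[0].firstChild.data.strip() if nodes[0].firstChild else ""


def set_auth_mode(xml_text, mode="machine"):
    """Return the profile text with <authMode> set to `mode` inside <OneX>.

    Updates an existing element in place; otherwise inserts one before
    <EAPConfig> (schema order, my assumption) or appends it if there is no
    <EAPConfig>. Nothing else in the profile is touched. Raises ValueError
    when the profile has no <OneX> block, i.e. 802.1X is not configured on
    that interface, so there is nothing to switch to machine authentication.
    """
    if mode not in VALID_MODES:
        raise ValueError("authMode must be one of %s" % (VALID_MODES,))
    doc = minidom.parseString(xml_text)
    onex_nodes = doc.getElementsByTagNameNS(ONEX_NS, "OneX")
    if not onex_nodes:
        raise ValueError("no <OneX> element: not an 802.1X wired profile")
    onex = onex_nodes[0]
    existing = onex.getElementsByTagNameNS(ONEX_NS, "authMode")
    if existing:
        node = existing[0]
        while node.firstChild:            # drop the old value
            node.removeChild(node.firstChild)
    else:
        # Created without a prefix, so it inherits the default namespace that
        # <OneX xmlns="..."> declares; minidom keeps the original xmlns attributes.
        node = doc.createElementNS(ONEX_NS, "authMode")
        eap = onex.getElementsByTagNameNS(ONEX_NS, "EAPConfig")
        if eap:
            onex.insertBefore(node, eap[0])
        else:
            onex.appendChild(node)
    node.appendChild(doc.createTextNode(mode))
    return doc.toxml()


if __name__ == "__main__":
    # Usage: python set_authmode.py "C:\Local Area Connection.xml" [machine|user|machineOrUser]
    # With no arguments the constructed sample is edited and printed.
    if len(sys.argv) >= 2:
        path = sys.argv[1]
        wanted = sys.argv[2] if len(sys.argv) > 2 else "machine"
        with open(path, "r", encoding="utf-8") as fh:
            edited = set_auth_mode(fh.read(), wanted)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(edited)
        print("authMode is now %s in %s" % (get_auth_mode(edited), path))
    else:
        print(set_auth_mode(SAMPLE_PROFILE))
```

Run it against the exported file, then import the result with netsh lan add profile exactly as in step 5. One consequence worth keeping in mind for requirement 4 of the question: with authMode set to machine, only the computer account is presented to NPS, so a VLAN can be assigned per computer group but not per user account; machineOrUser keeps both identities available at the cost of the logon-time gap the question describes.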
 
x-men (IT super hero) Commented:
...
0
 
Tony_David (Author) Commented:
x-men, so you mean that I can use the same xml file for all machines?
0
 
x-men (IT super hero) Commented:
that's my interpretation of the article
0
 
SouthMod (Moderator) Commented:
All,
 
Following an 'Objection' by x-men (at http://www.experts-exchange.com/Q_27036136.html) to the intended closure of this question, it has been reviewed by at least one Moderator and is being closed as recommended by the Expert.
 
At this point I am going to re-start the auto-close procedure.
 
Thank you,
 
SouthMod
Community Support Moderator
0