Solved

How to authenticate computer before user log on, NPS Server Windows XP (SP3) Windows 7

Posted on 2011-05-11
Last Modified: 2013-12-04
Hello,
I have to set up 802.1x in my company, we are running with Windows Server 2008 R2.
All the machines will use wired connection to communicate with NPS Server.

In my company we have many requirements regarding networking rules.

1) We must have a local (non-domain) administrator account to manage any computer
2) We remotely take control of clients for maintenance purposes
3) We load scripts immediately after user login so as to mount personal network storage
4) The vlan must be dynamically assigned according to the user account

I succeeded in setting up the authentication through a domain user account. The problem is that the machine is placed on the network only a few minutes after the opening of the account, time during which the script is launched without having the network. So when the computer gets the network we can't see the attached network storages.

Another problem is that users who have never opened a session can't open a session, because the machine is not on the network and is not able to contact the domain controller.

To fix all those problems I am thinking about authenticating the machine before user log on, but I can't find any clear guide on the net that could help me to solve the problem. Do I need to use a certificate, and if so, how do I deploy it? I tried to deploy some computer certificates, but after creating the template I can't see them when I want to issue them in "certificates templates".

Also my Certification Authority and Domain controller are on the same machine.

Thanks for helping me.
Question by:Tony_David
10 Comments
 
LVL 18

Assisted Solution

by:x-men
x-men earned 2000 total points
ID: 35738841
try:
- Add the AD computer accounts to a group.
- Configure NPS Policy to allow network access to the AD Group containing the machines
0
 
LVL 18

Expert Comment

by:x-men
ID: 35738864
...keep in mind the order of the configured policies.
0
 

Author Comment

by:Tony_David
ID: 35738988
Well, I'm gonna work this way, thx
0
 

Author Comment

by:Tony_David
ID: 35750226
Hello x-men, your solution works fine with Windows 7, but I'm still not able to authenticate Windows XP SP3 clients.
Previously, on XP versions before SP3, it was possible to force computer-only authentication with this registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode=2

But this is no longer the case with SP3; Microsoft suggests trying this way:

http://support.microsoft.com/kb/929847/en-us

I tried to find the said "xml" file but I don't know where it is located on the system.

Does anyone know the place to find that "xml" file?

Thanks for help.
0
 
LVL 18

Assisted Solution

by:x-men
x-men earned 2000 total points
ID: 35752700
The xml is the profile you exported from the Windows 7 machine.
After you modify it, you import it on the XP SP through "netsh lan add profile filename=PathofXMLFile"
0
 

Accepted Solution

by:
Tony_David earned 0 total points
ID: 35752736
I finally found the solution:

http://social.technet.microsoft.com/forums/en-US/itproxpsp/thread/d6e0e005-ce31-434c-bc0e-6e8fc7e48a5e/


Before all, be sure that the "Wired AutoConfig" service is launched, as follows:

Start the service in the Services console. Click Start, right-click Computer, click Manage, and click Services and Applications. In the details pane, double-click Services, and then do one of the following:

To configure the startup type, right-click Wired AutoConfig, and then click Properties.
In Startup type, select Automatic, the recommended setting, and then click Start.
To start the service for the current session only, right-click Wired AutoConfig, and then click Start.


To Authenticate only Computer account :


1. Open Command Prompt

2. Type: netsh lan export profile folder=C:\   //This should export the XML for your LAN setup

3. Open C:\Local Area Connection.xml in Notepad  //We need to add the line <authMode>machine</authMode>    //The xml filename could change according to XP language version. Be sure to open the correct generated file.

You don't need to add or modify any other lines than the needed one.

4. Save the XML file and close notepad

5. At the command prompt type: netsh lan add profile filename="C:\Local Area Connection.xml" //The xml filename could change according to XP language version. Be sure to type the correct generated filename.

6. The profile should be added without any errors.  
7. Reboot the machine and you should authenticate based on the machine name.

PS: The machine should be part of the domain.


Sources :
http://technet.microsoft.com/en-us/library/cc749352(WS.10).aspx
http://social.technet.microsoft.com/forums/en-US/itproxpsp/thread/d6e0e005-ce31-434c-bc0e-6e8fc7e48a5e/

0
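The edit from steps 2 to 5 of the accepted solution, as an added Python example that is not part of the original post: it inserts the authMode line into the text of an exported profile without changing any other line, and reads the value back so a profile can be checked before import. The sample profile is constructed, the function names are hypothetical, and placing authMode ahead of singleSignOn/EAPConfig inside the OneX element is an assumption about the profile schema.

```python
import re
import xml.etree.ElementTree as ET

ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"
AUTH_LINE = "<authMode>machine</authMode>"

# Constructed sample of an exported wired profile (not taken from the thread).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>true</cacheUserData>
        <EAPConfig><!-- EAP method settings, left untouched --></EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>
"""

def get_auth_mode(profile_xml):
    """Return the authMode value inside the OneX element, or None if absent."""
    root = ET.fromstring(profile_xml)  # raises ParseError on malformed XML
    onex = root.find(f".//{{{ONEX_NS}}}OneX")
    if onex is None:
        raise ValueError("no OneX element: 802.1X is not configured in this profile")
    node = onex.find(f"{{{ONEX_NS}}}authMode")
    return None if node is None else (node.text or "").strip()

def set_machine_auth(profile_xml):
    """Return the profile with authMode set to machine; no other line changes."""
    if get_auth_mode(profile_xml) is not None:
        # Element already present: rewrite only its value.
        return re.sub(r"<authMode>[^<]*</authMode>", AUTH_LINE, profile_xml, count=1)
    # Assumption: authMode goes ahead of singleSignOn/EAPConfig inside OneX.
    m = re.search(r"^([ \t]*)<(?:singleSignOn|EAPConfig|/OneX)\b", profile_xml, re.M)
    if m is None:
        raise ValueError("could not find an insertion point inside OneX")
    eol = "\r\n" if "\r\n" in profile_xml else "\n"  # keep the file's line endings
    return profile_xml[:m.start()] + m.group(1) + AUTH_LINE + eol + profile_xml[m.start():]

if __name__ == "__main__":
    patched = set_machine_auth(SAMPLE_PROFILE)
    print(get_auth_mode(SAMPLE_PROFILE), "->", get_auth_mode(patched))
    print(patched)
```

Pass the text of the exported file through set_machine_auth, write the result back, then import it with the netsh lan add profile command from step 5.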
 
LVL 18

Expert Comment

by:x-men
ID: 35752821
...
0
 

Author Comment

by:Tony_David
ID: 35752949
x-men, so you mean that I can use the same xml file for all machines?
0
 
LVL 18

Expert Comment

by:x-men
ID: 35800187
that's my interpretation of the article
0
 

Expert Comment

by:South Mod
ID: 35868806
All,
 
Following an 'Objection' by x-men (at http://www.experts-exchange.com/Q_27036136.html) to the intended closure of this question, it has been reviewed by at least one Moderator and is being closed as recommended by the Expert.
 
At this point I am going to re-start the auto-close procedure.
 
Thank you,
 
SouthMod
Community Support Moderator
0
