Solved

Protected EAP properties - uncheck validate server certificate

Posted on 2014-01-22
Last Modified: 2014-01-31
Hello Experts!

Environment:  Windows 7 Enterprise, 64-bit
802.1x authenticated network

Question:

On a client PC, when the Wired AutoConfig (DOT3SVC) service is started, the Authentication tab is added to Local Area Connection properties for 802.1x authentication configuration.

IEEE 802.1X authentication is Enabled.
Authentication Method:  Microsoft: Protected EAP (PEAP) > Settings > Validate Server Certificate is checked.

I would like a command line command that will UNcheck the 'Validate Server Certificate' on a client PC.  I need to do this across an environment of 10k+ systems, so once I have the command I will deploy the command via SCCM.

What is the command line command to UNcheck this setting?


Thank you!
Question by: Irrylyn

Accepted Solution

by:
footech earned 500 total points
ID: 39801891
If there is one, I'm unaware of it, though you could probably script a change to the registry for this.  This is in effect what a Group Policy setting does, which is what I would recommend to use.  Create a Wired Policy under Computer Configuration > Policies > Windows Settings > Security Settings > Wired Network (IEEE 802.3) Policies, and configure it with the settings you want your clients to have.

However, with proper certificates in place, this wouldn't be necessary.

Author Comment

by:Irrylyn
ID: 39805271
Shouldn't be necessary.  We switched to computer authentication only and have found lots of machines can't connect if the validate certs is checked.  We don't have our own CA but all of our root certs are on the image and good, so not sure why this is an issue.  Once we uncheck the validate certs, there's no problem connecting.

Probably a config in ACS or something but I'm in desktop, not networking so I just try to do what I can.

I'll take a look at GPO tomorrow and let you know.  Thank you.

Expert Comment

by:footech
ID: 39805330
I'm not familiar enough with switches config to speculate on why some might work and others wouldn't.  But given that unchecking the validate option resolves the issue, really the only reason I can think of that some would work and others wouldn't in this context is that they don't all have the same certificates for the certification path (like missing an intermediate certificate).  That's not to say there might not be other possibilities, I just can't think of them.

Author Comment

by:Irrylyn
ID: 39824233
Well I've been trying to find a way.  Silly that there isn't one... a reg key or SOMETHING.  Haven't had a chance to look at GPO yet though.  Our place is backa$$words when it comes to managing via GPO.  They hate doing it.  They think we should manage everything through SCCM.  I personally think GPO should be used more, but I'm not the boss  :)

Thanks for the suggestion and I may start pushing for it.  For now, to please the paycheck, I'm exporting a LAN profile that's set the way I want it then going to push a .bat file that imports it into each client via SCCM.

Expert Comment

by:footech
ID: 39824567
Only way that I can think of to find the actual registry location would be to look at the .ADMX files and trace it back from there.  But if you have a solution with an exported LAN profile then it's probably not worth the effort for you.
0
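
An audit-side check for the exported LAN profile approach mentioned in the thread above, added here as an example and not part of the original posts: it reads a wired profile XML and reports whether PEAP server certificate validation has been turned off. The element names (`PerformServerValidation`, `TrustedRootCA`, `ServerNames`) follow Microsoft's PEAP profile schema and should be confirmed against your own export; the sample profile and the function name `Get-PeapValidationFinding` are constructed for illustration.

```powershell
# Constructed sample: trimmed PEAP part of an exported wired profile (values made up).
$sample = @'
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
 <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
  <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
   <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
    <Type>25</Type>
    <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
     <ServerValidation><ServerNames></ServerNames></ServerValidation>
     <PeapExtensions>
      <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
     </PeapExtensions>
    </EapType>
   </Eap>
  </Config></EapHostConfig>
 </EAPConfig></OneX></security></MSM>
</LANProfile>
'@

function Get-PeapValidationFinding {
    param([Parameter(Mandatory = $true)][string]$ProfileXml)
    $peapNs = 'http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1'
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # never resolve external entities from a profile file
    $doc.LoadXml($ProfileXml)

    # local-name()/namespace-uri() avoids a prefix map for the nested default namespaces.
    $peap = $doc.SelectSingleNode("//*[local-name()='EapType' and namespace-uri()='$peapNs']")
    if ($null -eq $peap) { return 'SKIP: no PEAP configuration in profile' }

    # Read only PEAP's own settings, not those of an inner EAP method.
    $flag  = $peap.SelectSingleNode("*[local-name()='PeapExtensions']/*[local-name()='PerformServerValidation']")
    $roots = $peap.SelectNodes("*[local-name()='ServerValidation']/*[local-name()='TrustedRootCA']").Count
    $names = $peap.SelectSingleNode("*[local-name()='ServerValidation']/*[local-name()='ServerNames']")

    if ($null -eq $flag) { return 'UNKNOWN: PerformServerValidation not present, check the GUI' }
    if ($flag.InnerText.Trim() -ne 'true') { return 'FAIL: server certificate validation is disabled' }
    if ($roots -eq 0 -or $null -eq $names -or -not $names.InnerText.Trim()) {
        return 'WARN: validation on, but missing a trusted root or server name restriction'
    }
    return 'OK: validation on with trusted root and server name restriction'
}

Get-PeapValidationFinding -ProfileXml $sample
```

To audit real clients, pass the text of each file produced by `netsh lan export profile` to the function and collect the findings per machine.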
