802.1X supplicant & server authentication & registry
Guillaume Tamboise
2005-11-17 22:54:11 UTC
Hello,

I am trying to deploy wired 802.1X to a large number of (Windows 2000
and Windows XP) client computers, in an AD environment.

So far, what needs to be deployed on those client computers seems to be:

- Start the "Wireless Zero Configuration" (XP) or "Wireless
Configuration" (2000) service, achievable through the key "Start" under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC and
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WZCSVC\

- Set the desired SupplicantMode under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\

- Set the desired AuthMode under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\

- Grab the 802.3 interfaces from
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\

- Set the EAPOL parameters under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\{Interface_ID}\1
That's where things start to get complicated.
Since I want to use PEAP, computer authentication and the user's domain
credentials, it seems that I need to tweak this registry entry so that
bytes 11 and 12 are "c0" and "19".
There is one thing that seems significantly more complicated: server
authentication.
I do not want my 802.1X supplicant to start authenticating against any
RADIUS server just because it is there.
So, I want server authentication, using my CA.
On the GUI, it is fairly easy: under PEAP properties, I check "Validate
server certificate", uncheck "Connect to these servers" and check my CA
in the list of trusted root certification authorities.
In the registry, however, it seems to involve a lot of bytes in the
key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\{Interface_ID}\1,
and the bytes that need to be changed seem to depend on the list of
known root certification authorities, and on the OS (2000 or XP).

Has anybody already fiddled with such settings?
Or does anybody have some documentation on this "magic" key?


Thanks


Guillaume Tamboise
S. Pidgorny <MVP>
2005-11-18 08:00:15 UTC
As far as I know MS doesn't provide means of managing 802.1x for wired
connections. You probably can use regmon when changing trusted CA properties
to find out where it sits though.

Some interesting reading on the topic:

802.1X on wired networks considered harmful
(http://blogs.technet.com/steriley/archive/2005/08/11/409021.aspx)
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
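An added example, written for this page and not code from either poster: a PowerShell script that follows the first post's procedure (enable WZCSVC, read the global SupplicantMode/AuthMode, enumerate adapters from the network adapter class key, read each adapter's EAPOL blob) and then does in script what the reply suggests doing with regmon: snapshot the per-interface blob, let you change the PEAP settings in the GUI, snapshot again, and print every byte offset that changed. Assumptions: PowerShell is available on the 2000/XP machines; the per-interface value is a REG_BINARY named "1" under HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\{GUID} as the post describes; "bytes 11 and 12" are read as zero-based offsets; the function names are mine. The script asserts nothing about what the blob's bytes mean; it only shows you which ones the GUI touches.

```powershell
# Added example, not from the thread. Inventories network adapters from the
# class key named in the first post, snapshots each adapter's EAPOL blob
# (assumed: REG_BINARY value "1" under ...\EAPOL\Parameters\Interfaces\{GUID}),
# and diffs two snapshots so a GUI change maps to the byte offsets it touches.
# Run as administrator; PowerShell on the 2000/XP clients is assumed.

$NetClass    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
$EapolIfaces = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces'
$EapolGlobal = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'

function Get-NetworkAdapters {
    # Each numbered subkey (0000, 0001, ...) of the adapter class carries the
    # adapter GUID in NetCfgInstanceId and a name in DriverDesc. Wired and
    # wireless are not told apart here; filter on DriverDesc if you need to.
    Get-ChildItem $NetClass -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($p -and $p.NetCfgInstanceId) {
            New-Object PSObject -Property @{ Guid = $p.NetCfgInstanceId; Desc = $p.DriverDesc }
        }
    }
}

function Get-EapolBlob([string]$Guid) {
    # Returns the per-interface blob as byte[], or $null if the key/value is absent.
    $key = Join-Path $EapolIfaces $Guid
    if (-not (Test-Path $key)) { return $null }
    $v = Get-ItemProperty -Path $key -Name '1' -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    return [byte[]]$v.'1'
}

function Get-EapolSnapshot {
    # Hashtable GUID -> byte[] for every adapter that currently has a blob.
    $snap = @{}
    foreach ($a in Get-NetworkAdapters) {
        $blob = Get-EapolBlob $a.Guid
        if ($blob) { $snap[$a.Guid] = $blob }
    }
    return $snap
}

function Compare-EapolSnapshot($Before, $After) {
    # One line per changed byte: zero-based offset, old value -> new value.
    foreach ($guid in $After.Keys) {
        $b = $Before[$guid]; $a = $After[$guid]
        if ($null -eq $b) { '{0}: new blob, {1} bytes' -f $guid, $a.Length; continue }
        if ($b.Length -ne $a.Length) { '{0}: length {1} -> {2}' -f $guid, $b.Length, $a.Length }
        $n = [Math]::Min($b.Length, $a.Length)
        for ($i = 0; $i -lt $n; $i++) {
            if ($b[$i] -ne $a[$i]) { '{0}: offset {1}: {2:x2} -> {3:x2}' -f $guid, $i, $b[$i], $a[$i] }
        }
    }
}

function Show-EapolState {
    # Global supplicant settings plus a hex dump of each blob, calling out the
    # two bytes the first post singles out (offsets 11 and 12, zero-based here).
    $g = Get-ItemProperty $EapolGlobal -ErrorAction SilentlyContinue
    'SupplicantMode={0} AuthMode={1}' -f $g.SupplicantMode, $g.AuthMode
    foreach ($a in Get-NetworkAdapters) {
        $blob = Get-EapolBlob $a.Guid
        if (-not $blob) { continue }
        $hex = ($blob | ForEach-Object { '{0:x2}' -f $_ }) -join ' '
        if ($blob.Length -gt 12) {
            '{0} ({1}): {2} bytes; [11..12] = {3:x2} {4:x2}' -f $a.Guid, $a.Desc, $blob.Length, $blob[11], $blob[12]
        } else {
            '{0} ({1}): {2} bytes (too short for offsets 11..12)' -f $a.Guid, $a.Desc, $blob.Length
        }
        '  ' + $hex
    }
}

# Usage: make WZCSVC start automatically (Start=2), dump the current state,
# snapshot, change the PEAP settings in the GUI (Validate server certificate,
# tick your CA), snapshot again, and diff. The diff is the byte map the first
# post is asking for; repeat per OS, since the post notes the layout may differ.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WZCSVC' -Name Start -Value 2
Start-Service WZCSVC -ErrorAction SilentlyContinue
Show-EapolState
$before = Get-EapolSnapshot
Read-Host 'Change the PEAP server-validation settings in the GUI, then press Enter'
$after = Get-EapolSnapshot
Compare-EapolSnapshot $before $after
```

Diff the blob once with only "Validate server certificate" ticked, and once more with the CA ticked, so the two changes are separated; and because the post says the affected bytes depend on the set of installed root CAs, take the snapshots on a machine with the same root store as the deployment targets before pushing the resulting bytes anywhere.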