https://community.cisco.com/t5/network-access-control/machine-authentication-and-802-1x/m-p/672895#M2593 <HTML><HEAD></HEAD><BODY><P>You rock Andrew. I've been sweating bullets on this one for a while, thanks a lot.</P></BODY></HTML> Tue, 31 Oct 2006 14:24:37 GMT MITCH JOHNSON 2006-10-31T14:24:37Z https://community.cisco.com/t5/network-access-control/machine-authentication-and-802-1x/m-p/672893#M2591 <P>I'm trying to get the machines to authenticate aginst active directory using 802.1x. This works great when I use PEAP and CHAP authentication. Works like a dream, no problems at all. But I need to verify that the machine is a part of the domain, the user will have to logon later anyway. It's important that our machines are verified as being a part of Active Directory and then authenticate the port to pass traffic.</P><P></P><P>I've followed all the documentation to get this working, what I'm looking for is something undocumented that made this work for others.</P><P></P><P>Any help would be greatly appreciated.</P><P></P><P>Thanks,</P><P>Mitch</P> Fri, 21 Feb 2020 18:17:04 GMT https://community.cisco.com/t5/network-access-control/machine-authentication-and-802-1x/m-p/672893#M2591 MITCH JOHNSON 2020-02-21T18:17:04Z https://community.cisco.com/t5/network-access-control/machine-authentication-and-802-1x/m-p/672894#M2592 <HTML><HEAD></HEAD><BODY><P>I assume you have set up AD to automatically enroll the Machines for Certificates and the machines each have a Machine Certificate?</P><P>Have you enabled remote access for the machines (AD Users &amp; Computers, enable dial-in or use Remote Access Policy?</P><P></P><P>Other than that I didn't have any problems setting this up.</P><P></P><P>If you want to enable computer-only authentication then you must edit the registry (or push the changes down through Group Policy):</P><P></P><P>[quote]</P><P>Enabling Computer-only Authentication Using the Registry</P><P>To configure computer-only authentication through the registry, all the Windows-based wireless clients must have the following registry value set:</P><P></P><P>HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode=2</P><P></P><P>With the AuthMode setting set to 2, only computer authentication is attempted. User authentication is never attempted.</P><P></P><P>To add this registry setting on all of your computers running Windows, you can use the following tools:</P><P></P><P>? Regini.exe from the Windows 2000 Server Resource Kit Tools </P><P> </P><P>? Reg.exe from the Windows Server 2003 Resource Kit Tools</P><P> </P><P></P><P>In both cases, you create a script file that is read by the tool to add a registry setting. The tool has to be run in the security context of a local administrator account. </P><P></P><P>Alternately, you can use network management software to change registry settings on managed computers.[/quote]</P><P></P><P><A class="jive-link-custom" href="http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx" target="_blank">http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx</A></P><P></P><P></P></BODY></HTML> Sun, 29 Oct 2006 15:32:05 GMT https://community.cisco.com/t5/network-access-control/machine-authentication-and-802-1x/m-p/672894#M2592 andrew.butterworth 2006-10-29T15:32:05Z https://community.cisco.com/t5/network-access-control/machine-authentication-and-802-1x/m-p/672895#M2593 <HTML><HEAD></HEAD><BODY><P>You rock Andrew. I've been sweating bullets on this one for a while, thanks a lot.</P></BODY></HTML> Tue, 31 Oct 2006 14:24:37 GMT https://community.cisco.com/t5/network-access-control/machine-authentication-and-802-1x/m-p/672895#M2593 MITCH JOHNSON 2006-10-31T14:24:37Z