10-27-2006 11:55 AM - edited 02-21-2020 10:17 AM
I'm trying to get the machines to authenticate against Active Directory using 802.1x. This works great when I use PEAP and CHAP authentication. Works like a dream, no problems at all. But I need to verify that the machine is a part of the domain; the user will have to log on later anyway. It's important that our machines are verified as being a part of Active Directory and then authenticate the port to pass traffic.
I've followed all the documentation to get this working, what I'm looking for is something undocumented that made this work for others.
Any help would be greatly appreciated.
Thanks,
Mitch
10-29-2006 07:32 AM
I assume you have set up AD to automatically enroll the Machines for Certificates and the machines each have a Machine Certificate?
Have you enabled remote access for the machines (AD Users & Computers, enable dial-in, or use Remote Access Policy)?
Other than that I didn't have any problems setting this up.
If you want to enable computer-only authentication then you must edit the registry (or push the changes down through Group Policy):
[quote]
Enabling Computer-only Authentication Using the Registry
To configure computer-only authentication through the registry, all the Windows-based wireless clients must have the following registry value set:
HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode=2
With the AuthMode setting set to 2, only computer authentication is attempted. User authentication is never attempted.
To add this registry setting on all of your computers running Windows, you can use the following tools:
- Regini.exe from the Windows 2000 Server Resource Kit Tools
- Reg.exe from the Windows Server 2003 Resource Kit Tools
In both cases, you create a script file that is read by the tool to add a registry setting. The tool has to be run in the security context of a local administrator account.
Alternately, you can use network management software to change registry settings on managed computers.[/quote]
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
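A check-and-configure script for the two points above (a usable machine certificate is present, then AuthMode=2 is set and read back), added here as an example and not part of the original thread or the Microsoft article. The CA name CORP-CA is an assumed placeholder; run it as a local administrator.

```powershell
# Added example (not from the thread): verify the prerequisites for computer-only
# 802.1X authentication on a Windows client, then enable AuthMode=2.
# Assumption (hypothetical): the enterprise CA that auto-enrolls machine
# certificates is named 'CORP-CA'. Adjust to your environment.

$IssuerMatch = 'CORP-CA'            # assumed CA name
$clientAuthOid = '1.3.6.1.5.5.7.3.2' # Client Authentication EKU

# 1. Look for a machine certificate in LocalMachine\My that 802.1X (EAP-TLS) can use:
#    issued by the enterprise CA, not expired, private key present, Client Auth EKU.
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "*$IssuerMatch*" -and
    $_.NotAfter -gt (Get-Date) -and
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
}
if (-not $machineCerts) {
    Write-Warning "No usable machine certificate from $IssuerMatch found; check AD auto-enrollment first."
} else {
    $machineCerts | ForEach-Object { "Machine cert OK: $($_.Subject) (expires $($_.NotAfter))" }
}

# 2. Set AuthMode=2 (computer authentication only, user authentication never attempted),
#    the value the quoted Microsoft article describes.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
New-ItemProperty -Path $keyPath -Name 'AuthMode' -PropertyType DWord -Value 2 -Force | Out-Null

# 3. Read the value back so a typo in the path or a wrong value type is caught now,
#    not after a reboot when the port silently stays unauthenticated.
$actual = (Get-ItemProperty -Path $keyPath -Name 'AuthMode').AuthMode
if ($actual -ne 2) { throw "AuthMode is '$actual', expected 2" }
"AuthMode=2 set under $keyPath"
```

After the next reconnect or reboot, the RADIUS server log should show the machine account (host/name.domain) authenticating rather than a user; if it still shows a user, the registry change was not picked up by that client.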
10-31-2006 06:24 AM
You rock Andrew. I've been sweating bullets on this one for a while, thanks a lot.