Machine Authentication and 802.1x

MITCH JOHNSON
Level 1

I'm trying to get the machines to authenticate against Active Directory using 802.1x. This works great when I use PEAP and CHAP authentication. Works like a dream, no problems at all. But I need to verify that the machine is a part of the domain; the user will have to log on later anyway. It's important that our machines are verified as being a part of Active Directory and then authenticate the port to pass traffic.

I've followed all the documentation to get this working, what I'm looking for is something undocumented that made this work for others.

Any help would be greatly appreciated.

Thanks,

Mitch

Accepted Solution

I assume you have set up AD to automatically enroll the Machines for Certificates and the machines each have a Machine Certificate?

Have you enabled remote access for the machines (AD Users & Computers, enable dial-in, or use a Remote Access Policy)?

Other than that I didn't have any problems setting this up.

If you want to enable computer-only authentication then you must edit the registry (or push the changes down through Group Policy):

[quote]

Enabling Computer-only Authentication Using the Registry

To configure computer-only authentication through the registry, all the Windows-based wireless clients must have the following registry value set:

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode=2

With the AuthMode setting set to 2, only computer authentication is attempted. User authentication is never attempted.

To add this registry setting on all of your computers running Windows, you can use the following tools:

- Regini.exe from the Windows 2000 Server Resource Kit Tools

- Reg.exe from the Windows Server 2003 Resource Kit Tools

In both cases, you create a script file that is read by the tool to add a registry setting. The tool has to be run in the security context of a local administrator account.

Alternately, you can use network management software to change registry settings on managed computers.[/quote]

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
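As an added example (not from the thread above or from the Microsoft article it quotes), the following PowerShell script checks the two things the answer asks about on a client: whether a machine certificate suitable for EAP-TLS client authentication is present in the computer store, and whether the EAPOL AuthMode registry value quoted above is set to 2. It can then write the value, previewing the change with -WhatIf before applying it. It assumes PowerShell 3 or later, an elevated session, and the legacy Windows XP/2000 EAPOL key path exactly as quoted; on Windows Vista and later the wired and wireless 802.1X supplicants take their authentication mode (machine, user, or machineOrUser) from the network profile XML rather than from this key, so the registry part of the check does not apply there.

```powershell
# Added example, not the thread's or Microsoft's own code.
# Assumptions: legacy EAPOL key quoted in the answer; desired AuthMode = 2
# (computer-only authentication); PowerShell 3+ in an elevated session.

$EapolKey        = 'HKLM:\Software\Microsoft\EAPOL\Parameters\General\Global'
$DesiredAuthMode = 2
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU

function Get-MachineAuthCertificate {
    # Certificates in LocalMachine\My that a supplicant could present for
    # machine authentication: private key present, not expired, and either
    # no EKU restriction or the Client Authentication EKU.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($ekus.Count -eq 0 -or $ekus -contains $ClientAuthOid)
    }
}

function Test-EapolAuthMode {
    # Reads AuthMode and reports whether it matches the desired value.
    $current = $null
    if (Test-Path $EapolKey) {
        $item = Get-ItemProperty -Path $EapolKey -Name AuthMode -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = [int]$item.AuthMode }
    }
    [pscustomobject]@{
        Key       = $EapolKey
        Current   = $current            # $null: key or value is absent
        Desired   = $DesiredAuthMode
        Compliant = ($current -eq $DesiredAuthMode)
    }
}

function Set-EapolAuthMode {
    # Creates the key if needed and writes AuthMode as a REG_DWORD.
    # SupportsShouldProcess gives -WhatIf / -Confirm for a safe preview.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$Value = $DesiredAuthMode)

    if (-not (Test-Path $EapolKey)) {
        if ($PSCmdlet.ShouldProcess($EapolKey, 'Create registry key')) {
            New-Item -Path $EapolKey -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$EapolKey\AuthMode", "Set to $Value")) {
        New-ItemProperty -Path $EapolKey -Name AuthMode -PropertyType DWord `
                         -Value $Value -Force | Out-Null
    }
}

# --- Report ------------------------------------------------------------
$certs = @(Get-MachineAuthCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No usable machine certificate in LocalMachine\My; check certificate autoenrollment.'
} else {
    $certs | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
}

$state = Test-EapolAuthMode
$state | Format-List
if (-not $state.Compliant) {
    # Preview only; remove -WhatIf to apply the change.
    Set-EapolAuthMode -WhatIf
}
```

Run the script once with the -WhatIf preview left in place to see what would change; if the certificate check comes back empty, the supplicant has nothing to present for EAP-TLS regardless of the registry value, which is the first of the two questions in the answer above.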



You rock Andrew. I've been sweating bullets on this one for a while, thanks a lot.
