I’ve gotten a lot of questions recently about using 802.1X on the wired interface with Windows XP SP3. In the past few weeks I’ve also stumbled across a lot of forum posts, blogs and articles stating you ‘can’t do wired 802.1X with XP SP3.’

Well, sure you can! There is a little trick now, though.

As part of the move to Microsoft NAP integration, Microsoft has broken the wired and wireless supplicant management out into two pieces. Until SP3, all 802.1X was handled by the Wireless Zero Configuration (WZCSVC) service. The wired 802.1X supplicant is now handled by a different service, and that service must be started manually.

In Windows XP SP3, the supplicants are each handled separately by these services:
  • Wireless 802.1X: Wireless Zero Configuration service (WZCSVC)
  • Wired 802.1X: Wired AutoConfig service (DOT3SVC)

How do you start the Wired AutoConfig service? There are two ways: the end user (or an admin) can start it manually on the endpoint, or you can push it out with Group Policy.
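For the manual route, here is an added example (not from the original post or from Microsoft) of a batch script an admin can run on the XP SP3 endpoint to set DOT3SVC to start automatically, start it, and confirm that the wired supplicant now sees the NIC. It assumes only the built-in sc.exe and netsh tools and an administrative command prompt.

```batch
@echo off
REM Added example, not part of the original post: bring up the Wired
REM AutoConfig service (DOT3SVC) so the wired 802.1X supplicant is available.
REM Run from an administrative command prompt on Windows XP SP3.

REM 1. Show the current state of DOT3SVC before changing anything.
echo Current DOT3SVC state:
sc query dot3svc | findstr /C:"STATE"

REM 2. Set the startup type to Automatic so the supplicant survives a reboot.
REM    Note: sc.exe requires the space after "start=".
sc config dot3svc start= auto
if errorlevel 1 (
    echo Could not change the startup type. Are you running as an administrator?
    exit /b 1
)

REM 3. Start the service now, but only if it is not already running
REM    (sc start on a running service returns an error we do not care about).
sc query dot3svc | findstr /C:"RUNNING" >nul
if errorlevel 1 (
    echo Starting Wired AutoConfig...
    sc start dot3svc
)

REM 4. Verify: the Authentication tab on the NIC properties only appears once
REM    this reports RUNNING.
echo DOT3SVC state after configuration:
sc query dot3svc | findstr /C:"STATE"

REM 5. The "netsh lan" context is served by DOT3SVC; listing the wired
REM    interfaces confirms the supplicant is active and shows the 1X state.
netsh lan show interfaces
```

If step 2 fails with "Access is denied", the user lacks rights to reconfigure services, which is exactly the case where pushing the setting out with Group Policy is the better option.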

Instead of duplicating a lot of text here, you can find detailed instructions for both the manual and the pushed (Group Policy) wired 802.1X configurations in Microsoft KB article 953650.

You can also learn more about Microsoft NAP integration in the Network Access Protection Q&A site.

# # #

jj

Author, speaker, and recognized authority on network and wireless security architectures, Jennifer (JJ) Minella helps organizations solve technical problems and align teams.


11 comments

  • Have you ever considered creating an e-book or guest authoring on other sites? I have a blog based upon the same ideas you discuss and would really like to have you share some stories/information. I know my visitors would value your work. If you’re even remotely interested, feel free to shoot me an e-mail.

  • Can anybody point me in the right direction for this problem…
    I have 802.1X set up, with an IAS server (2003) on a domain controller,
    auto-enrolling the certificate.
    All is good.

    But.

    I have a trust with a parent company domain, and would like to “push” out a certificate for them to be able to authenticate.
    Is this possible?

    Or do I have to apply via the website of the main domain from the parent domain’s client PCs manually?

  • I have an issue when I upgraded the XP SP2 client to XP SP3. I made sure the Wired AutoConfig service is started and was able to deploy a script to change the settings using the netsh lan command. Problem is that the authentication works for the primary IAS entered in the switches (HP ProCurve 2626) for SP2 and SP3 clients but will not work for the secondary IAS/RADIUS server for the SP3 clients, which seems strange, meaning I have no fault tolerance. I have tried changing the EAPOL settings and timeouts to no avail. Any ideas anyone?

  • Thanks for the info. The “Authentication” tab under the Ethernet interface was missing and I had no idea what happened.
    I started the Wired AutoConfig service and the authentication went just fine.

  • Good to hear!

    Now I just need to find the new SP3 templates (don’t seem to be on my upgraded test system). MS has not made them available yet for d/l – go figure (;

    Thanks again!

  • Tim, okay, I’m with ya now. So, you will need to upgrade to XP SP3 in order to push the 1X configurations out with GPO. The good news is, you can just use the 802.1X supplicant (don’t have to do NAP) in SP3.

    Again, I’m not an AD person, but maybe make a new AD group to test with, put your SP3 machine(s) in there and test pushing out the 1X config.

    I think that should work.

    -jj

  • Thanks again

    I should be more specific (for anyone else that might be reading this too).

    I’m actually on SP2 now and testing SP3. I’m looking to actually config the supplicant settings for PEAP.

    So on the NIC properties itself (authentication tab) – configure PEAP, the appropriate certificates are selected, and ensure that pass-through auth from the windows logon is enabled under EAP_MSCHAP.

    I thought about trying to script it but one would have to grab the GUID of the NIC on each PC first (may be a problem when dealing with multiple NICs).

    I was able to get everyone the certs from the radius/IAS server via GPO and was able to perform a custom script to adjust the XP SP2 AuthMode and SupplicantMode settings.

    I had a bit of logon issues with the startup scripts, but editing the GPO processing policy in XP to be synchronous seems to have solved that issue.

    But those actual PEAP settings via GPO or script elude me – thinking if I bring everyone to SP3 and use the NAC agent (without any policies for remediation) that may be easier.

    Or maybe I need to stop being stubborn and look at Juniper.

    Anyways, going to shoot you a LinkedIn invite

    Look forward to your thoughts or anyone else that may be able to add something

  • Thanks

    I did not see anything in that KB but did manage to find the GPO settings for NAP control.

    Funny thing is we are not using NAP, just 802.1X in open VLAN mode on our ProCurves (trying to keep it simple here as all I am really after is allowing domain users and flipping guests onto a guest VLAN with internet-only access).

    It works well enough (once I worked out some kinks) but running around and clicking on PEAP on 400+ XP SP2 PCs has been a challenge.

    It’s a shame that MS has not implemented a GPO for wired 802.1X. We have been doing it with wireless for years via 2003 server GPOs (took me less than a day to get 100 laptops up on it with the GPOs).

    Per your other post there is always Cisco and Juniper (having lunch with the Juniper rep on Friday – more because I like Legals Seafood) but after seeing the supplicant cost – ouch!

    Anyways, thanks for the posts, looking forward to playing with NAP!

  • Hi Tim,
    (Disclaimer: I’m not an AD expert) but yes, starting in SP3, you should be able to control 1X configurations from group policies. I think the KB article linked here covers that procedure.

    Thanks!
    -jj

  • Hello Jennifer,

    I haven’t seen any updates to the Group Policy Template .xls doc since XP SP3.

    Just curious if they added the ability to control the 802.1X supplicant in XP via GPO now that the services are split out?