Tuesday, November 30, 2010

Automating dot1x configuration for wired connections


As most IT professionals know, dot1x for wired authentication on Windows XP SP3 can be enabled by starting the Wired AutoConfig service. After this service starts, you should see the Authentication tab in the properties of the Local Area Connection. You also have to add the authmode and supplicantMode registry values: both are REG_DWORD values created under HKLM\Software\Microsoft\EAPOL\Parameters\General\Global.
Both tasks, starting the service and adding the registry values, can be automated.
Once the Authentication tab appears, you will be able to configure dot1x authentication.

The question is how to automate this dot1x configuration?
On Windows 7 and Windows Vista this configuration can be automated either through Group Policy or through VBScript, because the MSDN library for Windows 7 and Windows Vista documents the properties and methods for dot1x authentication; those methods and properties are not available for Windows XP.
First, I configured a PC with the required dot1x authentication settings, then I used netsh to export the profile from that PC:
C:\SimpleBlogs>netsh lan export profile folder=c:\SimpleBlogs\DataFiles interface="Local Area Connection"
Interface: Local Area Connection
Profile File Name: c:\SimpleBlogs\DataFiles\Local Area Connection.xml
1 profile(s) were exported successfully.
C:\SimpleBlogs>


Then create a batch file with the netsh command that imports this profile, and apply the batch file as a startup script on all PCs. Here is what is written inside the batch file (I renamed my "Local Area Connection.xml" file to LANDot1XProfile.xml):
netsh lan add profile filename="C:\SimpleBlogs\DataFiles\LANDot1XProfile.XML" interface="Local Area Connection"
You can store the xml file on a shared folder.
If you take a look at the xml file, you will see that the IP addresses are not part of this configuration; the only section that is exported is the security section.
<?xml version="1.0" ?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      .....
    </security>
  </MSM>
</LANProfile>
So the batch file will be:
netsh lan add profile filename="\\Server1\SHARE1\LANDot1XProfile.xml" interface="Local Area Connection"
What you need now is to apply this batch file as a startup script with a Group Policy.
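The whole sequence above (start the Wired AutoConfig service, add the two REG_DWORD values, import the exported profile) combined into one computer startup script. This is an added example, not the batch file from the post; the share path, file name, interface name and especially the AuthMode/SupplicantMode numbers are placeholders to be replaced with the values your own dot1x design requires.

```batch
@echo off
rem Computer startup script (runs as SYSTEM via Group Policy): enable wired
rem dot1x on Windows XP SP3 and import the exported LAN profile.

rem --- assumed / placeholder settings, adjust to your environment ---
set SHARE=\\Server1\SHARE1
set PROFILE=LANDot1XProfile.xml
set IFACE=Local Area Connection
set LOCALDIR=%SystemRoot%\Temp
rem AuthMode and SupplicantMode are REG_DWORD values whose numbers depend on
rem your 802.1X design; the numbers below are placeholders, not from the post.
set AUTHMODE=1
set SUPPLICANTMODE=3

rem 1. Wired AutoConfig service (dot3svc): start automatically, and start it now
rem    if it is not already running.
sc config dot3svc start= auto >nul
sc query dot3svc | find "RUNNING" >nul || net start dot3svc >nul

rem 2. Registry values that make the Authentication tab appear (/f overwrites).
set KEY=HKLM\Software\Microsoft\EAPOL\Parameters\General\Global
reg add "%KEY%" /v AuthMode /t REG_DWORD /d %AUTHMODE% /f >nul
reg add "%KEY%" /v SupplicantMode /t REG_DWORD /d %SUPPLICANTMODE% /f >nul

rem 3. Copy the profile locally before importing. Keep the share read-only for
rem    domain computers: whoever can edit this XML controls the security settings
rem    every PC will apply at boot.
copy /y "%SHARE%\%PROFILE%" "%LOCALDIR%\%PROFILE%" >nul || (
  echo Could not copy %PROFILE% from %SHARE% & exit /b 1
)

rem 4. Import the profile onto the wired interface and report the result.
netsh lan add profile filename="%LOCALDIR%\%PROFILE%" interface="%IFACE%"
if errorlevel 1 (
  echo netsh lan add profile failed for "%IFACE%" & exit /b 1
)
echo dot1x profile applied to "%IFACE%"
exit /b 0
```

Assign it under Computer Configuration > Windows Settings > Scripts (Startup) so it runs before any user logs on; it is safe to run at every boot because each step simply re-applies the same settings.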