Cisco Support Community

Machine Authentication and 802.1x

I'm trying to get the machines to authenticate against Active Directory using 802.1x. This works great when I use PEAP and CHAP authentication. Works like a dream, no problems at all. But I need to verify that the machine is a part of the domain; the user will have to log on later anyway. It's important that our machines are verified as being a part of Active Directory and then authenticate the port to pass traffic.

I've followed all the documentation to get this working; what I'm looking for is something undocumented that made this work for others.

Any help would be greatly appreciated.

Thanks,

Mitch

1 ACCEPTED SOLUTION

Re: Machine Authentication and 802.1x

I assume you have set up AD to automatically enroll the Machines for Certificates and the machines each have a Machine Certificate?

Have you enabled remote access for the machines (AD Users & Computers, enable dial-in or use Remote Access Policy)?

Other than that I didn't have any problems setting this up.

If you want to enable computer-only authentication then you must edit the registry (or push the changes down through Group Policy):

[quote]

Enabling Computer-only Authentication Using the Registry

To configure computer-only authentication through the registry, all the Windows-based wireless clients must have the following registry value set:

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode=2

With the AuthMode setting set to 2, only computer authentication is attempted. User authentication is never attempted.

To add this registry setting on all of your computers running Windows, you can use the following tools:

- Regini.exe from the Windows 2000 Server Resource Kit Tools

- Reg.exe from the Windows Server 2003 Resource Kit Tools

In both cases, you create a script file that is read by the tool to add a registry setting. The tool has to be run in the security context of a local administrator account.

Alternately, you can use network management software to change registry settings on managed computers.[/quote]

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
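
The Reg.exe route described in the quoted text, as an added example that is not part of the original post or of the Microsoft article: a batch script that audits the current AuthMode value, sets it to 2 if needed, and reads it back so a deployment tool can rely on the exit code. The key path and the value 2 come from the quote; the REG_DWORD type is an assumption, as are the exit codes and messages.

```batch
@echo off
rem Added example: audit and enforce computer-only 802.1x authentication.
rem Key path and value 2 are from the quoted text; REG_DWORD is an assumption.
setlocal
set "KEY=HKLM\Software\Microsoft\EAPOL\Parameters\General\Global"
set "WANT=0x2"
set "CUR="

rem reg query prints a line like "AuthMode  REG_DWORD  0x2"; token 3 is the data.
for /f "tokens=3" %%A in ('reg query "%KEY%" /v AuthMode 2^>nul ^| findstr /i /c:"AuthMode"') do set "CUR=%%A"

if /i "%CUR%"=="%WANT%" (
    echo AuthMode already %WANT% ^(computer-only authentication^).
    exit /b 0
)

if defined CUR (echo AuthMode is %CUR%, changing to %WANT%.) else (echo AuthMode not set, creating it.)

rem Writing under HKLM needs a local administrator context, as the quote notes.
reg add "%KEY%" /v AuthMode /t REG_DWORD /d 2 /f >nul
if errorlevel 1 (
    echo Failed to write AuthMode; run as a local administrator. 1>&2
    exit /b 1
)

rem Read the value back instead of trusting the write.
set "CUR="
for /f "tokens=3" %%A in ('reg query "%KEY%" /v AuthMode 2^>nul ^| findstr /i /c:"AuthMode"') do set "CUR=%%A"
if /i not "%CUR%"=="%WANT%" (
    echo Verification failed: AuthMode reads back as "%CUR%". 1>&2
    exit /b 2
)
echo AuthMode set to %WANT%.
exit /b 0
```

Exit code 0 means the value is in place, 1 means the write failed, and 2 means the read-back did not match, which lets a login script or management tool report machines that still attempt user authentication.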


Re: Machine Authentication and 802.1x

You rock Andrew. I've been sweating bullets on this one for a while, thanks a lot.
