802.1x settings - GPO? Script? - long, but I have a solution!

From: Aaron (aaron_at_prototype.bpa.nu)
Date: 06/11/05


Date: Sat, 11 Jun 2005 19:06:07 +1000

Like so many other people, I've been looking for a group policy or script to
set a Win2k (or XP) client to enable 802.1x authentication with PEAP on a
wired NIC, without having to sit at every one of several thousand PCs...
I've come up with a solution, and for the sake of karma, I'll share.

Microsoft's responses seem to flip between 'wait for Longhorn', 'don't use
dot1x - use IPsec' and '1x is a wireless standard' - HELLO?! MS, you've
missed the point of dot1x: it was developed for wired, it's a layer 2 thing,
IPsec is layer 3... granted, dot1x AND IPsec is a powerful combination,
but they're not in the same space, the purpose is totally different!!! WE,
IN THE CORPORATE WORLD, WANT DOT1X!!!!!

now that that rant is over...

I've not found an out-of-the-box solution for configuring dot1x on wired
networks, no GPO that could deal with wired NICs, and contrary to many
suggestions the Win32_NetworkAdapterConfiguration and Win32_NetworkAdapter
classes don't seem to be the answer either. So I started considering reg
patches and a custom *.adm... problems there too - the settings live in a
reg key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\<GUID of NIC>
as a 200-odd byte REG_BINARY value (the value named "1").

NIC GUIDs are different between machines, so all we need is a script that can
get the GUID of the NIC and re-write the reg value... oh, and it has to
work on 2k and XP.

A couple of problems...
What is the GUID of the NIC in any given PC?
It appears that the 'defaults' for our nice long hex string are different
between 2k and XP.
What the hell does that big long hex string mean?
How can we re-write it? Bear in mind that GPOs don't get along with
binary, VBS isn't great at converting between bases, and the RegWrite
method has a limit on the size of the number it can handle...

Let's start with the GUID... that's easy enough.
We use WMI to get the DeviceID of all the 'real' network devices - we don't
care about FireWire, Bluetooth, RAS, VPN etc. - so we want
AdapterType="Ethernet 802.3".
Then we look up:
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\<DeviceID>\NetCfgInstanceId
(the DeviceID is zero-padded to four digits to form the subkey name).
We may still have more than one NIC, so throw them in an array.
Here's some demo code (it'll display them for you too):

    ' Enumerate the 'real' Ethernet NICs via WMI and resolve each one's
    ' NetCfgInstanceId - the GUID that names its EAPOL\Parameters\Interfaces subkey
    Dim oWshShell, oWMISvc, oNicGUID, szNicInstanceID, szNicGUID, iGUIDCount, i
    Set oWshShell = WScript.CreateObject("WScript.Shell")
    Set oWMISvc = GetObject("winmgmts:\\.\root\cimv2")
    Dim arrNicGUID()
    iGUIDCount = 0
    For Each oNicGUID In oWMISvc.ExecQuery("select * from Win32_NetworkAdapter where AdapterType=" & Chr(34) & "Ethernet 802.3" & Chr(34))
       ' DeviceID "3" becomes class subkey "0003"
       szNicInstanceID = Right(("000" & oNicGUID.DeviceID), 4)
       szNicGUID = oWshShell.RegRead("HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\" _
            & szNicInstanceID & "\NetCfgInstanceId")
       ReDim Preserve arrNicGUID(iGUIDCount)
       arrNicGUID(iGUIDCount) = szNicGUID
       iGUIDCount = iGUIDCount + 1
    Next
    ' UBound on a never-ReDim'd dynamic array raises an error, so bail out cleanly
    If iGUIDCount = 0 Then
       WScript.Echo "No Ethernet 802.3 adapters found"
       WScript.Quit 1
    End If
    For i = 0 To UBound(arrNicGUID)
         WScript.Echo arrNicGUID(i)
    Next

Now, the awkward part: the reg changes. A bit of trial and error shows us
that the 12th and 13th bytes are the ones that do the magic - for
our needs they should be e0 19 - your mileage may vary...
The trick we're going to play is: for each GUID we found, we'll pull the
current hex value out of the reg, write a file to a temp location with the
appropriate bytes changed, then import the file into the reg.
When we read the binary data out of the reg, it comes out as an array, which
suits our purpose quite nicely. There are a couple of other keys we edit in
the process, and obviously the file needs to look like a reg patch. Replace
the last For loop of the previous sample with:

     ' Build a .reg patch: the global supplicant settings plus, per NIC, a copy of
     ' the existing REG_BINARY value "1" with bytes 12 and 13 (offsets 11 and 12,
     ' 0-based) replaced by e0 19
     Dim oFSO, oTFOReg, szRegFile, iGUID, iEAPOLByte, arrEAPOLSet
     szRegFile = "C:\Temp\EAPOL.reg"
     Set oFSO = CreateObject("Scripting.FileSystemObject")
     If Not oFSO.FolderExists("C:\Temp") Then oFSO.CreateFolder "C:\Temp"
     Set oTFOReg = oFSO.OpenTextFile(szRegFile, 2, True)

     oTFOReg.WriteLine "Windows Registry Editor Version 5.00"
     oTFOReg.WriteBlankLines 1
     oTFOReg.WriteLine "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]"
     oTFOReg.WriteLine Chr(34) & "SupplicantMode" & Chr(34) & "=dword:00000003"
     oTFOReg.WriteLine Chr(34) & "AuthMode" & Chr(34) & "=dword:00000001"

     For iGUID = LBound(arrNicGUID) To UBound(arrNicGUID)
        oTFOReg.WriteBlankLines 1
        oTFOReg.WriteLine "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\" & arrNicGUID(iGUID) & "]"
        oTFOReg.Write Chr(34) & "1" & Chr(34) & "=hex:"

        ' RegRead hands a REG_BINARY value back as an array of bytes
        arrEAPOLSet = oWshShell.RegRead("HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\" & arrNicGUID(iGUID) & "\1")
        ' bytes before the patch, always two hex digits (Hex(10) on its own gives "A")
        For iEAPOLByte = LBound(arrEAPOLSet) To 10
           oTFOReg.Write Right("0" & Hex(arrEAPOLSet(iEAPOLByte)), 2) & ","
        Next
        oTFOReg.Write "e0,19"
        ' remaining bytes, hex as well - the raw decimal value is not valid in a hex: field
        For iEAPOLByte = 13 To UBound(arrEAPOLSet)
           oTFOReg.Write "," & Right("0" & Hex(arrEAPOLSet(iEAPOLByte)), 2)
        Next
        oTFOReg.WriteLine
     Next
     oTFOReg.Close
     oWshShell.Run "regedit /s " & szRegFile, 1, True
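The same two steps (find the wired NICs' GUIDs, then patch the two bytes and set the global values) as a PowerShell port, added here as an example; it is not the poster's script. It assumes exactly what the post does and nothing more: the per-NIC settings are the REG_BINARY value "1" under HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\<NetCfgInstanceId>, the bytes at 0-based offsets 11 and 12 must become E0 19, SupplicantMode=3 and AuthMode=1 go under General\Global, and wzcsvc is set to start automatically. It writes the byte array straight back with Set-ItemProperty instead of staging a .reg file in C:\Temp, which also removes the window in which a local user could swap a file that a SYSTEM startup script then imports with regedit /s. Run it elevated or as a startup script; with -WhatIf it only reports what it would change.

```powershell
# Added example, not the original poster's script. Assumptions (all from the post):
#  - per-NIC EAPOL settings live in REG_BINARY value "1" under
#    HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\<NetCfgInstanceId>
#  - bytes at 0-based offsets 11 and 12 must become E0 19 for PEAP on a wired NIC
#  - SupplicantMode=3 / AuthMode=1 under General\Global, wzcsvc set to Automatic
$ClassKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}'
$EapolRoot   = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters'
$PatchOffset = 11
$PatchBytes  = [byte[]](0xE0, 0x19)

function Get-WiredNicGuid {
    # Same selection the post makes: only 'Ethernet 802.3' adapters, then
    # DeviceID -> 4-digit class subkey -> NetCfgInstanceId.
    Get-WmiObject -Class Win32_NetworkAdapter -Filter "AdapterType='Ethernet 802.3'" |
        ForEach-Object {
            $sub = '{0:D4}' -f [int]$_.DeviceID
            (Get-ItemProperty -Path "$ClassKey\$sub" -Name NetCfgInstanceId -ErrorAction Stop).NetCfgInstanceId
        }
}

function Get-PatchedEapolValue {
    # Returns a patched copy of the value; never touches the registry itself.
    param([Parameter(Mandatory=$true)][byte[]]$Value)
    if ($Value.Length -lt $PatchOffset + $PatchBytes.Length) {
        throw "EAPOL value is only $($Value.Length) bytes; refusing to patch an unknown layout"
    }
    $out = [byte[]]$Value.Clone()
    [Array]::Copy($PatchBytes, 0, $out, $PatchOffset, $PatchBytes.Length)
    return ,$out
}

function Enable-WiredDot1x {
    param([switch]$WhatIf)   # report only, change nothing

    $globalKey = "$EapolRoot\General\Global"
    if (-not $WhatIf) {
        New-Item -Path $globalKey -Force | Out-Null
        Set-ItemProperty -Path $globalKey -Name SupplicantMode -Value 3 -Type DWord
        Set-ItemProperty -Path $globalKey -Name AuthMode       -Value 1 -Type DWord
        Set-Service -Name wzcsvc -StartupType Automatic
    }

    foreach ($guid in Get-WiredNicGuid) {
        $ifKey = "$EapolRoot\Interfaces\$guid"
        try {
            $cur = [byte[]](Get-ItemProperty -Path $ifKey -Name '1' -ErrorAction Stop).'1'
        } catch {
            # the post mentions adapters whose type is mis-reported and carry no EAPOL value
            Write-Warning "$guid : no EAPOL value, skipping ($_)"
            continue
        }
        $new    = Get-PatchedEapolValue -Value $cur
        $before = ($cur[$PatchOffset..($PatchOffset + 1)] | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
        Write-Host "$guid : offsets $PatchOffset-$($PatchOffset + 1) $before -> E0 19"
        if (-not $WhatIf) {
            Set-ItemProperty -Path $ifKey -Name '1' -Value $new -Type Binary
        }
    }
}

Enable-WiredDot1x -WhatIf   # drop -WhatIf to apply the change
```

Get-PatchedEapolValue refuses values shorter than the patch window rather than silently extending them, since a short value means the layout is not the one the post reverse-engineered. The E0 19 bytes themselves are the post's finding for its own PEAP setup; check them against a hand-configured reference machine before rolling out.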

Now we just slap together a GPO to run it as a startup script and to set
the wzcsvc startup to auto...
We've also thrown it into our SOE image to run on first boot (now that it's
live, it won't get the GPO if the patch hasn't already applied).
The production version we're using also has error-handling code (there are
frequent flaws with reporting of adapter type, resulting in errors reading
the EAPOL params), and writes a serial number to the reg and checks if it
needs to update etc. I'll let you polish it all yourself...

It's a bit on the nasty side, but it works. And if you think my VB skills
suck, shut up! I'm a sysadmin, not a developer.

...Now, my question to all of you: how do I get a 1x supplicant up and
running in WinPE (for our SOE deployment)???


