Configuring 802.1x Authentication for Windows Deployment – Part 1 – Building an 802.1x Computer Authentication Script

This is Part 1 in my Configuring 802.1x Authentication for Windows Deployment series. Be sure to check out all of the other parts here.

The Anatomy of an 802.1x Configuration Script

These are the basic steps that need to be performed by your auth script. The code below is commented to help you understand what each step is for.

  • Set Wired Autoconfig (dot3svc) service startup to Auto
  • Start Wired Autoconfig
  • Import Configuration Profile
  • Import Certificates
  • Force adapter authentication event

You may be looking at this and wondering why I’m creating a Batch file instead of using PowerShell. Well, I made one with PowerShell but found that our Windows 7 machines had PowerShell 3.0 installed and some of my cmdlets wouldn’t work. The Batch file is robust enough to just work in all cases, so it wins. Plus, it’s easier for anyone to edit/support without needing PowerShell skills. Who knows, I may post the PS code at the end of the series.

Save this code as ImportComputerAuthProfile.bat

REM this line will fail in PE but is needed in Windows
REM set the Wired AutoConfig service to automatically start
sc config "dot3svc" start= auto

REM start the Wired AutoConfig service
Net Start dot3svc

REM Import Root certificate
certutil.exe -addstore Root "%~dp0Certs\root.cer"

REM Import Computer Certificate
certutil.exe -ImportPFX -f -p P@ssword "%~dp0Certs\ComputerAuthCert.pfx"

REM Import Computer Auth Profile to all LAN interfaces
netsh lan add profile filename="%~dp0ComputerAuthProfile.xml" interface=*

REM Force all interfaces to reconnect
netsh lan reconnect interface=*

REM change the interface name to match your interface name(s). We have 2 in our environment.
REM Disable then Enable the adapter named Ethernet
netsh interface set interface name="ethernet" admin=DISABLED
netsh interface set interface name="ethernet" admin=ENABLED

REM Disable then Enable the adapter named Local Area Connection
netsh interface set interface name="Local Area Connection" admin=DISABLED
netsh interface set interface name="Local Area Connection" admin=ENABLED

REM Pause the script for 30 seconds to allow the adapter to Auth
ping localhost -n 30

REM Show the interface to see the status and show profiles to see which profile is applied.
netsh lan show interfaces
netsh lan show profiles

REM Add >> C:\Temp\LogFileName.log to any line to pipe the results to a log file.

Creating a Computer Authentication Profile

Each LAN interface can only have 1 Profile applied to it at any time. If you manually configure the profile then apply GPO, the GPO profile will take the place of the local profile. More on this in the Tips and Tricks post. When you are first configuring and testing your script, it may be helpful to take the working GPO profile and use it to start with; however, if you need to make any customizations or adjustments to the profile, be sure to work from a machine that doesn’t have an 802.1x GPO applied. Also, your script will fail to import your custom profile if an 802.1x GPO is applied, so you will need a non-GPO machine to test with anyway.

Group Policy Created Profile

Skip to the Export steps below

Manually Creating A Profile

Start this process on a clean machine that doesn’t have IEEE 802.1x Policies applied, otherwise you will have trouble. You can configure 802.1x Authentication on your LAN adapter in Windows by going to the Network Connections pane in the Control Panel. From there, right click on the adapter and click on the Authentication tab. If you don’t see it, you will need to go enable and start the Wired Autoconfig service. Now you can configure authentication to match what is expected by your 802.1x service.

**Note:** When I exported my config then tested in Windows on another machine, it all worked fine, but when I tested in WinPE, I found that authentication would fail. I talked with my Security guy and he suggested removing the Verify server’s identity… checkboxes from the profile. Once we did that WinPE authentication began working.

To create your own profile, follow the screenshots below (Note: GPO is applied in these, so everything is greyed out).

Exporting Your Profile

Follow these steps to export your profile into an XML file.
Show the interfaces on the system.

netsh lan show interfaces

Use the interface name from the previous command in the interface=’’ parameter below

netsh lan export profile folder=c:\temp interface="Ethernet"

Grab the XML file and rename it to ComputerAuthProfile.xml and save it with your batch file.

Here’s a copy of a working WinPE Computer Authentication profile. Your mileage may vary.

<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
    <MSM>
        <security>
            <OneXEnforced>false</OneXEnforced>
            <OneXEnabled>true</OneXEnabled>
            <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
                <cacheUserData>false</cacheUserData>
                <maxAuthFailures>3</maxAuthFailures>
                <authMode>machine</authMode>
                <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type><EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"><CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore></CredentialsSource><ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation><DifferentUsername>false</DifferentUsername><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName 
xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig>
            </OneX>
        </security>
    </MSM>
</LANProfile>
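
An added example (not from the original post): a Python check to run on an exported ComputerAuthProfile.xml before it is copied to a deployment share. It reports, for each EAP layer, the settings that result from clearing the "Verify the server's identity" boxes, where the supplicant no longer checks the RADIUS server's certificate. The function names and the abridged sample profile are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: abridged from the profile above, same element names and values.
SAMPLE = """<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1"><MSM><security>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>machine</authMode><EAPConfig>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><ServerNames></ServerNames></ServerValidation>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"><ServerValidation><ServerNames></ServerNames></ServerValidation>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation></EapType></Eap>
<PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation></PeapExtensions>
</EapType></Eap></EAPConfig></OneX></security></MSM></LANProfile>"""
EAP_NAMES = {"13": "EAP-TLS", "25": "PEAP"}  # <Type> values used in the profile

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix

def eap_layers(node):
    """Yield every <Eap> element, outer method first (PEAP wraps EAP-TLS)."""
    for child in node:
        if local(child.tag) == "Eap":
            yield child
        yield from eap_layers(child)

def own_settings(eap):
    """Settings of one EAP layer, without descending into a nested <Eap>."""
    found, stack = {}, list(eap)
    while stack:
        n = stack.pop()
        found[local(n.tag)] = (n.text or "").strip()
        stack.extend(c for c in n if local(c.tag) != "Eap")
    return found

def audit(xml_text):
    """Return (layer, finding) pairs for weak server-validation settings."""
    findings = []
    for eap in eap_layers(ET.fromstring(xml_text)):
        s = own_settings(eap)
        layer = EAP_NAMES.get(s.get("Type"), "EAP type %s" % s.get("Type"))
        if s.get("PerformServerValidation") == "false":
            findings.append((layer, "server certificate validation disabled"))
        if not s.get("ServerNames"):
            findings.append((layer, "no server name restriction"))
        if "TrustedRootCA" not in s:
            findings.append((layer, "no trusted root CA selected"))
    return findings

if __name__ == "__main__":
    print(*("%s: %s" % f for f in audit(SAMPLE)), sep="\n")
```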

Gathering your Certificates

You will need to export your Root CA Certificate and a Computer certificate to use. I just went into my local certificate store and exported them. The root cert should be a .cer extension. The computer cert (Client Authentication) should contain the private key and be password protected (pick any password - you will need to add it to the batch file). Save the computer cert as a .pfx extension. Name them Root.cer and ComputerAuthCert.pfx and put them in a Certs folder with your batch file. If you need help with this step, please consult The Googler, there are plenty of great resources for this.

Putting It All Together

At this point, you should have the following:

  • ImportComputerAuthProfile.bat - An 802.1x configuration script (A De-ISE-ing script for Cisco ISE).
  • ComputerAuthProfile.xml - A computer authentication profile XML file
  • Root.cer - A valid root CA Certificate
  • ComputerAuthCert.pfx - A valid computer certificate (any valid AD joined device should work)

Place all of the files into the same folder with the certificates in a sub folder named Certs. Update the batch file with the password that you selected for your computer certificate and ensure that all of the other pathing in the script matches what you have. To test, you will need a machine that doesn’t have an 802.1x group policy already applied. Run the script. You should see the adapter attempting authentication and then connect to your 802.1x network. If it fails, reconfigure and re-export the profile and/or certs and try again.

Part 2 covers configuring WinPE for 802.1x.