802.1X supplicant & server authentication & registry

 
 
Guillaume Tamboise
11-17-2005, 09:54 PM
Hello,

I am trying to deploy wired 802.1X to a large number of (Windows 2000
and Windows XP) client computers, in an AD environment.

So far, what needs to be deployed on those client computers seems to be:

- Start the "Wireless Zero Configuration" (XP) or "Wireless
Configuration" (2000) service, achievable through the key "Start" under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC and
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WZCSVC\

- Set the desired SupplicantMode under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\

- Set the desired AuthMode under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\

- Grab the 802.3 interfaces from
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\

- Set the EAPOL parameters under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\{Interface_ID}\1
That's where things start to get complicated.
Since I want to use PEAP, computer authentication and the user's domain
credentials, it seems that I need to tweak this registry entry so that
bytes 11 and 12 are "c0" and "19".
There is one thing that seems significantly more complicated: server
authentication.
I do not want my 802.1X supplicant to start authenticating against any
RADIUS server just because it is there.
So, I want server authentication, using my CA.
On the GUI, it is fairly easy: under PEAP properties, I check "Validate
server certificate", uncheck "Connect to these servers" and check my CA
in the list of trusted root certification authorities.
In the registry, however, it seems to involve a lot of bytes in the
key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\{Interface_ID}\1,
and the bytes that need to be changed seem to depend on the list of
known root certification authorities. And on the OS (2000 or XP).

Anybody having already fiddled with such settings?
Or anybody having some documentation on this "magic" key?


Thanks


Guillaume Tamboise
 
S. Pidgorny
11-18-2005, 07:00 AM
As far as I know MS doesn't provide means of managing 802.1x for wired
connections. You probably can use regmon when changing trusted CA properties
to find out where it sits though.

Some interesting reading on the topic:

802.1X on wired networks considered harmful
(http://blogs.technet.com/steriley/ar...11/409021.aspx)


--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-


"Guillaume Tamboise" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello,
>
> I am trying to deploy wired 802.1X to a large number of (Windows 2000
> and Windows XP) client computers, in an AD environment.
>
> So far, what needs to be deployed on those client computers seems to be:
>
> - Start the "Wireless Zero Configuration" (XP) or "Wireless
> Configuration" (2000) service, achievable through the key "Start" under
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC and
> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WZCSVC\
>
> - Set the desired SupplicantMode under
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\
>
> - Set the desired AuthMode under
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\
>
> - Grab the 802.3 interfaces from
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\
>
> - Set the EAPOL parameters under
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\{Interface_ID}\1
> That's where things start to get complicated.
> Since I want to use PEAP, computer authentication and the user's domain
> credentials, it seems that I need to tweak this registry entry so that
> bytes 11 and 12 are "c0" and "19".
> There is one thing that seems significantly more complicated: server
> authentication.
> I do not want my 802.1X supplicant starting authenticating against any
> Radius server just because it is there.
> So, I want server authentication, using my CA.
> On the GUI, it is fairly easy: under PEAP properties, I check "Validate
> server certificate", uncheck "Connect to these servers" and check my CA
> in the list of trusted root certification authorities.
> In the registry, however, it seems to be involving a lot of bytes in the
> key
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\{Interface_ID}\1,
> and the bytes that need to be changed seem to depend on the list of
> known root certification authorities. And on the OS (2000 or XP).
>
> Anybody having already fiddled with such settings?
> Or anybody having some documentation on this "magic" key?
>
>
> Thanks
>
>
> Guillaume Tamboise
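
The before/after comparison suggested in the reply above can also be done offline on two `reg export` files taken around the GUI change. The sketch below is an added example, not code from either poster: it extracts the binary value from each export and lists the byte offsets that changed. The sample blobs are constructed, `{Interface_ID}` is the thread's placeholder, and reading "1" as a REG_BINARY value under that key is an assumption.

```python
import re

# Constructed sample exports (not real EAPOL blobs). {Interface_ID} is the
# thread's placeholder; treating "1" as a REG_BINARY value is an assumption.
BEFORE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\{Interface_ID}]
"1"=hex:05,00,00,00,00,00,00,00,00,00,00,80,0d,00,00,00,\
  01,00,00,00,00,00,00,00
"""
AFTER_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\{Interface_ID}]
"1"=hex:05,00,00,00,00,00,00,00,00,00,c0,19,0d,00,00,00,\
  01,00,00,00,17,00,00,00,aa,bb
"""

def parse_reg_binary(reg_text, value_name):
    """Return the bytes of a hex: (REG_BINARY) value from .reg export text."""
    # regedit wraps long hex values with a trailing backslash; join them first.
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    m = re.search(r'^"%s"=hex:([0-9a-fA-F,]*)' % re.escape(value_name),
                  joined, re.M)
    if m is None:
        raise KeyError(value_name)
    return bytes(int(b, 16) for b in m.group(1).split(",") if b)

def changed_ranges(before, after):
    """Zero-based inclusive (start, end) offset ranges where the blobs differ."""
    ranges, start = [], None
    longest = max(len(before), len(after))
    for i in range(longest):
        a = before[i] if i < len(before) else None  # None = byte absent
        b = after[i] if i < len(after) else None
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i - 1))
            start = None
    if start is not None:  # difference runs to the end (blob grew or shrank)
        ranges.append((start, longest - 1))
    return ranges

if __name__ == "__main__":
    old = parse_reg_binary(BEFORE_EXPORT, "1")
    new = parse_reg_binary(AFTER_EXPORT, "1")
    for lo, hi in changed_ranges(old, new):
        print(f"offsets {lo}-{hi}: {old[lo:hi+1].hex(' ')} -> {new[lo:hi+1].hex(' ')}")
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so read real files with `encoding="utf-16"`. Because the changed offsets may differ between machines and between 2000 and XP, repeat the comparison on each OS build before pushing a blob to other clients.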



 