Separate AuthMode and SupplicantMode settings for wired and wireless

Anyone know if there is a way to specify separate AuthMode and
SupplicantMode values (in
HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parame ters\General\Global\AuthMo
de) for wired and wireless networks?

We're running 802.1x on both wired and wireless, but on the wireless side we
just want to do computer authentication and on the wired side we want to do
both computer and user authentication. It looks like I'm out of luck
because there's only one place to set the AuthMode setting and both
connections use it.

This is confusing though:

<quote from
http://www.microsoft.com/technet/its...q.mspx?pf=true >
Q.What is the purpose of the SupplicantMode registry value?

A.The SupplicantMode registry value
(HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Param eters
\General\Global\SupplicantMode) affects the behavior of an 802.1X supplicant
when sending EAP over LAN (EAPOL)-Start packets during 802.1X
authentication. The SupplicantMode value can be set to the following:
..0 - Disable IEEE 802.1X operation.
..1 - Never send an EAPOL-Start packet.
..2 - Automatically determine when to initiate the transmission of
EAPOL-Start packets. This is the default value for wired connections.
..3 - Send an EAPOL-Start message upon association to initiate the 802.1X
authentication process, for compliance with the IEEE 802.1X specification.
This is the default value for wireless connections.
</quote>

Notice how it says a setting of 2 is for wired connections is the default
and a setting of 3 is for wireless. ow can it have two different defaults if
it only allows you one place to set it for ALL connections?! I must be
missing something here...

-Andrew

"Diamontina Cocktail" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "Andrew" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Anyone know if there is a way to specify separate AuthMode and
>
> Not answering your question directly but possibly giving you something
else
> to think about:
>
> From time to time I have to bring a stuffed tower home from work and fix
it.
> I have a wi-fi/wired modem/router and most of the computers I bring home
> don't have wi-fi inside them but DO have a wired NIC available. So, when I
> fix the machine, I plug it in, wired, to the router to get through without
> having to authorise at all (because that is the way I want it). However,
on
> those occasions that I bring a laptop or tower home that has wi-fi in it,
> when it is running again, it will NOT connect to my modem/router because I
> use MAC filtering or, in my modem/router's terms "Access List" which is
the
> same thing. MAC filtering isn't 100% foolproof to someone wanting to get
> into your system who knows how to but to the majority of people it is.
Yes,
> I *HAVE* brought a wi-fi enabled computer home before, fixed it and
entered
> the pass phrase into it and expected it to get on and wondered what the
heck
> was going on when it didn't, for a minute.
>
> Maybe you can get around your problem using MAC filtering?

Thanks for your reply, Diamontina. Actually your suggested solution is the
one we're using for non-802.1x clients (printers, etc.). Unfortunately,
because we have so many clients (we have thousands of machines), doing MAC
filtering would require too much work to manage (I'm lazy :-). In addition,
we also have to put the 802.1x clients into their own dynamic VLAN depending
on their userID for additional security measures, which as far as I know can
only be done with 802.1x.

I was looking around in the registry today and was wondering if the AuthMode
and SupplicantMode DWORDs could be set somewhere in
HKLM/Software/Microsoft/EAPOL/Parameters/Interfaces for each interface (the
default is HKLM/Software/Microsoft/EAPOL/Parameters/General/Global).