Disabling Fallback to unauthorized network access in GPO RRS feed

  • Question

  • Hi,

    I am trying to control (disable) the "Fallback to unauthorized network access" settings via GPO from DC. How can I do it?


    Friday, July 22, 2011 5:40 AM

All replies

  • Hi,

    See http://social.technet.microsoft.com/Forums/en/winserverGP/thread/5d9c3b96-d231-420b-bd8e-7a248ab70040

    Answered by Mervyn Zhang:

    To configure Wired AutoConfig service, please try to configure the following policy:

    [Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Wired AutoConfig]

    To configure 802.1X wired settings,

    [Computer Configuration\Policies\Windows Settings\Security Settings\Wired Network]

    Sunday, July 24, 2011 6:31 AM
  • Hi Mervyn,

    Which settings in particular of [Computer Configuration\Policies\Windows Settings\Security Settings\Wired Network] allows me to disable "Fallback to unauthorized network access"?


    Monday, July 25, 2011 3:25 AM
  • Hmm after searching for this, I do not see it anywhere in wired or wireless settings (in GPO). I will ask around and see if this is actually missing from Group Policy.

    It might be necessary to set a registry key.


    Monday, July 25, 2011 4:21 AM
  • Hi,

    This might be a bug in Group Policy, but I am still asking about it.

    I've been told that this corresponds to the value of OneXEnforce in the XML profile. If you push a profile via Group Policy, it could be managed in this way. I realize this is not ideal and am still looking for more information.


    Monday, July 25, 2011 4:46 PM
  • Hi Greg,

    Thanks for the help so far. Are you able to provide more info on how to do it via registry keys as I am not familiar with XML profile.

    Also, kindly update if there is a way to achieve it via GPO.

    Have a nice day.

    Tuesday, July 26, 2011 4:50 AM
  • Hi,

    I asked for a registry key, but was told it doesn't work that way. It is controlled by the profile setting which is in XML. I'm not familiar with it either I'm afraid =(


    P.S. I do still have some questions remaining to be answered, and I'll post what I find out.
    Tuesday, July 26, 2011 8:40 AM
  • Hi,

    I found out that this setting was removed from Group Policy on purpose because it was dangerous. I am still trying to get details about how this setting can cause problems.


    Saturday, August 13, 2011 6:23 AM
  • Greg, Have you heard anything latest on this topic?

    I am also having similar requirement of managing "Fallback to unauthorized network access" via GPOs. One reason I can think of why this particular setting is dangerous is, the system will not fall back to guest/AuthFail network when authentication is failed. If this happens, computer will not come into the network.


    Sitaram Pamarthi

    Blog : http://techibee.com

    Follow on Twitter

    This posting is provided AS IS with no warranties or gurentees,and confers no rights

    Wednesday, April 18, 2012 9:24 AM
  • I found this thread while looking for the same GPO setting.

    There is an excellent resource created by David Marin Hebra on how to setup 802.1x for SCCM and MDT.
    In that document, it details how to export the wired policy to an XML file.

    netsh lan export profile folder=C:\Test\8021x interface="Local Area Connection"

    This XML file shows all the config that is applied via Group Policy, and can be added to a non GPO machine to see what all the settings do via the command:

    netsh lan add profile filename=C:\Test\8021x\"Local Area Connection.xml" interface="Local Area Connection"

    As stated by Greg, the setting corresponds to the OneXEnforced setting in the XML file.

    This is by default set to "False" - and this corresponds to the checkbox checked for "Fallback to unauthorized network access". If you set the XML entry to "True" and apply the profile, you will find that the checkbox is unchecked.

    This setting can be found in the GPO as "Enforce advanced 802.1X settings", if you set this policy setting and apply the GPO, you will find that the checkbox for "Fallback to unauthorized network access" is unchecked.

    Looks like you cant have one without the other.

    Wednesday, April 15, 2015 2:52 PM