Ignore Username just authenticate with Workstation ID

  • Question

  • Can I authenticate (802.1x) an XP Client using a workstation? Yes.
    Can I authenticate an XP Client using a username? Yes.

    Can I choose NOT to authenticate using the username and just use the workstation?

    Basically I want to authenticate my workstations, not my users. I don't care who you are, I just care that workstation X is workstation X and workstation X gets authenticated. This works because I know I get an IP before the user actually logs in; however, when they log in it authenticates again. I just want to ignore that. Is that possible?
    Friday, September 25, 2009 7:58 PM

Answers

  • I did find this in that article you sent me, MadPAM. Thanks!

    Using Computer-only Authentication

    Some network administrators want to use only computer authentication. By using only computer authentication, a client computer must perform computer-level 802.1X authentication with an authenticating switch using either a computer certificate (when using EAP-TLS authentication) or the computer's account name and password (when using PEAP-MS-CHAP v2 authentication) before it can access the organization network. With computer-only authentication, only valid computers can connect to the wired network. Computers that do not have a computer account in the organization's domain cannot connect. This prevents users from bringing computers from home and connecting to the organization's wired LAN. Home computers represent a threat to the organization network because they are not managed in the same way as member computers and can introduce viruses or other malicious programs into the organization network.

    For more information about computer authentication and user authentication, see the "Wireless Deployment Technology and Component Overview" at http://www.microsoft.com/technet/network/wifi/wificomp.mspx.

    To configure computer-only authentication for wired clients, all the Windows-based wired clients must have the following registry value set:

    HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode=2

    With the AuthMode setting set to 2, only computer authentication is attempted. User authentication is never attempted.

    To add this registry setting on all of your wired client computers running Windows, you can use Reg.exe from the Windows Server 2003 Resource Kit Tools.

    In both cases, you create a script file that is read by the tool to add a registry setting. The tool has to be run in the security context of a local administrator account.

    Alternately, you can use network management software to change registry settings on managed computers.

    • Marked as answer by Mervyn Zhang Friday, October 2, 2009 8:16 AM
    Wednesday, September 30, 2009 12:26 PM
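The registry change described in the answer above, scripted in PowerShell as an added example (this is not code from the original thread or from Microsoft's documentation). It assumes PowerShell 2.0 or later on the client and an elevated session, since the post notes the tool has to run as a local administrator. The service names dot3svc (Wired AutoConfig) and napagent (NAP Agent) are the standard Windows service names for the two services a later reply says must be enabled on XP SP3.

```powershell
# Added example (not from the original post): switch a Windows wired 802.1X
# client to computer-only authentication (AuthMode=2) and verify the change.
# Assumes PowerShell 2.0 or later and an elevated (local administrator) session.

$KeyPath      = 'HKLM:\Software\Microsoft\EAPOL\Parameters\General\Global'
$ValueName    = 'AuthMode'
$ComputerOnly = 2   # 2 = computer-only authentication; user authentication is never attempted

function Set-ComputerOnlyAuth {
    # Create the key if it does not exist yet, then write the DWORD value.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $ComputerOnly `
        -PropertyType DWord -Force | Out-Null
}

function Get-AuthMode {
    # Returns the current AuthMode, or $null if the value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.$ValueName } else { return $null }
}

function Enable-WiredClientServices {
    # Wired AutoConfig (dot3svc) must run for 802.1X on wired ports;
    # NAP Agent (napagent) is needed only if the port policy enforces NAP health checks.
    foreach ($svc in 'dot3svc', 'napagent') {
        Set-Service -Name $svc -StartupType Automatic
        Start-Service -Name $svc -ErrorAction SilentlyContinue
    }
}

Set-ComputerOnlyAuth
Enable-WiredClientServices
$mode = Get-AuthMode
if ($mode -eq $ComputerOnly) {
    Write-Output "AuthMode=$mode : only the computer account will authenticate on this port."
} else {
    Write-Output "AuthMode is '$mode'; expected $ComputerOnly. Check that the session is elevated."
}

# Equivalent Reg.exe command, for the script-file approach the post mentions:
#   reg add "HKLM\Software\Microsoft\EAPOL\Parameters\General\Global" /v AuthMode /t REG_DWORD /d 2 /f
```

One consequence worth planning for: with AuthMode=2 the NPS accounting and event logs identify the port session by the machine account only, so any investigation that needs to know which person was at that workstation has to correlate the port session with the domain logon events from the same time window.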

All replies

  • Hi GunnarWB,
    What do you mean by Workstation Authentication? Is it MAC Address Authentication? If it is MAC Address Authentication, then NPS supports this very well.

    Thanks
    -RamaSubbu SK
    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Saturday, September 26, 2009 6:05 PM
  • I believe that what you are looking for is called "Computer-only Authentication". By default Windows XP SP3 is set to do both computer and user authentication. We are using this as well.

    You can find information on this here: http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=05951071-6B20-4CEF-9939-47C397FFD3DD&displaylang=en

    The easiest way is to do it via Group Policy on Server 2008. Everything else requires some manual work.
    Tuesday, September 29, 2009 7:08 AM
  • Actually all I did to make the computer-only authentication work was create a group of computers and add that group to my policy condition. It's working... for the most part. I'm still having trouble getting all my clients to work.

    I have yet to find any documentation that tells me how to set up a client. I know I have to enable "Wired AutoConfig" and "NAP Agent" on the XP SP3 machine, but I haven't found a document that even tells me that!

    MadPAM, if you can give me some better information than that doc, I'd really like to hear what the proper way of doing computer-only authentication is. Like I said, I have it working, but I'd love to see a document telling me I'm doing it right.

    Gunnar

    Wednesday, September 30, 2009 12:20 PM
  • Glad to know your issue was resolved.
    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Friday, October 2, 2009 1:37 AM
  • I have a question about 802.1x and machine authentication. We implemented PEAP-MSCHAPv2 and it worked until the workstations reached the default 30 day password period mentioned in this Microsoft article http://support.microsoft.com/kb/904943. User authentication only seems to work for cached logins once the workstation fails. This is a laptop environment where the laptops are used by multiple users.

    EAP-TLS seems my only other option, but I didn't want to deal with user certificates. If I work with workstation-only certificates, then what happens in the case where a certificate expires while a laptop is offline for an extended period? If we had autoenrollment configured and the laptop with the expired certificate tries to connect, will it just fail to connect like the deal with passwords and MSCHAPv2, or will the laptop be able to renew? Seems like if the workstation cert is expired it might just fail and I would have to connect to the network over a wired network, like we currently have to with PEAP when the workstation password expires.

    thanks.
    Friday, January 8, 2010 3:20 AM
  • sccmintraining,

    If you use computer certificates, there will be a period (by default 6 weeks) where computers will request a new certificate automatically from the CA before their old certificate expires.

    Once the certificate has expired and the machine was not on the network to get a new one, access will be denied.

    Hope that helps
    MadPAM
    Tuesday, March 9, 2010 6:56 AM
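A check that follows from the two replies above, as an added PowerShell example (not code from the original thread): it lists the computer certificates in the local machine store that fall inside the autoenrollment renewal window, so laptops that will be offline past that point can be spotted before EAP-TLS access is denied. It assumes PowerShell 2.0 or later; the 6-week window from the reply is the default for the parameter.

```powershell
# Added example (not from the original thread): find machine certificates that
# will expire within the autoenrollment renewal window (6 weeks by default).
# Assumes PowerShell 2.0 or later; run on the laptop being checked.

param([int]$RenewalWindowDays = 42)

function Get-ExpiringMachineCerts {
    param([int]$WindowDays = $RenewalWindowDays)
    $deadline = (Get-Date).AddDays($WindowDays)
    # Only certificates with a private key can be used by the 802.1X supplicant.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -le $deadline } |
        Select-Object Subject, Issuer, NotAfter,
            @{Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays }},
            @{Name = 'Expired';  Expression = { $_.NotAfter -lt (Get-Date) }}
}

$certs = @(Get-ExpiringMachineCerts)
if ($certs.Count -eq 0) {
    Write-Output "No machine certificate expires within $RenewalWindowDays days; autoenrollment still has time to renew."
} else {
    # A certificate that is already expired means the client will be refused at the
    # port until it is renewed over another path, such as the wired fallback the question mentions.
    $certs | Format-Table -AutoSize
}
```

Run it with a larger window (for example `-RenewalWindowDays 90`) for laptops that leave the network for long trips, since the question is whether the machine will be back on the network before the renewal window closes, not merely before the certificate expires.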
  • It's been awhile since I posted, I've created a lot of in-depth documentation on how to get all of this to work, I think the online documentation is lacking in ease of understanding.  I just made a quick guide today on all the steps needed to setup a new Group of workstations running on a private VLAN, here it is:

    NAP Quick Setup Guide:

    Active Directory Users and Computers

      • Create NAP Group for department.
          Example: NAP-Sales
      • Add NAP Group to all workstations in the department.

    Network Policy Server

      • Add new VLAN Policy.
        • Right click a current VLAN policy and select Duplicate Policy.
        • Change the name of the new policy to reflect the correct VLAN and Department.
            Example: VLAN13 – Sales
        • Change the condition so that the NAP Group you just created is the group that the new policy refers to.
        • Change the VLAN Tunnel-Pvt-GroupID to match the VLAN that you will be using.
            Example: 13

    Switch Setup:

      • Log into the switch and create the new VLAN. Example: VLAN 13.
      • Give the VLAN a name equal to that of the Department that will be using this VLAN.
          Example: SALES
      • Give the VLAN an IP address. Use this addressing pattern: 192.168.<VLAN>.1
          Example: 192.168.13.1
      • Assign the IP Helper Address to point to the DHCP server.
          Example: 192.168.1.10

    DHCP Setup:

      • Create a new Scope using the Department name as the Scope name.
      • Make sure to add the router entry for this VLAN.

    Group Policy:

      • Add the NAP Policy to the OU of the Department you are deploying NAP to.

    Internet:

      • Create an entry in the firewall for the new subnet, otherwise Internet access will cease to work.
    This guideline is obviously for my network but gives you the steps. I don't explain how to make the rules in the NPS server, nor do I explain how to create a NAP Group Policy. This is meant to be a checklist when deploying NAP clients.
    Wednesday, March 10, 2010 7:52 PM
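The Active Directory and DHCP steps of the checklist above, scripted for one department as an added PowerShell example (not code from the original post). It assumes the RSAT ActiveDirectory module and the DhcpServer module (Windows Server 2012 or later) are available where it runs, and that the account has rights to create groups in the department OU and scopes on the DHCP server. The department name, VLAN number, OU path and DHCP server name are constructed values following the guide's 192.168.<VLAN>.x pattern; the NPS policy, switch VLAN and firewall steps stay manual, and the script prints them as reminders.

```powershell
# Added example (not from the original post): scripts the AD and DHCP steps of
# the NAP quick setup guide for one department. Assumes the ActiveDirectory and
# DhcpServer PowerShell modules; OU path and server name below are constructed.

param(
    [string]$Department   = 'Sales',
    [int]   $Vlan         = 13,
    [string]$DepartmentOU = 'OU=Sales,OU=Workstations,DC=example,DC=com',  # constructed
    [string]$DhcpServer   = 'dhcp01.example.com'                            # constructed
)

Import-Module ActiveDirectory
Import-Module DhcpServer

$GroupName = "NAP-$Department"
$Subnet    = "192.168.$Vlan.0"
$Gateway   = "192.168.$Vlan.1"

function New-NapGroup {
    # AD step 1: create the department's NAP group (safe to re-run).
    $existing = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
            -Path $DepartmentOU -Description "802.1X computer-only auth, VLAN $Vlan"
    }
}

function Add-DepartmentComputers {
    # AD step 2: add every workstation in the department OU to the group.
    # Only computer objects are added, so no user account can satisfy the NPS group condition.
    $computers = @(Get-ADComputer -Filter * -SearchBase $DepartmentOU)
    if ($computers.Count -gt 0) {
        Add-ADGroupMember -Identity $GroupName -Members $computers
    }
    return $computers.Count
}

function New-DepartmentScope {
    # DHCP step: a scope named after the department, with the VLAN gateway as the router entry.
    $scope = Get-DhcpServerv4Scope -ComputerName $DhcpServer -ScopeId $Subnet -ErrorAction SilentlyContinue
    if (-not $scope) {
        Add-DhcpServerv4Scope -ComputerName $DhcpServer -Name $Department.ToUpper() `
            -StartRange "192.168.$Vlan.100" -EndRange "192.168.$Vlan.200" `
            -SubnetMask 255.255.255.0 -State Active
    }
    Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $Subnet -Router $Gateway
}

New-NapGroup
$added = Add-DepartmentComputers
New-DepartmentScope

Write-Output "$GroupName ready with $added computer(s); scope $Subnet routes via $Gateway."
Write-Output "Manual steps left: duplicate the NPS VLAN policy with the $GroupName condition and Tunnel-Pvt-GroupID $Vlan,"
Write-Output "create VLAN $Vlan on the switch with its IP helper pointing at the DHCP server, and add the firewall entry for $Subnet/24."
```

Keeping group membership driven by the OU is what makes the NPS condition meaningful: a machine outside the department OU never lands in the group, so it never matches the VLAN policy even if it presents a valid computer certificate.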