Windows 7, RDP and 802.1x authentication

  • Question

  • If I connect to my computer with RDP, the 802.1x authenticated network disconnects, and therefore also my RDP connection. Windows 7 Professional x64. 802.1x Auth is over LAN/RJ45 so no wlan issues.
    Tuesday, April 12, 2011 7:48 PM

Answers

  • What is the system of the Remote Desktop client computer? If it is Windows XP, you may look at this:

    Wireless LAN Support in Windows: Frequently Asked Questions
    http://technet.microsoft.com/en-us/network/dd727529.aspx

    Q. Do Remote Desktop connections work to Windows wireless clients that use 802.1X authentication?

    A. Not at this time. All 802.1X-based wireless connections are affected, including those using EAP-TLS or PEAP-MS-CHAP v2. Connections using a static WEP key or WPA-PSK are not affected. Microsoft has addressed this issue in Windows Vista and Windows Server 2008.

    If you want to work around this,

    The xp sp3 802.1x authenticated pc network is down when use remote desktop connection tools
    http://social.technet.microsoft.com/Forums/en/winserverNAP/thread/962e1642-6b09-4b38-ac29-fdc3d90caee3


    Thursday, April 14, 2011 8:58 AM
    Moderator

All replies

  • I'm using Windows 7 clients over a wired 802.1x authenticated network and I'm using user certificates. The authentication server is NPS radius on Windows Server 2008 R2 and so is the AD server and CA as well. When I do a remote Desktop to a client machine the connection stays up for a couple minutes and then 802.1x closes the port on the switch. Is there a way around this?

     

    Any bits would help, I have been struggling with this for a while now.

    Regards,

    Thursday, April 21, 2011 5:51 PM
  • Hello mlaniel,

    I'm facing the issue right now. Same problem. Were you able to solve it somehow?

     

    Thank you and best regards

    Friday, October 28, 2011 12:24 PM
  • Hi,

    Have the same issue, did you find a solution for this?

    Cheers

    /Jason

    Tuesday, July 31, 2012 9:48 PM
  • Hi,

    I have exactly the same issue. IT policy disabled machine authentication; therefore, this is not an option for me.

    Did anyone find a solution or workaround that works with user authentication?

    Thanks, 

    SM.

    Monday, August 27, 2012 8:59 AM
  • I had the same problem, only difference is that I run Windows 8 (x64)

    I think I found a solution for 802.1x protected wired networks using PEAP where you have to authenticate yourself using EAP-MSCHAP v2 (i.e. you log in with a username and a password). But I think that this could work for other scenarios as well with a few modifications.

    For the steps in the solution I assume the following: (Adjust the commands with the names that apply to your system)

    • You have configured an Ethernet network controller to support 802.1x authentication by following the steps described here: http://windows.microsoft.com/en-sg/windows-vista/enable-802-1x-authentication
      The name of the network controller that connects to the protected network is called Ethernet
    • You have created an XML-file with the login credentials for your network. The file follows the schema definition for Eap User credentials (Example further down). This file has been saved as EapUserData.xml
    • You have opened a command line window with administrative rights and have navigated to the directory where you save the credentials file (EapUserData.xml)

    Example for an Eap Credentials file: (You'll probably only want to change the username and password)

    <?xml version="1.0"?>
    <EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
      <EapMethod>
        <eapCommon:Type>25</eapCommon:Type>
        <eapCommon:AuthorId>0</eapCommon:AuthorId>
      </EapMethod>
      <Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1" xmlns:MsPeap="http://www.microsoft.com/provisioning/MsPeapUserPropertiesV1" xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
        <baseEap:Eap>
          <baseEap:Type>25</baseEap:Type>
          <MsPeap:EapType>
            <baseEap:Eap>
              <baseEap:Type>26</baseEap:Type>
              <MsChapV2:EapType>
                <MsChapV2:Username>SomeMysticalUser</MsChapV2:Username>
                <MsChapV2:Password>SomeMysticalPassword</MsChapV2:Password>
                <MsChapV2:LogonDomain></MsChapV2:LogonDomain>
              </MsChapV2:EapType>
            </baseEap:Eap>
          </MsPeap:EapType>
        </baseEap:Eap>
      </Credentials>
    </EapHostUserCredentials>

    Follow the following steps:

    1. Since you are currently reading this, it is assumed that you are currently connected to and authenticated in your protected network. Execute the following command to delete your current 802.1x user profile.
      netsh lan delete profile interface=Ethernet
    2. A dialog will probably pop up asking you to provide login credentials which you have just deleted. Press Cancel. As a result you should now be disconnected from the internet or at least the status of the Ethernet network controller should read something like: "Authentication failed"
      Repeat this step anytime the dialog pops up during the next steps.
    3. Since we deleted the profile for LAN-authentication, Windows has just created a new profile for the Ethernet network controller with the default settings. Change these settings to usermode only using the following command:
      netsh lan set profileparameter authMode=userOnly interface=Ethernet
    4. Now, set the user credentials for the connection by getting netsh to parse your credentials XML-file. Use the following command:
      netsh lan set eapuserdata allusers=no filename=EapUserData.xml interface=Ethernet
      Note that we specify the parameter allusers and set it to "no". For some reason we have to first set the credentials for the current user only and then have to set it for all users. After this step you should be connected to and authenticated in your protected network again.
    5. Finally, set the EAP user data to be used for all users using the following command:
      netsh lan set eapuserdata allusers=yes filename=EapUserData.xml interface=Ethernet

    All users on your local computer (as well as users that log onto the local computer from a remote location) should now be able to login to the network using the provided authentication.

    In Windows 8 for example, you will (hopefully) notice that the network connection icon on the login screen shows the status Connected even before any user is logged in. I assume this is because the parameter allusers also includes NT-Authority and System accounts.

    • Proposed as answer by fredrik92 Friday, May 31, 2013 4:43 PM
    • Edited by fredrik92 Friday, May 31, 2013 4:52 PM Added conclusion
    Friday, May 31, 2013 4:43 PM
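
The EapUserData.xml used in the steps above holds the password in cleartext. The following PowerShell wrapper is an added example, not part of fredrik92's post: it prompts for the credentials, fills them into the template through the XML DOM, runs the same netsh commands against an ACL-restricted temporary copy and deletes that copy afterwards. It assumes the interface name Ethernet, an elevated prompt, and a template EapUserData.xml with placeholder values in the current directory; the variable names are hypothetical.

```powershell
# Added example (not from the original post). Assumptions: interface name
# "Ethernet", elevated prompt, and a template EapUserData.xml laid out as in
# the post, with placeholder values in the Username and Password elements.
$Interface = 'Ethernet'
$Template  = Join-Path $PWD 'EapUserData.xml'
$TempFile  = Join-Path $env:TEMP ("eap-{0}.xml" -f [guid]::NewGuid())

# Prompt instead of typing the password into a file by hand.
$cred = $Host.UI.PromptForCredential('802.1X', 'PEAP / EAP-MSCHAP v2 credentials', '', '')
$net  = $cred.GetNetworkCredential()

# Fill the template through the XML DOM so characters such as & or < in the
# password are escaped correctly instead of producing a malformed file.
$doc = New-Object System.Xml.XmlDocument
$doc.Load($Template)
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('m', 'http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1')
$doc.SelectSingleNode('//m:Username', $ns).InnerText    = $net.UserName
$doc.SelectSingleNode('//m:Password', $ns).InnerText    = $net.Password
$doc.SelectSingleNode('//m:LogonDomain', $ns).InnerText = $net.Domain

try {
    # Create the file empty, restrict its ACL to the current user,
    # and only then write the secret into it.
    New-Item -ItemType File -Path $TempFile | Out-Null
    icacls $TempFile /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):F" | Out-Null
    $doc.Save($TempFile)

    # Steps 1, 3, 4 and 5 from the post, unchanged. Step 2 (cancelling the
    # credential dialog whenever it pops up) still has to be done by hand.
    netsh lan delete profile interface=$Interface
    netsh lan set profileparameter authMode=userOnly interface=$Interface
    netsh lan set eapuserdata allusers=no  filename=$TempFile interface=$Interface
    netsh lan set eapuserdata allusers=yes filename=$TempFile interface=$Interface
}
finally {
    # Delete the cleartext copy once netsh has imported the credentials.
    Remove-Item -Path $TempFile -Force -ErrorAction SilentlyContinue
}
```
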
  • Properties

    Authentication

    Additional Settings

    802.1X settings

    Specify authentication mode (User Authentication)

    Save credentials (User name , Password) 



    • Edited by zhaojiaxing Thursday, September 5, 2013 8:02 AM
    Thursday, September 5, 2013 7:57 AM
  • Nice way to not answer the question, moderator. As stated, it's a "WIN7" question, not XP. So I don't see how this is a legit "answer" when the OS behaviour is greatly different.
    Friday, February 28, 2014 5:36 PM