Radius Server - Configure Auth (802.1X) settings for Win2000 Clients

Brian S

2007-02-01, 1:18 pm

Windows 2000 Domain

Windows 2000 Workstation

HP Procurve 2650 Switches

Authentication method – PEAP-MSCHAPv2 (configured to authenticate as computer)

Switches point to primary and secondary IAS servers with policies configured to
assign VLANs “on the fly”


Once I configure a port on the switch for 802.1X, then configure a client to
authenticate using 802.1X (with all the appropriate settings on the Local
Area Connection/Authentication Tab) everything works as designed. Based on
the policy for IAS the client is assigned X VLAN. If the client does not
authenticate then the client is placed (or better yet kept) in the
Unauthorized VLAN (segregated from the rest of the network). Now for my
problem:


A large portion of my clients cannot configure their Local Area
Connection/Authentication Tab setting themselves. I know you have to have
admin privileges to configure the Local Area Connection/General Tab, however,
performing tests as a non-privileged user has given me mixed results for
changing the Authentication tab settings. I am pretty sure it’s a Group
Policy that is causing the issue. The ones that can’t do it see all greyed
out selections when they go to the Auth tab. WinXP clients work no matter
what. On WIN2K if I stand up a new workstation and add to domain it goes
into the default Computers container in AD. I tested numerous times and
non-privileged users can go into the Authentication tab and make changes. Once I
place into our “production” OU it will then break and it’s greyed out with
non-privileged users. Note that doing this test with XP produces no change.
I can’t find a setting in the group policy that would be changing this type
of permissions. What right or permission set does a regular user need to
administer their authentication settings? I cannot deploy this using the
Wireless GP template as that works for only WIN2003/XP, and I also cannot
give users admin privileges, even if it’s just on their own workstations. I
have looked into a way to deploy via scripting and never found a way to
accomplish this task that way. Is my only solution to walk around and
configure manually? I have over 500 clients at this one site, not including
the other sites. Your help would be greatly appreciated. Thanks!
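
The "on the fly" VLAN assignment described in the post above, as an added example that is not part of the original thread: a RADIUS server signals the VLAN to an 802.1X switch with the RFC 3580 tunnel attributes, and this sketch shows how that reply maps to a port VLAN, failing closed to the Unauthorized VLAN. Function names, sample packets and VLAN IDs are constructed for illustration, and the Response Authenticator is not verified here.

```python
import struct

# Attribute numbers and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802, ACCESS_ACCEPT = 13, 6, 2

def parse_radius(packet: bytes):
    """Return (code, {attribute type: raw value}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("truncated RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2 : pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return code, attrs

def tagged_int(value: bytes) -> int:
    """Tunnel-Type / Tunnel-Medium-Type: 1 tag byte + 3-byte integer."""
    return int.from_bytes(value[1:], "big") if len(value) == 4 else -1

def vlan_for_port(packet: bytes, static_vlan: int, unauth_vlan: int) -> int:
    """VLAN the port should end up in, failing closed to unauth_vlan."""
    try:
        code, attrs = parse_radius(packet)
    except ValueError:
        return unauth_vlan
    if code != ACCESS_ACCEPT:
        return unauth_vlan
    tunnel = [attrs.get(t) for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)]
    if all(v is None for v in tunnel):
        return static_vlan  # accepted, but the policy assigns no VLAN
    if None in tunnel or tagged_int(tunnel[0]) != VLAN or tagged_int(tunnel[1]) != IEEE_802:
        return unauth_vlan  # incomplete or non-VLAN tunnel attributes
    # Tunnel-Private-Group-ID may start with an optional tag byte (0x00-0x1F).
    group = tunnel[2][1:] if tunnel[2][:1] and tunnel[2][0] <= 0x1F else tunnel[2]
    text = group.decode("ascii", "replace")
    return int(text) if text.isdigit() and 1 <= int(text) <= 4094 else unauth_vlan

def build(code: int, attrs) -> bytes:
    """Constructed sample packet; the authenticator is zeroed, not verified."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: an Access-Accept assigning VLAN 20, and an Access-Reject.
ACCEPT_VLAN_20 = build(2, [(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"20")])
REJECT = build(3, [])
```
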


rt-seb

2007-02-01, 7:22 pm

Hello Brian,

I've written a tool that distributes 802.1x settings for LAN adapters.
This tool can be used for W2k and WinXP. It could be integrated into
any software distribution management. If you're interested, you can
contact me privately: discuss(at)rt-solutions.de

Sebastian



Brian S

2007-02-01, 7:22 pm

sure...how do I do that?

"rt-seb" wrote:
> Hello Brian,
>
> I've written a tool that distributes 802.1x settings for LAN adapters.
> This tool can be used for W2k and WinXP. It could be integrated into
> any software distribution management. If you're interested, you can
> contact me privately: discuss(at)rt-solutions.de
>
> Sebastian
>
>
> "Brian S" wrote:
>
rt-seb

2007-02-02, 7:25 am

What about writing me an e-mail to the address I've already posted?

"Brian S" wrote:
> sure...how do I do that?
>
> "rt-seb" wrote:
>
Copyright 2003 - 2008 webservertalk.com