Kategoriarkiv: 802.1x

802.1x Windows Native Supplicant

A small post regarding the configuration of the 802.1x native supplicant within Windows.
By default the supplicant is turned off and configuriation requires the service to be started.

Let’s start the service from the command prompt:

cmd /c net start dot3svc

Now that the service is enabled you need to edit the properties of the NIC in the PC.

Authentication tab for the Ethernet adapter on the PC. A few things to be aware of:

You will need to choose the correct method for authentication, in this example we are running PEAP.

The Fallback is normally a very good idea, but it can be a problem if the users are travelling to places where there is no authentication. If this happens and fallback is enabled then windows will not be able to communication on the network. Also if you intent to export this configuration and use it for the SCCM script as descripted in another article, then the fallback is a bad idea if you have third party vendors doing you installation of images.

Configuration wise you need to click on Settings and More settings.

Settings:

In the settings tab there is one important part. That is if the client should validate the server certificate wich is being presented while negotiating the EAP tunnel. Again if you plan to use this for SCCM purpose, this should be deleted as the certificate is present at the time of installation.

More Settings:

In the more settings tab you will have to choose wether you want user or computer validation. This is also where you would enter the credentials if used with SCCM.

When done with the settings, open a command prompt. Here you will be able to utilize the netsh command set from Windows.

If the show output is correct, you may go an export the profile:

The userinput that you wrote in the configuration is not being exported, and if you are using that you will need to create a new XML file and insert the data. See the XML format below here and copy it if needed:

<?xml version="1.0" ?>
  <EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials"
    xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon"
    xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
    <EapMethod>
      <eapCommon:Type>25</eapCommon:Type>
      <eapCommon:AuthorId>0</eapCommon:AuthorId>
    </EapMethod>
    <Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1"
      xmlns:MsPeap="http://www.microsoft.com/provisioning/MsPeapUserPropertiesV1"
      xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
      <baseEap:Eap>
        <baseEap:Type>25</baseEap:Type>
        <MsPeap:EapType>
          <MsPeap:RoutingIdentity>MyUSERAUTH</MsPeap:RoutingIdentity>
          <baseEap:Eap>
            <baseEap:Type>26</baseEap:Type>
            <MsChapV2:EapType>
              <MsChapV2:Username>MyUSERNAME</MsChapV2:Username>
              <MsChapV2:Password>MyPA$$WORD</MsChapV2:Password>
              <MsChapV2:LogonDomain>MyDomain.local</MsChapV2:LogonDomain>
            </MsChapV2:EapType>
          </baseEap:Eap>
        </MsPeap:EapType>
      </baseEap:Eap>
    </Credentials>
  </EapHostUserCredentials>

Safe the file as EapUserData.xml.

You are now able to make use of the files you have exported and created.

Please see the article about 802.1x enabled Windows Deployment Service where it is also visible how to import these files to a new windows PC.

802.1x with Windows Deployment Service

A common problem with 802.1x enabled networks is to enable the deployment of new workstations. In a Microsoft infrastructure this is done through system center configuration manager and also called Windows Deployment Service.

The overall problem is that a PC is unknown at the time of installation and dont have any supplicant installed / configured. Thereby in a 802.1x enabled network the client would either end up in a guest vlan or be limited by a dACL enforced ingress on the switch interface. This would cause the PC not being able to load the installation image, programs and joing the specific AD domain.

A working solution for Windows Deployment Service in a 802.1x enabled network.

Proccess of the 802.1x authentication:
1. 802.1x EAP messages is being sent to the client for authentication.
2. If 802.1x times-out the switch contienues to MAB authentication.
3. If MAB also fails the authentication server will send a dACL to the switch who then applies in ingress on the client interface. The dACL is specified with the PC ip address as source.

Process of the Windows Deployment Service
1. PC is booting on the network via F12.
2. PC is downloading the initial boot image from SCCM distribution point using tftp.
3. WinPE is starting up the boot image.
4. WinPE is starting downloading the real image from SCCM.
5. Windows Deployment Service now executes the image from the task sequence within it.
6. Windows Deployment Service installs the third party 802.1x supplicant.
7. Installation is complete and validation of the PC is now handled through the third party supplicant.

Since we are dealing with a basic windows operating system starting from point 3 to 6, we are able to execute scripts and enable services within Windows.
However from point 1 to 2 we do have a challenge as we dont have anyway of talking with the PC.
Looking at the process of the 802.1x and if there is no response from the PC and MAB fails, a dACL will be downloaded and applied to the switch port. This is the first place we need to make sure the PC stays able to download the boot image. Therefore make sure the following is added to the dACL:

-remark permitting SCCM Boot Image
-permit udp any any eq tftp
-permit udp any any eq 4011
-permit udp any any range 49152-65535

These 3 permits will keep the PC able to finish the download from SCCM.

Once the download is complete WinPE will start and this is were the tricky part starts. Since we are dealing with a very basic windows operating system we have the possibility to enable built in services. Amongst others the native 802.1x supplicant in Windows called: dot3svc

By enabling the use of the service the PC will start replying to authentication messages from the switch. Also called EAP messages. But before it will reply it needs to be configured. This cannot be done on the fly and therefore this needs to be done on a seperate PC where the XML configuration can be extracted.

In the winPE startup a simple vb script is run where we are importing 2 XML files:
-lanprofile.xml
-userinfo.xml

Run "cmd /c copy """ & ScriptPath & "lanprofile.xml"" ""%SYSTEMDRIVE%\windows\system32\lanprofile.xml"" /Y", 0, True
Run "cmd /c copy """ & ScriptPath & "userinfo.xml"" ""%SYSTEMDRIVE%\windows\system32\userinfo.xml"" /Y", 0, True
Run "cmd /c net start dot3svc", 0, True
Run "cmd /c netsh lan set autoconfig enabled=yes interface=""Ethernet""", 0, True
Run "cmd /c netsh lan add profile filename=""%SYSTEMDRIVE%\windows\system32\lanprofile.xml"" interface=""Ethernet""", 0, True
Run "cmd /c netsh lan set eapuserdata filename = ""%SYSTEMDRIVE%\windows\system32\userinfo.xml"" allusers=yes interface=""Ethernet""", 0, True
Run "cmd /c netsh lan reconnect interface =""Ethernet""", 0, True
Run "cmd /c del ""%SYSTEMDRIVE%\windows\system32\userinfo.xml"" /Q", 0, True

Now the PC will listen but also send a EAP authentication message out to the switch. The switch will then start a new 802.1x authentication process and based on the policy set on the authentication server a new dACL will be downloaded. In our example:

-Remark Permit Any
-permit ip any any

Once WinPE has finished the download of the real image the PC restarts. This causes the link on the switch to go down and re-initialize. This means the a new authentication process will start again and since WinPE is no longer booting but Windows deployment services is, then the first task that Deployment Services should execute is the same script that WinPE did.

After Windows Deployment Services has finnished all the regular installation of programs the last task is to install our third party 802.1x supplicant. In this example we are using Cisco AnyConnect.

Just after the successfull installation of Cisco AnyConnect a reboot is needed. But before executing the reboot a new script needs to be run disabling the native supplicant so when the PC boots up the Cisco AnyConnect will reply to any EAP messages.

Run "cmd /c netsh lan delete profile interface="Ethernet""", 0, True
Run "cmd /c net stop dot3svc", 0, True

You should now be able to see in the log of the Authentication server that the new “known” PC is validated through the configuration you have choosed wether it is certificate, machine or user based.