802.1x Windows Native Supplicant

A small post regarding the configuration of the 802.1x native supplicant within Windows.
By default the supplicant is turned off, and configuration requires the service to be started.

Let’s start the service from the command prompt:

cmd /c net start dot3svc

Now that the service is running, you need to edit the properties of the NIC in the PC.

Open the Authentication tab of the Ethernet adapter's properties on the PC. A few things to be aware of:

You will need to choose the correct authentication method; in this example we are running PEAP.

The fallback option is normally a very good idea, but it can be a problem if users travel to places where there is no authentication. If this happens and fallback is enabled, Windows will not be able to communicate on the network. Also, if you intend to export this configuration and use it for the SCCM script described in another article, fallback is a bad idea if third-party vendors are doing your image installation.

Configuration-wise, you need to click on Settings and More settings.

Settings:

In the Settings tab there is one important part: whether the client should validate the server certificate that is presented while negotiating the EAP tunnel. Again, if you plan to use this for SCCM purposes, this should be unchecked, as the certificate is not present at the time of installation.

More Settings:

In the More settings tab you have to choose whether you want user or computer authentication. This is also where you enter the credentials if used with SCCM.

When done with the settings, open a command prompt. From here you can use the Windows netsh command set to show and export the LAN profile.

If the show output is correct, you can go on and export the profile:

The user credentials that you entered in the configuration are not exported. If you are using them, you will need to create a new XML file and insert the data yourself. See the XML format below and copy it if needed:

<?xml version="1.0" ?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials"
  xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon"
  xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
  <EapMethod>
    <eapCommon:Type>25</eapCommon:Type>
    <eapCommon:AuthorId>0</eapCommon:AuthorId>
  </EapMethod>
  <Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1"
    xmlns:MsPeap="http://www.microsoft.com/provisioning/MsPeapUserPropertiesV1"
    xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
    <baseEap:Eap>
      <baseEap:Type>25</baseEap:Type>
      <MsPeap:EapType>
        <MsPeap:RoutingIdentity>MyUSERAUTH</MsPeap:RoutingIdentity>
        <baseEap:Eap>
          <baseEap:Type>26</baseEap:Type>
          <MsChapV2:EapType>
            <MsChapV2:Username>MyUSERNAME</MsChapV2:Username>
            <MsChapV2:Password>MyPA$$WORD</MsChapV2:Password>
            <MsChapV2:LogonDomain>MyDomain.local</MsChapV2:LogonDomain>
          </MsChapV2:EapType>
        </baseEap:Eap>
      </MsPeap:EapType>
    </baseEap:Eap>
  </Credentials>
</EapHostUserCredentials>

Save the file as EapUserData.xml.
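The same procedure scripted in PowerShell, as an added example that is not part of the original post: it starts the supplicant service, builds EapUserData.xml from variables (escaping characters that would otherwise break the XML) and hands it to the supplicant with netsh. The interface name "Ethernet", the output path and the identity, username, password and domain values are assumed placeholders.

```powershell
# Added example (not from the original post).  Run from an elevated prompt.
# Assumed values: adjust the NIC name (see "netsh lan show interfaces") and the path.
$Interface   = 'Ethernet'
$OutFile     = 'C:\Deploy\EapUserData.xml'
$Identity    = 'MyUSERAUTH'       # PEAP outer (routing) identity
$Username    = 'MyUSERNAME'
$Password    = 'MyPA$$WORD'
$LogonDomain = 'MyDomain.local'

# Wired AutoConfig (dot3svc) is off by default: make it automatic and start it now.
Set-Service -Name dot3svc -StartupType Automatic
Start-Service -Name dot3svc

# Passwords often contain &, <, > or ": escape them or the XML will not parse.
function ConvertTo-XmlText([string]$s) { [System.Security.SecurityElement]::Escape($s) }

$xml = @"
<?xml version="1.0" ?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials"
  xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon"
  xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
  <EapMethod><eapCommon:Type>25</eapCommon:Type><eapCommon:AuthorId>0</eapCommon:AuthorId></EapMethod>
  <Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1"
    xmlns:MsPeap="http://www.microsoft.com/provisioning/MsPeapUserPropertiesV1"
    xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
    <baseEap:Eap><baseEap:Type>25</baseEap:Type>
      <MsPeap:EapType>
        <MsPeap:RoutingIdentity>$(ConvertTo-XmlText $Identity)</MsPeap:RoutingIdentity>
        <baseEap:Eap><baseEap:Type>26</baseEap:Type>
          <MsChapV2:EapType>
            <MsChapV2:Username>$(ConvertTo-XmlText $Username)</MsChapV2:Username>
            <MsChapV2:Password>$(ConvertTo-XmlText $Password)</MsChapV2:Password>
            <MsChapV2:LogonDomain>$(ConvertTo-XmlText $LogonDomain)</MsChapV2:LogonDomain>
          </MsChapV2:EapType>
        </baseEap:Eap>
      </MsPeap:EapType>
    </baseEap:Eap>
  </Credentials>
</EapHostUserCredentials>
"@

# Write the file, load it into the supplicant for all users, then remove the
# clear-text copy: the password sits in plain text in that file.
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
$xml | Set-Content -Path $OutFile -Encoding UTF8
netsh lan set eapuserdata filename="$OutFile" allusers=yes interface="$Interface"
Remove-Item -Path $OutFile -Force
netsh lan show profiles interface="$Interface"
```

If the file is meant for a later SCCM deployment rather than this PC, drop the Remove-Item line and restrict the file's ACL instead.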

You are now able to make use of the files you have exported and created.

Please see the article about 802.1x-enabled Windows Deployment Services, which also shows how to import these files on a new Windows PC.