802.1X supplicant & server authentication & registry


Guillaume Tamboise


I am trying to deploy wired 802.1X to a large number of (Windows 2000
and Windows XP) client computers, in an AD environment.

So far, what needs to be deployed on those client computers seems to be:

- Start the "Wireless Zero Configuration" (XP) or "Wireless
Configuration" (2000) service, achievable through the key "Start" under

- Set the desired SupplicantMode under

- Set the desired AuthMode under

- Grab the 802.3 interfaces from

- Set the EAPOL parameters under
That's where things start to get complicated.
Since I want to use PEAP, computer authentication and the user's domain
credentials, it seems that I need to tweak this registry entry so that
bytes 11 and 12 are "c0" and "19".
There is one thing that seems significantly more complicated: server
I do not want my 802.1X supplicant to start authenticating against any
RADIUS server just because it is there.
So, I want server authentication, using my CA.
On the GUI, it is fairly easy: under PEAP properties, I check "Validate
server certificate", uncheck "Connect to these servers" and check my CA
in the list of trusted root certification authorities.
In the registry, however, it seems to involve a lot of bytes in the
and the bytes that need to be changed seem to depend on the list of
known root certification authorities. And on the OS (2000 or XP).

Has anybody already fiddled with such settings?
Or does anybody have some documentation on this "magic" key?


