Separate AuthMode and SupplicantMode settings for wired and wireless

Andrew

Anyone know if there is a way to specify separate AuthMode and
SupplicantMode values (in
HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode)
for wired and wireless networks?

We're running 802.1x on both wired and wireless, but on the wireless side we
just want to do computer authentication and on the wired side we want to do
both computer and user authentication. It looks like I'm out of luck
because there's only one place to set the AuthMode setting and both
connections use it.

This is confusing though:

<quote from
http://www.microsoft.com/technet/itsolutions/network/wifi/wififaq.mspx?pf=true >
Q. What is the purpose of the SupplicantMode registry value?

A. The SupplicantMode registry value
(HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode)
affects the behavior of an 802.1X supplicant when sending EAP over LAN
(EAPOL)-Start packets during 802.1X authentication. The SupplicantMode value
can be set to the following:

  0 - Disable IEEE 802.1X operation.
  1 - Never send an EAPOL-Start packet.
  2 - Automatically determine when to initiate the transmission of
      EAPOL-Start packets. This is the default value for wired connections.
  3 - Send an EAPOL-Start message upon association to initiate the 802.1X
      authentication process, for compliance with the IEEE 802.1X
      specification. This is the default value for wireless connections.
</quote>

Notice how it says a setting of 2 for wired connections is the default
and a setting of 3 is for wireless. How can it have two different defaults if
it only allows you one place to set it for ALL connections?! I must be
missing something here...

-Andrew
 
Diamontina Cocktail

Andrew said:
Anyone know if there is a way to specify separate AuthMode and

Not answering your question directly but possibly giving you something else
to think about:

From time to time I have to bring a stuffed tower home from work and fix it.
I have a wi-fi/wired modem/router and most of the computers I bring home
don't have wi-fi inside them but DO have a wired NIC available. So, when I
fix the machine, I plug it in, wired, to the router to get through without
having to authorise at all (because that is the way I want it). However, on
those occasions that I bring a laptop or tower home that has wi-fi in it,
when it is running again, it will NOT connect to my modem/router because I
use MAC filtering or, in my modem/router's terms "Access List" which is the
same thing. MAC filtering isn't 100% foolproof to someone wanting to get
into your system who knows how to but to the majority of people it is. Yes,
I *HAVE* brought a wi-fi enabled computer home before, fixed it and entered
the pass phrase into it and expected it to get on and wondered what the heck
was going on when it didn't, for a minute. :)

Maybe you can get around your problem using MAC filtering?
 
Andrew

Diamontina Cocktail said:
Not answering your question directly but possibly giving you something else
to think about:

From time to time I have to bring a stuffed tower home from work and fix it.
I have a wi-fi/wired modem/router and most of the computers I bring home
don't have wi-fi inside them but DO have a wired NIC available. So, when I
fix the machine, I plug it in, wired, to the router to get through without
having to authorise at all (because that is the way I want it). However, on
those occasions that I bring a laptop or tower home that has wi-fi in it,
when it is running again, it will NOT connect to my modem/router because I
use MAC filtering or, in my modem/router's terms "Access List" which is the
same thing. MAC filtering isn't 100% foolproof to someone wanting to get
into your system who knows how to but to the majority of people it is. Yes,
I *HAVE* brought a wi-fi enabled computer home before, fixed it and entered
the pass phrase into it and expected it to get on and wondered what the heck
was going on when it didn't, for a minute. :)

Maybe you can get around your problem using MAC filtering?

Thanks for your reply, Diamontina. Actually your suggested solution is the
one we're using for non-802.1x clients (printers, etc.). Unfortunately,
because we have so many clients (we have thousands of machines), doing MAC
filtering would require too much work to manage (I'm lazy :). In addition,
we also have to put the 802.1x clients into their own dynamic VLAN depending
on their userID for additional security measures, which as far as I know can
only be done with 802.1x.

I was looking around in the registry today and was wondering if the AuthMode
and SupplicantMode DWORDs could be set somewhere in
HKLM/Software/Microsoft/EAPOL/Parameters/Interfaces for each interface (the
default is HKLM/Software/Microsoft/EAPOL/Parameters/General/Global).
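
An added example (not part of any post in this thread and not Microsoft's code): a read-only PowerShell check that reports the Global AuthMode and SupplicantMode values, decodes SupplicantMode using the FAQ text quoted above, and shows whether any subkey under Interfaces carries values with those names. Whether Windows honours per-interface values is not established by the thread; the helper name Get-EapolSetting is hypothetical and PowerShell 3.0 or later is assumed.

```powershell
# Added example: read-only audit of the EAPOL supplicant registry values.
# Assumes PowerShell 3.0+; Get-EapolSetting is a hypothetical helper name.
$base = 'HKLM:\Software\Microsoft\EAPOL\Parameters'

# SupplicantMode meanings, taken from the FAQ text quoted in the thread.
$supplicantModes = @{
    0 = 'Disable IEEE 802.1X operation'
    1 = 'Never send an EAPOL-Start packet'
    2 = 'Send EAPOL-Start automatically (default for wired)'
    3 = 'Send EAPOL-Start upon association (default for wireless)'
}

function Get-EapolSetting {
    param([Parameter(Mandatory = $true)][string]$KeyPath)

    # Collect the two values only if they actually exist under this key.
    $found = @{ AuthMode = $null; SupplicantMode = $null }
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -ne $props) {
        foreach ($name in @('AuthMode', 'SupplicantMode')) {
            $p = $props.PSObject.Properties[$name]
            if ($null -ne $p) { $found[$name] = $p.Value }
        }
    }

    # Decode SupplicantMode; anything that is not a listed DWORD is flagged.
    $mode = $found.SupplicantMode
    if ($null -eq $mode) {
        $meaning = 'not set here'
    } elseif ($mode -is [int] -and $supplicantModes.ContainsKey($mode)) {
        $meaning = $supplicantModes[$mode]
    } else {
        $meaning = 'value not listed in the FAQ'
    }

    [pscustomobject]@{
        Key            = $KeyPath -replace '^.*::', ''   # drop provider prefix
        AuthMode       = $found.AuthMode
        SupplicantMode = $mode
        Meaning        = $meaning
    }
}

# Global settings first, then every per-interface subkey (if the key exists).
$rows = @(Get-EapolSetting -KeyPath "$base\General\Global")
$rows += @(Get-ChildItem -Path "$base\Interfaces" -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EapolSetting -KeyPath $_.PSPath })
$rows | Format-Table -AutoSize -Wrap
```

The script only reads the registry, so it can be run across a fleet to see which machines deviate from the intended global values before any change is made.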
 
Diamontina Cocktail

Andrew said:
I was looking around in the registry today and was wondering if the AuthMode
and SupplicantMode DWORDs could be set somewhere in
HKLM/Software/Microsoft/EAPOL/Parameters/Interfaces for each interface (the
default is HKLM/Software/Microsoft/EAPOL/Parameters/General/Global).

I am admittedly NOT fabulous with editing policy etc but you MIGHT try the
newsgroup microsoft.public.windows.group_policy who MAY know enough to help.
 