Header Only - DO NOT REMOVE - Extreme Networks

Deploying 802.1X on PCs via Group Policy


I realize this is outside the scope of Extreme's product line, but we're currently looking at how to roll out 802.1X configuration to our Windows PCs in the environment. Enabling the Wired AutoConfig service is the easy part, but configuring the authentication parameters on the PCs NICs is proving to be a bit more challenging. We've been evaluating using a PowerShell script delivered via Group Policy alongside GPO rules.

How have your organizations managed this roll out when deploying Access Control and Policy?

9 replies

Userlevel 1
We do 802.1x on wired PCs and control wired NIC settings through Group Policy. Below is a sample copy of our Group Policy settings. Not sure if that is what you were looking for or if you were looking for additional parameters and settings. I didn't see a way I could add an attachment to this post so you will need to copy and paste all syntax below to notepad, save it as an htm file extension and you can view it within a browser.




802.1x - Wired












[b]



Group Policy Management


body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; }

.head { font-weight:bold; font-size:160%; font-family:MS Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding-left:8px; height:24px; }

.path { margin-left: 10px; margin-top: 10px; margin-bottom:5px;width:100%; }

.info { padding-left:10px;width:100%; }

table { font-size:100%;
Userlevel 7
Darin Seiler wrote:

We do 802.1x on wired PCs and control wired NIC settings through Group Policy. Below is a sample copy of our Group Policy settings. Not sure if that is what you were looking for or if you were looking for additional parameters and settings. I didn't see a way I could add an attachment to this post so you will need to copy and paste all syntax below to notepad, save it as an htm file extension and you can view it within a browser.




802.1x - Wired












[b]



Group Policy Management


body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; }

.head { font-weight:bold; font-size:160%; font-family:MS Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding-left:8px; height:24px; }

.path { margin-left: 10px; margin-top: 10px; margin-bottom:5px;width:100%; }

.info { padding-left:10px;width:100%; }

table { font-size:100%;

Your post was flagged as spam 🙂
I just approved it. Thanks for sharing!
Darin Seiler wrote:

We do 802.1x on wired PCs and control wired NIC settings through Group Policy. Below is a sample copy of our Group Policy settings. Not sure if that is what you were looking for or if you were looking for additional parameters and settings. I didn't see a way I could add an attachment to this post so you will need to copy and paste all syntax below to notepad, save it as an htm file extension and you can view it within a browser.




802.1x - Wired












[b]



Group Policy Management


body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; }

.head { font-weight:bold; font-size:160%; font-family:MS Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding-left:8px; height:24px; }

.path { margin-left: 10px; margin-top: 10px; margin-bottom:5px;width:100%; }

.info { padding-left:10px;width:100%; }

table { font-size:100%;

Darin,

I noticed there's no configuration for using PEAP vs. EAP, or unchecking the "Verify the server's identity by validating the certificate option" (see image)



How do you manage these settings within your GPO?
Userlevel 2
Darin Seiler wrote:

We do 802.1x on wired PCs and control wired NIC settings through Group Policy. Below is a sample copy of our Group Policy settings. Not sure if that is what you were looking for or if you were looking for additional parameters and settings. I didn't see a way I could add an attachment to this post so you will need to copy and paste all syntax below to notepad, save it as an htm file extension and you can view it within a browser.




802.1x - Wired












[b]



Group Policy Management


body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; }

.head { font-weight:bold; font-size:160%; font-family:MS Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding-left:8px; height:24px; }

.path { margin-left: 10px; margin-top: 10px; margin-bottom:5px;width:100%; }

.info { padding-left:10px;width:100%; }

table { font-size:100%;

Usually I deploy the GPO, certificate box unchecked, user or computer authentication and start the wired auto config service. I don't use a powershell script for it.
Darin Seiler wrote:

We do 802.1x on wired PCs and control wired NIC settings through Group Policy. Below is a sample copy of our Group Policy settings. Not sure if that is what you were looking for or if you were looking for additional parameters and settings. I didn't see a way I could add an attachment to this post so you will need to copy and paste all syntax below to notepad, save it as an htm file extension and you can view it within a browser.




802.1x - Wired












[b]



Group Policy Management


body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; }

.head { font-weight:bold; font-size:160%; font-family:MS Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding-left:8px; height:24px; }

.path { margin-left: 10px; margin-top: 10px; margin-bottom:5px;width:100%; }

.info { padding-left:10px;width:100%; }

table { font-size:100%;

Brian,

How are you accomplishing those four tasks?
Userlevel 2
Darin Seiler wrote:

We do 802.1x on wired PCs and control wired NIC settings through Group Policy. Below is a sample copy of our Group Policy settings. Not sure if that is what you were looking for or if you were looking for additional parameters and settings. I didn't see a way I could add an attachment to this post so you will need to copy and paste all syntax below to notepad, save it as an htm file extension and you can view it within a browser.




802.1x - Wired












[b]



Group Policy Management


body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; }

.head { font-weight:bold; font-size:160%; font-family:MS Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding-left:8px; height:24px; }

.path { margin-left: 10px; margin-top: 10px; margin-bottom:5px;width:100%; }

.info { padding-left:10px;width:100%; }

table { font-size:100%;

You can use this site as an example: https://www.raydbg.com/2017/How-to-Configure-Wired-Authentication-Settings-via-GPO/ Just set to PEAP rather than smart card. Disregard non-domain devices.
Userlevel 1
Darin Seiler wrote:

We do 802.1x on wired PCs and control wired NIC settings through Group Policy. Below is a sample copy of our Group Policy settings. Not sure if that is what you were looking for or if you were looking for additional parameters and settings. I didn't see a way I could add an attachment to this post so you will need to copy and paste all syntax below to notepad, save it as an htm file extension and you can view it within a browser.




802.1x - Wired












[b]



Group Policy Management


body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; }

.head { font-weight:bold; font-size:160%; font-family:MS Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding-left:8px; height:24px; }

.path { margin-left: 10px; margin-top: 10px; margin-bottom:5px;width:100%; }

.info { padding-left:10px;width:100%; }

table { font-size:100%;

The group policy I shared uses Microsoft: Smart Card or other certificate for the network authentication method. Within the settings for that we select to use a certificate on this computer (our internal Microsoft PKI issues a user and computer certificate to the Windows domain joined devices). Non domain joined devices we don't use 802.1x and just use MAC auth. Within the Advanced settings, we specify the auth mode as User or computer authentication. All very similar to the guides Brian provided above. I have a custom Word document I could share with you on our NIC configurations as well as 802.1x troubleshooting guide that we created to help our desktop techs if needed that match the GPO above.
Darin Seiler wrote:

We do 802.1x on wired PCs and control wired NIC settings through Group Policy. Below is a sample copy of our Group Policy settings. Not sure if that is what you were looking for or if you were looking for additional parameters and settings. I didn't see a way I could add an attachment to this post so you will need to copy and paste all syntax below to notepad, save it as an htm file extension and you can view it within a browser.




802.1x - Wired












[b]



Group Policy Management


body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; }

.head { font-weight:bold; font-size:160%; font-family:MS Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding-left:8px; height:24px; }

.path { margin-left: 10px; margin-top: 10px; margin-bottom:5px;width:100%; }

.info { padding-left:10px;width:100%; }

table { font-size:100%;

Brian and Darin,

Thanks for the input! I'll forward this to my server team and see if this gets them to where they need to be.
Hi All,

We were able to craft this GPO based off of the information here: https://technet.microsoft.com/en-us/library/2008.02.cableguy.aspx.

Reply