[wpkg-users] WPKG service + wired 802.1x authentication
Lukasz Zalewski
lukas at dcs.qmul.ac.uk
Mon Oct 19 14:33:31 CEST 2009
Jason Oster wrote:
> Hi all,
>
> After a quick search, I've seen mention that the service cannot be used
> when 802.1x authentication is in use on the network. The only workaround
> given was setting up the service to run with the task scheduler.
>
> My problem with this workaround is that some of my packages require a
> reboot after installing or upgrading. I cannot have our systems
> rebooting on users while they are in the middle of working on something.
>
> (On an unrelated note, Windows Update service ignores our group policy
> which specifies that it must never automatically reboot ... it will
> reboot anyway after installing some specific updates. Even if a user is
> logged in and currently working on something. It has happened to me more
> than once. There is nothing more frustrating!)
>
> My test network setup uses FreeRadius for the authentication server, and
> D-Link xStack switches for authenticators. After getting Windows XP SP3
> to successfully authenticate (using both the built-in Wired Autoconfig
> service, and the Open1X Xsupplicant and EAP-MD5), I am now only at a
> loss for getting the authentication to happen totally *unattended* and
> before login. Preferably, before the WPKG service starts. ;)
>
> By "unattended" I mean, I want authentication to take place without the
> need for someone (usually me) to enter the login credentials while the
> system is being setup by Unattended (http://unattended.sf.net/).
> Ideally, I would add 802.1x support to my Unattended boot discs, and
> allow it to *somehow* configure the Windows setup to use whatever
> username & password I specify for its initial connection.
>
> I haven't been able to get that much (initial unattended configuration)
> figured out, either. The solution might require modifying Xsupplicant to
> run as a service?
>
> The other problem with this setup is that Windows cannot contact the
> Active Directory domain controller to get users logged in. (Unless, of
> course, there is a cached account on the computer already.)
>
>
> That's what I'm trying to accomplish. As for why, it's because we
> currently have no means of protecting our network: anyone can plug in a
> rogue laptop or WiFi AP, instantly gaining access to all of our network
> services. Bad, bad, bad. :( With 802.1x, I'm hoping to at least mitigate
> the problem by making it impossible for any unauthorized devices to gain
> network connectivity without (at the very least) knowing, or being able
> to obtain a static username/password.
>
> If anyone has experience with any of these things (I'm a complete 802.1x
> n00b, and it just seems overcomplicated, immature, and under-supported).
> Perhaps there is even something more suitable to my needs? I am open to
> suggestion.
>
> Thanks for your time!
> Jay
>
Jason,
Windows' built-in 802.1X supplicant allows computer-based authentication.
We have not used it ourselves, so I might be completely off the chart
here, but I suspect it would authenticate using the certificate and
credentials of a domain computer when the network is available (assuming
the computer is already joined to the domain).
We have also created small utilities (NSIS Installer based) for
pre-configuring wireless 802.1X settings (eduroam) and wired access using
the Wlan API (I think XP SP3 and newer have built-in command-line
utilities). However, these utilities are meant for end users (they do not
embed any usernames or passwords, they only configure the appropriate
profiles), but I think adding a password is possible - although not
advisable for security reasons. Is this something that would suit your needs?
Regards
Luk