[wpkg-users] WPKG service + wired 802.1x authentication
Jason Oster
jason.oster at campnavajo.com
Fri Oct 16 19:29:15 CEST 2009
Hi all,
After a quick search, I've seen mention that the service cannot be used
when 802.1x authentication is in use on the network. The only workaround
given was setting up the service to run with the task scheduler.
My problem with this workaround is that some of my packages require a
reboot after installing or upgrading. I cannot have our systems
rebooting on users while they are in the middle of working on something.
(On an unrelated note, Windows Update service ignores our group policy
which specifies that it must never automatically reboot ... it will
reboot anyway after installing some specific updates. Even if a user is
logged in and currently working on something. It has happened to me more
than once. There is nothing more frustrating!)
My test network setup uses FreeRadius for the authentication server, and
D-Link xStack switches for authenticators. After getting Windows XP SP3
to successfully authenticate (using both the built-in Wired Autoconfig
service, and the Open1X Xsupplicant and EAP-MD5), I am now only at a
loss for getting the authentication to happen totally *unattended* and
before login. Preferably, before the WPKG service starts. ;)
By "unattended" I mean, I want authentication to take place without the
need for someone (usually me) to enter the login credentials while the
system is being set up by Unattended (http://unattended.sf.net/).
Ideally, I would add 802.1x support to my Unattended boot discs, and
allow it to *somehow* configure the Windows setup to use whatever
username & password I specify for its initial connection.
I haven't been able to get that much (initial unattended configuration)
figured out, either. The solution might require modifying Xsupplicant to
run as a service?
The other problem with this setup is that Windows cannot contact the
Active Directory domain controller to get users logged in. (Unless, of
course, there is a cached account on the computer already.)
That's what I'm trying to accomplish. As for why, it's because we
currently have no means of protecting our network: anyone can plug in a
rogue laptop or WiFi AP, instantly gaining access to all of our network
services. Bad, bad, bad. :( With 802.1x, I'm hoping to at least mitigate
the problem by making it impossible for any unauthorized devices to gain
network connectivity without (at the very least) knowing, or being able
to obtain a static username/password.
If anyone has experience with any of these things (I'm a complete 802.1x
n00b, and it just seems overcomplicated, immature, and under-supported.
Perhaps there is even something more suitable to my needs? I am open to
suggestion.
Thanks for your time!
Jay