[wpkg-users] WPKG service + wired 802.1x authentication

Adam Williams awilliam at mdah.state.ms.us
Fri Oct 16 19:50:17 CEST 2009



Jason Oster wrote:
> Hi all,
>
> After a quick search, I've seen mention that the service cannot be 
> used when 802.1x authentication is in use on the network. The only 
> workaround given was setting up the service to run with the task 
> scheduler.
>
> My problem with this workaround is that some of my packages require a 
> reboot after installing or upgrading. I cannot have our systems 
> rebooting on users while they are in the middle of working on something.
>

Use the /noreboot flag.

> (On an unrelated note, Windows Update service ignores our group policy 
> which specifies that it must never automatically reboot ... it will 
> reboot anyway after installing some specific updates. Even if a user 
> is logged in and currently working on something. It has happened to me 
> more than once. There is nothing more frustrating!)

Create a policy file or use gpedit.msc: computer config -> admin 
templates -> windows components -> windows update -> no restart with 
logged on users for scheduled automatic updates -> enabled
>
> My test network setup uses FreeRadius for the authentication server, 
> and D-Link xStack switches for authenticators. After getting Windows 
> XP SP3 to successfully authenticate (using both the built-in Wired 
> Autoconfig service, and the Open1X Xsupplicant and EAP-MD5), I am now 
> only at a loss for getting the authentication to happen totally 
> *unattended* and before login. Preferably, before the WPKG service 
> starts. ;)

I dunno, I use OpenLDAP + Samba, and don't use wireless; it doesn't work 
well with roaming profiles in my experience.
>
> By "unattended" I mean, I want authentication to take place without 
> the need for someone (usually me) to enter the login credentials while 
> the system is being set up by Unattended (http://unattended.sf.net/). 
> Ideally, I would add 802.1x support to my Unattended boot discs, and 
> allow it to *somehow* configure the Windows setup to use whatever 
> username & password I specify for its initial connection.

I've never used Unattended.
>
> I haven't been able to get that much (initial unattended 
> configuration) figured out, either. The solution might require 
> modifying Xsupplicant to run as a service?
>
> The other problem with this setup is that Windows cannot contact the 
> Active Directory domain controller to get users logged in. (Unless, of 
> course, there is a cached account on the computer already.)
>
>
> That's what I'm trying to accomplish. As for why, it's because we 
> currently have no means of protecting our network: anyone can plug in 
> a rogue laptop or WiFi AP, instantly gaining access to all of our 
> network services. Bad, bad, bad. :( With 802.1x, I'm hoping to at 
> least mitigate the problem by making it impossible for any 
> unauthorized devices to gain network connectivity without (at the very 
> least) knowing, or being able to obtain a static username/password.
>
Use WPA2 encryption on wireless, and protect all network ports, either by 
disabling ones not in use, or with Cisco switches you can lock down ports 
to only allow traffic from specific MAC addresses. There is network 
monitoring software that will let you know when new devices are 
connected to your network. I don't know the names offhand; they are 
commercial (non-free), but I get emails and see them advertised in the 
free trade publications (Network World, Information Week, etc.).

> If anyone has experience with any of these things (I'm a complete 
> 802.1x n00b, and it just seems overcomplicated, immature, and 
> under-supported. Perhaps there is even something more suitable to my 
> needs? I am open to suggestion.
>
> Thanks for your time!
> Jay




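Added example, not part of either post: a minimal sketch of the "let you know when new devices are connected" idea from the reply, comparing a switch MAC-address table against an approved inventory. The inventory, the table lines and the `<vlan> <mac> <type> <port>` layout are constructed for illustration; it also reports a known address seen on more than one port, which a per-port MAC allowlist alone would not surface.

```python
import re

# Constructed inventory of approved devices (MAC -> label); not from the thread.
KNOWN = {
    "00:1a:2b:3c:4d:5e": "front-desk-pc",
    "00:1a:2b:3c:4d:5f": "office-printer",
}

# Constructed MAC-table lines in an assumed "<vlan> <mac> <type> <port>" layout.
SAMPLE_TABLE = """\
1    001a.2b3c.4d5e    DYNAMIC    Gi0/1
1    00-1A-2B-3C-4D-5F DYNAMIC    Gi0/2
1    02:00:de:ad:be:ef DYNAMIC    Gi0/7
1    001a.2b3c.4d5e    DYNAMIC    Gi0/9
"""

# Matches aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff notations.
MAC_RE = re.compile(
    r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}"
    r"|[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2})\b"
)

def normalize_mac(text):
    """Return a MAC as lowercase colon-separated octets."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_table(text):
    """Yield (mac, port) pairs; header and blank lines are skipped."""
    for line in text.splitlines():
        match = MAC_RE.search(line)
        if match:
            yield normalize_mac(match.group(1)), line.split()[-1]

def audit(table_text, known):
    """Return (unknown [(mac, port)], moved {known mac: [ports]})."""
    known = {normalize_mac(mac) for mac in known}
    unknown, ports = [], {}
    for mac, port in parse_table(table_text):
        ports.setdefault(mac, set()).add(port)
        if mac not in known and (mac, port) not in unknown:
            unknown.append((mac, port))
    moved = {m: sorted(p) for m, p in ports.items() if m in known and len(p) > 1}
    return unknown, moved

if __name__ == "__main__":
    new_devices, multi_port = audit(SAMPLE_TABLE, KNOWN)
    print("unknown devices:", new_devices)
    print("known MAC on several ports:", multi_port)
```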