Adding 802.1x functionality to WinPE has been a hot topic for a while now. And, given the amount of traffic and comments that my earlier post generated when I linked to the newly released updates for WinPE that add this long awaited support, it seems that a lot of people are interested in implementing 802.1x in WinPE.
After a longer than expected delay, I am pleased to finally post the instructions on how to add 802.1x support to an existing WinPE image. Below, you'll find links to our SkyDrive, which shares two documents that explain the necessary steps. Both documents are the same, one in English and the other in Spanish, so you don't need both.
Serious kudos go out to David Marin, a fellow deployment consultant in Microsoft Spain, who fought with this whole process and was able to write the document. I can't take any credit for the work he has done, which is why I have asked him to guest post for me on the blog. Be warned, it is a rather long process and covers some areas that require networking knowledge, so I recommend you study the whole process first before starting. I'll convince David to participate in any discussions that appear in the comments section of this blog post.
There is one thing I would like to make clear before you download the documents and start implementing them. As with the content of all the posts on the Deployment Guys blog, the procedures described here are currently unsupported by Microsoft. The documents in this post are the result of work completed solely and exclusively by David. Please do not contact Microsoft support for any help whatsoever regarding the content detailed in them, as they will be unable to assist you in any way.
This post was contributed by David Marin, a Consultant with Microsoft Services Spain
Thanks for the contribution, :)
Interesting post - I am still wading through it and have not yet tested the steps, however...
1) I assume that the valid domain account does not actually need access to any domain resources? Does it need to be a member of any groups? Could it just be removed from the User Group, and would this lessen the risk if it were compromised?
2) I assume that if you leave the password out of the XML file you do not get prompted for the value? In that case could you create, for a lite touch build, an HTA to prompt you for the required values and then create and import the required file?
There are other accounts used by ZTI/SCCM deployments - can one of these be hooked for use, so long as it's a domain account of course and the credentials are on the boot media?
1) The user account that you use for the 802.1X authentication does not have to be able to access any domain resources. Whether it has to belong to a group or not depends on the Radius configuration. For instance, there are places in which, depending on the group it belongs to, it will be assigned a different VLAN. So you have to check the requirements of that account against the Radius configuration.
2) In WinPE I am afraid that you will never be prompted for the credentials if you do not use the xml file or if you leave the credentials blank in that file. So it is a good idea in Lite Touch Deployments to show an HTA to prompt for credentials and generate the correct xml file or replace the values in an existing one. In Zero Touch Deployments it is not a good idea because you break the automation of Zero Touch.
Good luck with your testing.
I hope that the xml errors on SkyDrive get fixed someday so that I can access it.
XML Parsing Error: not well-formed
Line Number 120, Column 20:
for (var i = 0; i < selfPageData.items.length; i++)
I am not sure why you are seeing that error when trying to access the document(s). I have just tried from several computers and they all can download the documents fine from the links I placed in the blog post.
For zero touch deployments User/password information can be gathered from collection variables.
The real issue with an 802.1x environment is getting an IP address while booting via the network. When you hit F12 and select boot via network, it tries to find an IP address; if it can't, how can it see my PXE/WDS server?
Yes, the real issue is how to PXE boot in an 802.1X environment, any thoughts around that? I guess you had to deal with that in your real world customer cases?
Thank you for a great guide by the way!
This is a scenario that is not contemplated in the published guide. I've never had to work it out so as yet I have no answer for you. However, I can't immediately think of a way that it would be possible.
I have made a build for Windows PE 3.1 (incorporating dot3svc) with wlansvc and dependencies, including the registry entries to enable netsh.exe's wlan context. While I can get the wlan to work with WPA networks, I can't seem to get it working using WPA2-Enterprise 802.1x, despite following the guide posted above. I think the problem seems to be that the netsh.exe support for this only allows you to bind the XML EAP auth profile to a Local Area Connection and not a Wireless Network one. Is there a way to do this that I maybe can't see, or is it not currently possible? It may seem like a weird ask, but with MacBook Airs becoming more prevalent (no ethernet), it would be nice to unattend their Bootcamp Windows installs without messing about with USB ethernet dongles.