Adding Support for 802.1x to WinPE

re: Adding Support for 802.1x to WinPE

Patters — Mon, 07 Nov 2011 14:01:09 GMT

I have made a build for Windows PE 3.1 (incorporating dot3svc) with wlansvc and dependencies, including the registry entries to enable netsh.exe's wlan context. While I can get the wlan to work with WPA networks, I can't seem to get it working using WPA2-Enterprise 802.1x, despite following the guide posted above. I think the problem seems to be that the netsh.exe support for this only allows you to bind the XML EAP auth profile to a Local Area Connection and not a Wireless Network one. Is there a way to do this that I maybe can't see, or is it not currently possible? It may seem like a weird ask, but with MacBook Airs becoming more prevalent (no ethernet), it would be nice to unattend their Bootcamp Windows installs without messing about with USB ethernet dongles.

re: Adding Support for 802.1x to WinPE

DanielOxley — Wed, 26 May 2010 14:01:03 GMT

@Jeremias Jansson

This is a scenario that is not contemplated in the published guide. I've never had to work it out so as yet I have no answer for you. However, I can't immediately think of a way that it would be possible.

Daniel

re: Adding Support for 802.1x to WinPE

Jeremias Jansson — Wed, 26 May 2010 08:48:44 GMT

Yes, the real issue is how to PXEboot in a 802.1X environment, any thoughts around that? I guess you had to deal with that in your real world customer cases?

Thank you for a great guide by the way!

re: Adding Support for 802.1x to WinPE

Najam — Wed, 28 Apr 2010 14:06:35 GMT

The real issue with 802.1x environment is getting IP address while booting via network. When you hit F12 and select boot via network, it tries to find IP address, if it couldn't, how it can see my PXE/WDS server?

re: Adding Support for 802.1x to WinPE

qb — Fri, 16 Apr 2010 13:49:40 GMT

For zero touch deployments User/password information can be gathered from collection variables.

re: Adding Support for 802.1x to WinPE

DanielOxley — Mon, 22 Mar 2010 17:28:58 GMT

@Chris,

I am not sure why you are seeing that error when trying to access the document(s). I have just tried from several computers and they all can download the documents fine from the links I placed in the blog post.

Daniel

re: Adding Support for 802.1x to WinPE

Chris Hills — Mon, 22 Mar 2010 15:30:53 GMT

I hope that the xml errors on skydrive gets fixed someday so that I can access it.

XML Parsing Error: not well-formed

Location: http://cid-7be6feba9e7c999c.skydrive.live.com/self.aspx/DeploymentGuys/Windows%207%20Deployment%20Procedures%20in%20802%201X%20Wired%20Networks.pdf

Line Number 120, Column 20:

for (var i = 0; i < selfPageData.items.length; i++)

-------------------^

re: Adding Support for 802.1x to WinPE

David Marín — Thu, 11 Mar 2010 07:03:52 GMT

FoW,

1) The user account that you use for the 802.1X authentication does not have to be able to access any domain resources. If it has to belong to a group or not depends on the Radius configuration. For instance there are places in which depending on the group it belongs to, will be asigned a different VLAN. So you have to check the requirements of that account with the Radius configuration.

2) In WinPE I am afraid that you will never be prompted for the credentials if you do not use the xml file or if you leave the credentials blank in that file. So it is a good idea in Lite Touch Deployments to show an HTA to prompt for credentials and generate the correct xml file or replace the values in an existent one. In Zero Touch Deployments it is not a good idea because you break the automation of Zero Touch.

Good luck with your testing.

Regards,

David Marin

re: Adding Support for 802.1x to WinPE

FearOfWeapons — Thu, 04 Mar 2010 14:27:09 GMT

David/Dan,

intresting post - I am still wading through it and have not yet tested the steps however...

1) I assume that the valid domain account does not actullay need access to any domain resources? Does it need to be a member of any groups? Could it just be removed from the User Group and this would lessen the risk if it were comprimised.

2) I assume that if you leave the password out of the XML file you do not get prompted for the value? In that case could you create, for a lite touch build, an HTA to prompt you for the required values and then create and import the required file?

There are other accounts used by ZTI/SCCM deployments - can one of these be hooked for use, so long as its a domain account of course and the credentials are on the boot media?

cheers,

FoW.

re: Adding Support for 802.1x to WinPE

Andrés Villalobos — Tue, 02 Mar 2010 17:16:44 GMT

Buenas Daniel,

gracias por la aportación, :)

Andrés Villalobos