How to deploy XP SP3 in an existing wired 802.1x environment


Prior to SP3, the 802.1x service for XP is the Wireless Zero Configuration Service.  This service handles the 802.1x needs for both wired and wireless connections.  This has been problematic since not everyone uses wired 802.1x.  Also, because the wired 802.1x engine listens passively for EAP Identity traffic, we are not fully compliant with the IEEE spec, which states that the client should initiate authentication by sending an EAPOL-Start frame.

With SP3, we have separated the wireless service from the wired service and created a new Dot3Svc (Wired AutoConfig).  This service is set as a manual start as opposed to being automatic.  The default behavior of the Dot3Svc is now compliant with the IEEE specification.

In most environments, this is not a problem since most folks are not using 802.1x on their wired networks.  However, if the network has 802.1x deployed, having the service set to manual creates the unfortunate side effect of preventing the client from connecting back to the network after the required reboot has occurred. 

One of the suggested workarounds was to set the service type to Automatic in a GPO and push this out to all the clients prior to deploying SP3, but unfortunately you cannot do this.  Because Dot3Svc is a new service and does not exist on systems prior to SP3, XP cannot consume the necessary settings from a GPO and apply them after the service has been installed.

So to address this issue, you need to take the following steps:

Step 1: Pre-deployment

1.  Create a file called dot3svc_start.reg and put it in \\<domainname>\sysvol\<domainname>\scripts\

a. Add the following to the file

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dot3svc]

"Start"=dword:00000002

2. Create a file called dot3svc.bat and put it in \\<domainname>\sysvol\<domainname>\scripts\

a. Add the following to the file

regedit /s \\<domainname>\sysvol\<domainname>\scripts\dot3svc_start.reg

3. Using a GPO, add dot3svc.bat to the Shutdown scripts object.

4. In the same GPO, set the dot3svc to Automatic

Step 2: Deployment

1. Confirm the clients process the shutdown script.  All that needs to be done is to confirm the Dot3svc registry key exists after a reboot.

2. Deploy SP3 using normal procedures. 

Step 3: Post Deployment

1. After you have confirmed SP3 installs correctly and the dot3svc service starts, remove the scripts/GPO.
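
A check for Step 2 item 1 and Step 3 item 1, added here as an example and not part of the original post: a batch script, run locally on a client after a reboot, that confirms the Start value was staged as 0x2 and, once SP3 is installed, that the service is running. The script, its messages and its exit codes are assumptions of this example; it relies only on reg.exe and sc.exe, and it treats a failed `sc query` as "SP3 not installed yet".

```batch
@echo off
rem Added example: verify the Dot3svc staging from Step 1 and the service state after SP3.
setlocal
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\Dot3svc
set START=

rem reg query prints a line such as:  Start  REG_DWORD  0x2
for /f "tokens=1,2,3" %%A in ('reg query "%KEY%" /v Start 2^>nul') do (
    if /i "%%A"=="Start" set START=%%C
)

if not defined START (
    echo [FAIL] %KEY%\Start is missing. The shutdown script has not run.
    exit /b 1
)
if /i not "%START%"=="0x2" (
    echo [FAIL] Start is %START%, expected 0x2 ^(Automatic^).
    exit /b 2
)
echo [OK] Start=0x2 ^(Automatic^) is staged.

rem Assumption: sc returns a non-zero exit code while the service is not
rem installed, which is the expected state before SP3.
sc query dot3svc >nul 2>&1
if errorlevel 1 (
    echo [INFO] Dot3svc cannot be queried yet. Client is ready for SP3.
    exit /b 0
)

rem After SP3 the service should have started automatically at boot.
sc query dot3svc | find "RUNNING" >nul
if errorlevel 1 (
    echo [FAIL] Dot3svc is installed but not running.
    exit /b 3
)
echo [OK] Dot3svc is running. The scripts and GPO can be removed.
exit /b 0
```

A non-zero exit code identifies which check failed, so the script can be run across a pilot group before the shutdown script and GPO are withdrawn.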

For more information on the Dot3Svc, see http://support.microsoft.com/kb/949984


  • Hello

    Does this procedure work with "computer only" authentication?

    Thank you

  • Is there a Microsoft supported "Computer Only" 802.1x authentication solution for a mass rollout of SP3?

  • Is there a way to automate the process of deployment of dot.1x with MACHINE authentication? I found that this is no longer stored in the registry and you have to use NETSH to export, modify and import the profile (http://support.microsoft.com/kb/929847). If you have to mass deploy dot.1x on several thousand PCs, then ... you'll need a tool to automate the process.

  • You could simply update one XP client to SP3, install GPMC, load GPMC for your domain and then start the service. Worked for me!!

  • I hope she does not tire me more problems, but thank you anyway for your information