Joining workstations to Domain with wired 802.1x PEAP enabled.
This question crosses so many boundaries that I just decided to put it in the Server area. We have a 2003 Windows domain with XP clients and Cisco switches. We are testing 802.1x PEAP for all of our wired clients. 802.1x is working great, no problems there. The problems are:

1) How does one migrate 1000+ existing workstations into an 802.1x configuration?
2) How does a new workstation join the domain when it is connected to an 802.1x enabled port?
3) Is there any way to use 802.1x on WinXP without enabling the Wireless Configuration Service?

For the first one, we are working on some group policy, etc. and think it will go okay, but any advice would be nice.

For 2, as best we can determine, the only way to allow a computer to join the domain is to issue the dot1x port-control force-authorized command on the switch and disable 802.1x on that port until the computer is on the domain. The goal would be to use the domain admin's credentials to authorize the port and allow the workstation to join the domain without having to change the switch port status.

And last, #3: it seems that the only way to get the Authentication tab to show up on a NIC's Properties page is to enable the Wireless Configuration service. Now, this is not really a big deal for normal workstations, as they have no wireless devices in them. However, we have laptops that are connected via CAT5, and the wireless service is disabled to prevent the integrated wireless NIC from working. By enabling this service for the CAT5 connection, we open a new vulnerability by enabling the wireless capabilities of the laptop also. We do use hardware profiles to disable wireless, but the service is also disabled as an extra precaution. We don't use any wireless in our environment, so disabling at all points is our goal. Again, any advice is much appreciated.

Cheers,
Aaron
July 11th, 2007 6:15pm

Hi there... In relation to #3, does it really matter if this service is started on a laptop? You could always disable the NIC and flick the switch to "OFF", which most modern notebooks have? I guess if you're really paranoid you could easily remove a screw from the bottom of the notebook and remove the wireless NIC terminals, or just unplug them :))

I work for an organization with nearly 500 clients, and we have just implemented NAC or 802.1x using GP to 1 OU in AD. In regards to #2, I cannot join the domain with a machine patched to an 802.1x port; wouldn't this defeat the purpose?

And as for #1, we used GP and a script which added the certificate to the trusted publishers list. Doing a gpupdate /force on a client added the certificate, and then PEAP is selected from the authentication tab, which as you stated is put there by the service.

JNHMCDST 2007
July 30th, 2007 2:30pm

Could you please post the script that you use for enabling PEAP on the client, or send it to gtsaglis@hotmail.com?
November 14th, 2007 12:56pm

I would also like to see the script. I have been searching high and low to find something that would automate deploying NIC settings to PEAP. You'd think Microsoft would figure out a good solution for all of us out here trying to figure this out. I did find this script, but it hasn't worked for me. I'm limited on my VB scripting knowledge. I keep getting an error.

Option Explicit
Dim oWshShell, oWMISvc, oNicGUID, szNicInstanceID, szNicGUID
Dim arrNicGUID(), iGUIDCount, iGUID, arrEAPOLSet, iEAPOLByte, bOK
Dim oFSO, oTFOReg, szRegFile

Set oWshShell = WScript.CreateObject("WScript.Shell")
Set oWMISvc = GetObject("winmgmts:\\.\root\cimv2")

' Collect the interface GUID (NetCfgInstanceId) of every Ethernet adapter.
iGUIDCount = 0
For Each oNicGUID In oWMISvc.ExecQuery("select * from Win32_NetworkAdapter where AdapterType=" & Chr(34) & "Ethernet 802.3" & Chr(34))
    szNicInstanceID = Right("000" & oNicGUID.DeviceID, 4)
    szNicGUID = oWshShell.RegRead("HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\" & szNicInstanceID & "\NetCfgInstanceId")
    ReDim Preserve arrNicGUID(iGUIDCount)
    arrNicGUID(iGUIDCount) = szNicGUID
    iGUIDCount = iGUIDCount + 1
Next
If iGUIDCount = 0 Then
    WScript.Echo "No Ethernet adapters found."
    WScript.Quit 1
End If

' Build a .reg file: the global supplicant settings, then each NIC's existing
' EAPOL blob with bytes 11-12 replaced by e0,19 (0x19 = EAP type 25, PEAP).
szRegFile = "C:\Temp\EAPOL.reg"
Set oFSO = CreateObject("Scripting.FileSystemObject")
If Not oFSO.FolderExists("C:\Temp") Then oFSO.CreateFolder "C:\Temp"
Set oTFOReg = oFSO.OpenTextFile(szRegFile, 2, True)
oTFOReg.WriteLine "Windows Registry Editor Version 5.00"
oTFOReg.WriteBlankLines 1
oTFOReg.WriteLine "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]"
oTFOReg.WriteLine Chr(34) & "SupplicantMode" & Chr(34) & "=dword:00000003"
oTFOReg.WriteLine Chr(34) & "AuthMode" & Chr(34) & "=dword:00000001"

For iGUID = LBound(arrNicGUID) To UBound(arrNicGUID)
    ' The "1" value only exists once the supplicant has stored settings for
    ' the NIC; reading a missing value raised an unhandled error before.
    On Error Resume Next
    arrEAPOLSet = oWshShell.RegRead("HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\" & arrNicGUID(iGUID) & "\1")
    bOK = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0
    If bOK Then bOK = IsArray(arrEAPOLSet)
    If bOK Then bOK = (UBound(arrEAPOLSet) >= 12)
    If Not bOK Then
        WScript.Echo "Skipping " & arrNicGUID(iGUID) & ": no usable EAPOL settings to patch"
    Else
        oTFOReg.WriteBlankLines 1
        oTFOReg.WriteLine "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\" & arrNicGUID(iGUID) & "]"
        oTFOReg.Write Chr(34) & "1" & Chr(34) & "=hex:"
        For iEAPOLByte = 0 To 10
            oTFOReg.Write HexByte(arrEAPOLSet(iEAPOLByte)) & ","
        Next
        oTFOReg.Write "e0,19"
        ' regedit parses every token of a hex: list as hexadecimal, so the
        ' decimal values the original wrote here would be misread.
        For iEAPOLByte = 13 To UBound(arrEAPOLSet)
            oTFOReg.Write "," & HexByte(arrEAPOLSet(iEAPOLByte))
        Next
        oTFOReg.WriteLine
    End If
Next
oTFOReg.Close

' /s imports silently; the third argument waits for regedit to finish.
oWshShell.Run "regedit /s " & szRegFile, 1, True
WScript.Echo "Adapters examined: " & Join(arrNicGUID, ", ")

' Two-digit, zero-padded hex for one byte (Hex(5) alone gives "5").
Function HexByte(b)
    HexByte = Right("0" & Hex(b), 2)
End Function

Thanks in advance for any help.

Rob
rsperrazza@enfield.org
April 10th, 2008 5:23pm
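The script above only writes settings; it does not tell you whether they took. The following audit script is an added example, not Rob's script and not anything posted in this thread. It reads the same registry locations back through WMI's StdRegProv and reports, per NIC, what EAP type the supplicant blob carries, plus the state of the Wireless Zero Configuration service (WZCSVC), which on XP also hosts the wired 802.1x supplicant and is the reason the Authentication tab disappears when it is stopped. Assumptions: the EAPOL\Parameters key layout used by the deployment script, and that byte 12 of the per-interface "1" value is the EAP type, which is inferred only from the e0,19 patch that script applies (Microsoft does not document the blob). Run it with cscript on the client, or as a GPO startup script that writes to a log.

```vbscript
' Added example, not from the thread: audit XP 802.1x (EAPOL) settings.
' Assumption: byte 12 of the per-interface "1" blob is the EAP type
' (25 = PEAP, 13 = EAP-TLS, 4 = MD5), inferred from the deployment script.
Option Explicit

Const HKLM = &H80000002
Const EAPOL_BASE = "SOFTWARE\Microsoft\EAPOL\Parameters"
Const NET_CLASS = "SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}"
Const EAP_TYPE_OFFSET = 12   ' assumption, see header comment

Dim oReg, oWMI, oSvc, aGuids, sGuid, aBlob, lMode, lAuth, sName, sState

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
Set oWMI = GetObject("winmgmts:\\.\root\cimv2")

' 1. On XP the 802.1x supplicant runs inside Wireless Zero Configuration
'    (service name WZCSVC); with it disabled, no EAPOL settings take effect.
sState = "(service not found)"
For Each oSvc In oWMI.ExecQuery("SELECT State, StartMode FROM Win32_Service WHERE Name='WZCSVC'")
    sState = oSvc.State & " (start mode " & oSvc.StartMode & ")"
Next
WScript.Echo "WZCSVC: " & sState

' 2. Global supplicant settings. StdRegProv methods return 0 on success.
If oReg.GetDWORDValue(HKLM, EAPOL_BASE & "\General\Global", "SupplicantMode", lMode) <> 0 Then lMode = "(not set)"
If oReg.GetDWORDValue(HKLM, EAPOL_BASE & "\General\Global", "AuthMode", lAuth) <> 0 Then lAuth = "(not set)"
WScript.Echo "SupplicantMode=" & lMode & "  AuthMode=" & lAuth

' 3. Per-interface settings: every subkey under Interfaces is a NIC GUID.
If oReg.EnumKey(HKLM, EAPOL_BASE & "\Interfaces", aGuids) <> 0 Or IsNull(aGuids) Then
    WScript.Echo "No per-interface EAPOL settings found."
    WScript.Quit 1
End If

For Each sGuid In aGuids
    ' Friendly connection name ("Local Area Connection") for the GUID.
    If oReg.GetStringValue(HKLM, NET_CLASS & "\" & sGuid & "\Connection", "Name", sName) <> 0 Then sName = "(unknown)"
    If oReg.GetBinaryValue(HKLM, EAPOL_BASE & "\Interfaces\" & sGuid, "1", aBlob) <> 0 Or IsNull(aBlob) Then
        WScript.Echo sName & " " & sGuid & ": no '1' value (802.1x never configured here)"
    ElseIf UBound(aBlob) < EAP_TYPE_OFFSET Then
        WScript.Echo sName & " " & sGuid & ": blob too short (" & (UBound(aBlob) + 1) & " bytes)"
    Else
        WScript.Echo sName & " " & sGuid & ": EAP type " & EapName(aBlob(EAP_TYPE_OFFSET))
    End If
Next

' IANA EAP method type numbers for the methods XP can use.
Function EapName(b)
    Select Case b
        Case 25: EapName = "25 (PEAP)"
        Case 13: EapName = "13 (EAP-TLS)"
        Case 4:  EapName = "4 (MD5-Challenge)"
        Case Else: EapName = b & " (unknown)"
    End Select
End Function
```

A NIC reported with "no '1' value" is exactly the case that makes the deployment script's RegRead fail: the supplicant has never stored settings for that interface, so there is nothing to patch until the Authentication tab has been visited once or the value is created some other way. Compare the reported SupplicantMode and AuthMode against what your GPO is supposed to set before assuming a switch-side problem.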

Aaron, send me the script you used for the 1st step.
chinthaka
April 22nd, 2008 9:49am

JTFGTMO, could you please send a copy of the script that will change wired devices to PEAP ... jamdalz@hotmail.com
July 17th, 2008 8:16pm

