Re: Enable / Disable 802.1x with some script by Gary
Gary
Tue Apr 05 09:19:16 CDT 2005
It's funny how these things come about, but I too have been working on 802.1x
configuration.
I was frustrated to find no hook into WMI to manage 802.1x, and also no
ability to manage it via GPO for wired Ethernet connections.
I will share with you where I'm up to; hopefully some of it will be useful, as
the enabling and disabling seem to be working. I'm just working on the
configuring 1x part now.
My test machine has two network cards.
Microsoft lists the network interfaces at this reg key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces
Because only one of my network cards supports 802.1x, the key below only lists
one of my interfaces
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\
REG_SZ_interfacelist
The script is configured to read the interfacelist, pull out the interface
ID and then edit the 802.1x settings for that interface. The settings seem
to be stored as a binary value here
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\{interfaceid}\1
The script will then read that data into an array, edit that information and
set the information back into the registry.
Before you get started go to this location in your registry and take a backup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces
Here is the code; beware of any word wraps
// SNIP //
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
strValue = ""
Set StdOut = WScript.StdOut
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
' InterfaceList names the interface(s) that support 802.1x, as "\DEVICE\{guid}"
strKeyPath = "SOFTWARE\Microsoft\EAPOL\Parameters\General"
oReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,"InterfaceList",strValue
If (strValue = "") Then
    Call DoInterfaceFailure
Else
    Call DoInterfaceSuccess
    ' Call Debug
End If
Set oReg = Nothing

Sub DoInterfaceSuccess()
    ' Strip the "\DEVICE\" prefix to get the interface subkey name
    strValue = Replace(strValue, "\DEVICE\", "")
    StdOut.WriteLine "strValue= " & strValue
    strKeyPath = "SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\" & strValue
    StdOut.WriteLine "strKeyPath= " & strKeyPath
    strValueName = "1"
    'Define byte array
    Dim bArray
    'Fill array with values of the key;
    'array elements start from 0 and up,
    'so I need to change bArray(2) element's value
    oReg.GetBinaryValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,bArray
    'For Debug loop the output of the array
    LineNum=0
    For i = lBound(bArray) to uBound(bArray)
        ' Output the Array in Hex
        ' Wscript.Echo LineNum & "=" & Hex(bArray(i))
        ' Output the Array in Dec
        Wscript.Echo LineNum & "=" & bArray(i)
        LineNum=LineNum+1
    Next
    'Changing the data in the array
    '11 byte = Hex(40) = Dec(64) = 802.1x Disabled
    ' = Hex(80) = Dec(128) = 802.1x Enabled
    ' = Hex(c0) = Dec(192) = 802.1x Enabled With Authenticate as Computer
    ' = Hex(e0) = Dec(224) = 802.1x Enabled With Authenticate as Computer & Authenticate as Guest
    bArray(11) = 192
    '12 byte = Hex(04) = Dec(4) = MD5-Challenge
    ' = Hex(19) = Dec(25) = Protected EAP (PEAP)
    ' = Hex(0D) = Dec(13) = Smart Card or other Certificate
    'bArray(12) = 25
    '124 byte = Hex(00) = Dec(0) = Disable Fast Reconnect
    ' = Hex(01) = Dec(1) = Enable Fast Reconnect
    'bArray(124) = 0
    '136 byte = Hex(17) = Dec(23) = PEAP Properties Disable Validate Server Certificate
    ' = Hex(15) = Dec(21) = PEAP Properties Enable Validate Server Certificate, Disable Connect to these servers
    ' = Hex(11) = Dec(17) = PEAP Properties Enable Validate Server Certificate, Enable Connect to these servers
    'bArray(136) = 23
    '154 byte = Hex(0d) = Dec(13) = Smart Card Authentication Method
    ' = Hex(1a) = Dec(26) = Secured Password (EAP-MSCHAP v2)
    'bArray(154) = 26
    'For Debug loop the output of the array after changing
    LineNum=0
    For i = lBound(bArray) to uBound(bArray)
        ' Output the Array in Hex
        ' Wscript.Echo LineNum & "=" & Hex(bArray(i))
        ' Output the Array in Dec
        Wscript.Echo LineNum & "=" & bArray(i)
        LineNum=LineNum+1
    Next
    'Write information back
    ' Debug Registry Key
    'oReg.SetBinaryValue HKEY_LOCAL_MACHINE, "Software", "BinaryTest2", bArray
    'Live Registry Key
    oReg.SetBinaryValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, bArray
End Sub

Sub Debug()
    StdOut.WriteLine strValue
End Sub

' Defined once only: VBScript refuses to run a script that declares the same Sub twice
Sub DoInterfaceFailure()
    StdOut.WriteLine "No Interface Found"
End Sub
// SNIP
Check this key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\interfacelist
If this has more than one device the script won't work; if someone is
willing to rewrite this part of the code to pull each deviceid back into an
array I would appreciate it.
Read it through; it's not going to change the data unless you uncomment the
bArray(x) = DEC lines, but configuring bytes 11 & 12 seems to work well.
Hope it's of some use
Best Regards
Gary
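As an added example (not Gary's script, and not Microsoft code), here is a Python audit of the same InterfaceList value and per-interface settings blob, run offline on constructed bytes: it pulls every \DEVICE\{guid} entry out of InterfaceList, which the post asks for, and flags the byte 11/12/136 combinations a defender would not want to see (802.1x off, guest authentication, EAP-MD5, PEAP with server certificate validation disabled). The offsets and values are the ones the post documents; that InterfaceList may hold several \DEVICE\ entries in one string is an assumption.

```python
import re

# Offsets and values are the ones documented in the post above; every
# other byte of the blob is opaque and must be written back unchanged.
OFF_MODE, OFF_EAP, OFF_PEAP_PROPS = 11, 12, 136
MODES = {64: "disabled", 128: "enabled",
         192: "enabled, authenticate as computer",
         224: "enabled, authenticate as computer and as guest"}
PEAP_NO_SERVER_VALIDATION = 23  # byte 136: "Disable Validate Server Certificate"

# InterfaceList entries look like "\DEVICE\{guid}" (assumption: several
# entries may appear in one string; the post's script handles only one).
GUID_RE = re.compile(r"\\DEVICE\\(\{[0-9A-Fa-f-]{36}\})")

def parse_interface_list(interface_list):
    """Return every interface GUID named in the InterfaceList string."""
    return GUID_RE.findall(interface_list)

def audit(blob):
    """Flag weak 802.1x settings in one interface's settings blob."""
    if len(blob) <= OFF_PEAP_PROPS:
        raise ValueError("settings blob shorter than the documented layout")
    findings = []
    mode, eap = blob[OFF_MODE], blob[OFF_EAP]
    if mode not in MODES:
        findings.append("unknown mode byte 0x%02x, leave the value alone" % mode)
    elif mode == 64:
        findings.append("802.1x disabled")
    elif mode == 224:
        findings.append("guest authentication allowed")
    if mode != 64 and eap == 4:  # byte 12 = MD5-Challenge
        findings.append("EAP-MD5: no server authentication")
    if mode != 64 and eap == 25 and blob[OFF_PEAP_PROPS] == PEAP_NO_SERVER_VALIDATION:
        findings.append("PEAP without server certificate validation")
    return findings

def set_mode(blob, mode):
    """Return a copy of the blob with byte 11 set to a documented mode value."""
    if mode not in MODES:
        raise ValueError("unsupported mode value %d" % mode)
    out = bytearray(blob)
    out[OFF_MODE] = mode
    return bytes(out)

# Constructed sample: a 160-byte blob with 802.1x enabled for PEAP but
# server certificate validation switched off (byte 136 = 23).
SAMPLE = bytearray(160)
SAMPLE[OFF_MODE], SAMPLE[OFF_EAP], SAMPLE[OFF_PEAP_PROPS] = 192, 25, 23
SAMPLE = bytes(SAMPLE)
```

On a real machine the blob would come from StdRegProv.GetBinaryValue exactly as in the script above, and set_mode's output would go back with SetBinaryValue; audit first, then write.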
"T S" wrote:
> Hi Ato,
>
> Thank you very much for your valuable suggestion. Regarding our
> organization - unfortunately they don't have any standardized solution for
> the network cards. The problem gets complicated by the fact that we not only
> have to enable / disable 802.1x on wireless cards, but also on normal
> Ethernet cards. I was really kinda hoping that someone out there might
> suggest some WMI based solution for that. It seems like Microsoft has not
> provided this option in WMI, how annoying! So the only possibility they have
> offered is to use the GUI based tool to enable or disable 802.1x on the
> network cards.
>
> So if you know something in this regard, I'll really be very grateful.
>
> Best regards,
> TS
>
> "Ato Bisda" <atobisda@gmail.com> wrote in message
> news:OuM8aKTOFHA.3444@tk2msftngp13.phx.gbl...
> > Hello T S,
> >
> > I've been able to see network card configuration settings in the following
> > registry key:
> >
> >
> > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
> >
> > Each network card in your machine will have a 4-digit number subkey under
> > the above key. You have to cycle through each subkey and look for your
> > wireless card searching for the string "wireless" in the registry value
> > "DriverDesc". NOTE that if there were multiple wireless cards installed,
> > each card would have its own subkey so you will need to cycle through all
> > the subkeys. (BTW, this subkey list contains other stuff besides NIC card
> > drivers like miniports, parallel ports, virtual network drivers, etc).
> >
> > Now comes the hard part. NIC vendors do not seem to follow a standard in
> > terms of naming/encoding their config settings. In my notebook, I have a
> > Linksys 802.11G adapter and I have a registry value called "WEPEnabled".
> > Setting this value to "0" should disable WEP authentication.
> >
> > NOTE that your wireless NIC card might be using a different name for the
> > WEP-setting registry value.
> >
> > Hopefully, your organization has standardized on a wireless card vendor so
> > your wireless card setting values will be named consistently.
> >
> > "T S" <shafi@sit.fhg.de> wrote in message news:425158fa$1@news.fhg.de...
> > > Hi everyone,
> > >
> > > I have been searching the answer to my question for a very long time now,
> > > but there is no solution in sight. So here is my problem:
> > >
> > > I want to enable / disable 802.1x Authentication on network adaptors using
> > > some sort of automation (some script / program). Does anyone out there knows
> > > a solution for that?
> > >
> > > I'll highly appreciate any helpful suggestions or pointers. Thanks in
> > > Advance.
> > >
> > > T. Shafi