SCCM 2012 - 802.1x authentication for zero touch installation
Hi guys,
I'm setting up a demo environment for SCCM 2012. Our customer has the requirement to enforce 802.1x authentication (username & password without certificates) on the network. So I need an 802.1x integration into the WinPE image, so that clients can access the install VLAN instead of the guest VLAN during the zero touch Windows 7 OS install process.
What I did before:
- mount the SCCM modified WinPE image (boot.XXX99999.wim)
- integration of the KB972831 hotfix into the WinPE
- creation of a lan profile and eap profile file
- copy both files into the mounted image
- creation of new wim file
I've booted the boot wim via a usb stick to test the 802.1x integration with the following commands:
net start dot3svc
=> The Wired AutoConfig service was started successfully
netsh lan add profile filename="X:\8021x\Local Area Connection.xml " interface="Local Area Connection"
=> The profile was added successfully on the interface Local Area connection
netsh lan set eapuserdata filename=x:\8021x\Wired-WinPE-UserData-PEAP-MSChapv2.xml allusers=yes interface="Local Area Connection"
=> Error setting user data for interface Local Area Connection. The operation is not supported.
Actually I can't post web links here. If the files are needed I can send them per mail.
What can I do to solve this problem?
Thanks!
Regards
Bastian
Hi!
Did you have a look at this website: http://myitforum.com/cs2/blogs/lakey81/archive/2011/07/06/configuring-802-1x-network-authentication-for-winpe-3-0-and-configmgr-deployments.aspx
I've followed those steps and it worked like a charm, even for WinPE 4.0.
If you have questions let me know.
Cheers.
Similar Messages
-
Hi,
We are planning to go one level higher to automate and have more dynamic Software Update Management for Windows Servers. We have SCCM 2012 R2, SCOM 2012 R2 and SCO 2012 R2.
Our plan is to put servers in an AD group to get an update schedule, from there the servers will be imported to a collection for automatic update and reboot. If I understand everything right, SCOM can't read an AD group and then put them in a scheduled maintenance mode. SCOM can read a reg value, for example.
Is there any smart way to make the SCOM Maintenance Mode Schedule dynamic?
I found this
http://www.scom2k7.com/scom-2012-maintenance-mode-scheduler/?
/SaiTech
You could use Orchestrator to put the servers from a specific collection, or AD group, in maintenance mode in SCOM. For an example see:
http://www.systemcentercentral.com/orchestrator-how-to-scom-maintenance-mode-for-windows-computers-in-an-sccm-collection/
My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude
-
SCCM 2012 NO SP - Reporting for application deployments not up to date
Hello,
We have a problem when deploying applications with our SCCM 2012 NO SP.
The reports for the application deployments and sup deployment are not up to date.
The applications have been deployed on the clients but the information is not in sccm servers.
The reporting for the package deployment is working correctly.
Do you have an idea?
Thanks
Hi,
How are things going? Please let us know if there is any progress.
Regards.
-
802.1x Authentication for University Network Fails After 10.5.5 Update
Hi everyone, I hope that someone might be able to help me with my problem. I used to connect to the internet through my university's network at my dorm using the ethernet connection. Even before when I was using 10.5.4 I had to do the 802.1x authentication manually after every boot.
Now that I updated to 10.5.5, every time I try to connect it tells me "802.1x Authentication has failed". Does anyone have similar problems or solutions? This is everything the IT department's homepage has to offer: http://www.unibz.it/ict/8021x_mac1/index.html?LanguageID=EN&
Thanks a lot!
Btw, it seems the update somehow messed up Time Machine as well, but that doesn't bother me as much as the internet connection.
Hi,
You probably need to install a root certificate into your Mac's system keychain so that your Mac knows it can trust the University's Certificate Authority (CA).
They should be able to provide you with a file for the CA and instructions.
cheers
-
802.1x authentication for win XP2 client
HI,
I am using an Aironet 1200 AP and ACS 3.3 with 802.1x authentication. When I enable the Win XP utility instead of Cisco ACU, it waits for certificate credentials.
I installed a CA authority on a Windows 2000 server, but I am unable to access the wireless network with 802.1x authentication.
Please help on this required configuration of CA role in server side and Client side.
-
SCCM 2012 Compliance 7 Customize for Total Updates Needed
I can't find a single report in SCCM 2012 that lists the total count of updates needed for each computer. This really irks me and many others as this and similar info was readily available with the old WSUS console. It also takes a lot more clicks to get the same info in SCCM (if SCCM even has it) as it did in WSUS. Anyway, I've decided to try to customize an existing report. I made a copy of "Compliance 7 - Computers in a specific compliance state for an update group (secondary)".
Try as I might, I can't get the query to work right to create a field for number of updates required for each computer. I'd really like columns for Failed/Needed/Applied but I'll start with just Needed. Why they got rid of this in SCCM reporting baffles me.
I have several SQL queries that pull this info for needed patches when run in Management Studio but I can't get them to work in a SCCM Report. Does anyone know how to do this?
Ben JohnsonWY
I'm looking at Compliance 1, 5, and 7. The closest to what I want is Compliance 7 but with a new column for "Required Updates". I have that column made but it's not populated. I have a "Required Updates" Dataset now inside this custom report. BUT the row of info in the table (computer name, last logon, etc) only lets you select fields from Dataset0. Where I'm stuck is how to get the "Required_Updates" field from the "Required Updates" dataset to appear in Dataset0.
I've spent a big chunk of time trying to get the code from the two queries merged but I can't get it to work. The other option is to somehow get the field to appear in the row's field selection list (ie, read field from both datasets).
Oh, and when I followed your steps above, I got the report created but it throws an "error during processing" error when I run it.
Ben JohnsonWY
-
SCCM 2012 SP1 and SCEP for Mac
Hello all,
We have SCCM 2012 SP1 with SCEP installed and working well for Windows clients.
A request came to me that we have the roughly 10ct Mac computers protected by EndPoint and reporting through SCCM.
Is this possible with what I have now?
Please let me know if you have any clues for me.
Many thanks!
Hi,
There is no way to push the SCCM Mac Client to a Mac computer; you have to install it manually. There are scripts available on blogs that can assist, but you still have to run those scripts manually as well.
The System Center Endpoint Protection client for Mac is indeed a separate download on the volume licensing site. It is not managed through SCCM; it is a standalone antivirus software which downloads its definition files directly from the internet. So there is no way to manage it centrally.
I hope that answered your questions.
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter @ccmexec
-
SCCM 2012 "hardware inventory classes" for AppV?
Hi, I would like to get a better view of what App-V application issues we have on App-V 4.6.2 in a user-centric deployment scenario.
I also see that SCCM 2012 "hardware inventory classes" "Appv Client Applications" is not set and not all is activated under "Virtual Applications".
I would also like our support to get a better view if a user calls and says they don't get an App-V 4.62 required deployment.
So what "hardware inventory classes" do I need to activate to get App-V deployment and launch status?
/SaiTech
Are you saying the class exists in SCCM 2012 for you but is not applied to all of your virtual applications, or that it's there and can't be applied, or that the option isn't in SCCM for you at all?
PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon
-
What does SCCM 2012 use its ComputerAccount$ for?
After a fresh install of SCCM 2012 SP1. Single server single site with a local SQL 2012 install.
(This is my first time setting up 2012 and I was trying to do it textbook.)
I started getting alerts on my domain controllers.
No, I have not done a client push yet but I have set up discovery.
Here is the error.
EVENT LOG
Security
EVENT TYPE
Audit Failure
SOURCE
Microsoft-Windows-Security-Auditing
CATEGORY
File Share
EVENT ID
5140
COMPUTERNAME
DC04
DATE / TIME
3/02/2014 9:52:13 am
MESSAGE
A network share object was accessed. Subject: Security ID: DOMAIN\SCCM$ Account Name: SCCM$ Account Domain: DOMAIN Logon ID: Network Information: Object
Type: File Source Address: My Sccm Server IP Source Port: 52442 Share Information: Share Name:
\\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory)
Got these on my 3 DCs around the same time. Since these are DCs, do I have to grant the computer account domain admin access?
All services in ConfigMgr run as the local System account of the server that they are on. The local System account in turn uses the computer's AD account to access any network resources. There are multiple processes within ConfigMgr that try to access remote resources. Based on the message you have above, I would say this is coming from automatic (or manual) client push as this attempts to connect to the admin$ share.
Jason | http://blog.configmgrftw.com
-
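A triage sketch for the audit events discussed in this thread, added here as an example and not taken from the original posts: it parses the flattened Event 5140 message text and separates admin-share access by a known ConfigMgr site server (the client push case described in the answer) from access that needs a look. The allowlist, account names, addresses and sample messages are constructed assumptions.

```python
import re

# Assumption: computer accounts of ConfigMgr site servers and the addresses
# they connect from. Names and IPs are constructed for this example.
SITE_SERVERS = {"SCCM$": {"10.0.0.25"}}
ADMIN_SHARES = {"ADMIN$", "C$"}

FIELDS = {
    "account": r"Account Name:\s*(\S+)",
    "source": r"Source Address:\s*(\S+)",
    "share": r"Share Name:\s*(\S+)",
    "mask": r"Access Mask:\s*(0x[0-9A-Fa-f]+)",
}

# Constructed message in the same flattened layout as the event quoted above.
TEMPLATE = (
    r"A network share object was accessed. Subject: Security ID: DOMAIN\{account} "
    r"Account Name: {account} Account Domain: DOMAIN Logon ID: 0x3E7A1 "
    r"Network Information: Object Type: File Source Address: {source} Source Port: 52442 "
    r"Share Information: Share Name: \\*\{share} Share Path: \??\C:\Windows "
    r"Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory)"
)
SAMPLES = [
    TEMPLATE.format(account="SCCM$", source="10.0.0.25", share="ADMIN$"),
    TEMPLATE.format(account="WKS0142$", source="10.0.7.91", share="ADMIN$"),
    TEMPLATE.format(account="jdoe", source="10.0.7.91", share="ADMIN$"),
    TEMPLATE.format(account="SCCM$", source="10.0.0.25", share="SYSVOL"),
]

def parse_5140(message):
    """Pull the fields of interest out of a flattened Event 5140 message."""
    event = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, message)
        event[name] = match.group(1) if match else None
    if event["share"]:
        # Keep only the share name: \\*\ADMIN$ becomes ADMIN$
        event["share"] = event["share"].rsplit("\\", 1)[-1].upper()
    if event["mask"]:
        event["mask"] = int(event["mask"], 16)
    return event

def classify(event):
    """Label an event so expected client push noise is separated from the rest."""
    account, share = event["account"], event["share"]
    if account is None or share is None:
        return "unparsed"
    if share not in ADMIN_SHARES:
        return "ignore"
    if not account.endswith("$"):
        return "review: user account on admin share"
    allowed = SITE_SERVERS.get(account.upper())
    if allowed and event["source"] in allowed:
        return "expected: ConfigMgr client push"
    return "investigate: unknown computer account on admin share"

if __name__ == "__main__":
    for message in SAMPLES:
        event = parse_5140(message)
        print(event["account"], event["source"], event["share"], "->", classify(event))
```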
Cisco ISE 1.3 using 802.1x Authentication for wireless clients
Hi,
I have stumbled into a strange issue trying to authenticate a user over wireless. I am using PEAP as the authentication protocol. I have configured my authentication and authorization policy but when I come to authenticate the authorization policy selected is the default which denies access.
I have used the 802.1x compound conditions for matching the machine authentication and then the user authentication
MACHINE AUTHENTICATION
match
framed
Wireless
AD group (machine)
USER AUTHENTICATION
match
framed
Wireless
AD group (USER)
was authenticated = true
Below are the steps taken to authenticate; any ideas would be great.
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15006 Matched Default Rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence
15013 Selected Identity Source - AD1
24430 Authenticating user against Active Directory
24325 Resolving identity
24313 Search for matching accounts at join point
24315 Single matching account found in domain
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
24423 ISE has not been able to confirm previous successful machine authentication
15036 Evaluating Authorization Policy
15048 Queried PIP
15048 Queried PIP
24432 Looking up user in Active Directory - xxx\zzz Support
24355 LDAP fetch succeeded
24416 User's Groups retrieval from Active Directory succeeded
15048 Queried PIP
15048 Queried PIP
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario
24423 ISE has not been able to confirm previous successful machine authentication
Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
First thing to check is whether MAR has been enabled on the identity source. Second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at but I'd do those two first.
Log off and on or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there.
-
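The reading of the step log given in the answer above can be automated; the following is an added example, not part of the original thread. It parses the "code message" lines, reports whether the reject happened at authentication or authorization, and flags step 24423. The sample excerpt is constructed from step codes that appear in the posted log, and the function names are this example's own.

```python
import re

STEP = re.compile(r"^\s*(\d{4,5})\s+(.*\S)\s*$")

# Constructed excerpt in the format of the log above; only step codes that
# appear in the original post are used.
SAMPLE_LOG = """\
11001 Received RADIUS Access-Request
12318 Successfully negotiated PEAP version 0
11001 Received RADIUS Access-Request
15013 Selected Identity Source - AD1
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
11001 Received RADIUS Access-Request
24423 ISE has not been able to confirm previous successful machine authentication
15036 Evaluating Authorization Policy
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12306 PEAP authentication succeeded
11003 Returned RADIUS Access-Reject
"""

def parse_steps(text):
    """Return [(code, message)] for every 'NNNNN message' line; skip the rest."""
    return [(int(m.group(1)), m.group(2))
            for m in map(STEP.match, text.splitlines()) if m]

def _suffix(steps, code):
    """Text after ' - ' in the last step with this code, or None."""
    hits = [msg for c, msg in steps if c == code]
    return hits[-1].split(" - ", 1)[1] if hits and " - " in hits[-1] else None

def summarize(text):
    steps = parse_steps(text)
    codes = {code for code, _ in steps}
    passed = 22037 in codes      # Authentication Passed
    rejected = 11003 in codes    # Returned RADIUS Access-Reject
    summary = {
        "round_trips": sum(1 for code, _ in steps if code == 11001),
        "identity_source": _suffix(steps, 15013),
        "authentication_passed": passed,
        "machine_auth_unconfirmed": 24423 in codes,
        "authz_rule": _suffix(steps, 15004),
        "authz_profile": _suffix(steps, 15016),
        "failure_stage": None,
        "findings": [],
    }
    if rejected:
        summary["failure_stage"] = "authorization" if passed else "authentication"
    if rejected and passed:
        summary["findings"].append(
            "credentials accepted; rejected by rule %r -> profile %r"
            % (summary["authz_rule"], summary["authz_profile"]))
    if summary["machine_auth_unconfirmed"]:
        summary["findings"].append(
            "24423 logged: a rule requiring prior machine authentication will not match")
    return summary

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```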
SCCM 2012: application catalog asks for credentials
Hi,
Our application catalog was working fine for weeks. Now suddenly it asks for credentials, the sccm-server is added to trusted sites.
Please advise.
J.
Jan Hoedt
Disable it in client settings. Run a machine policy retrieval on an affected device. Confirm the policy run has completed in the policyevaluator.log. Check IE and confirm it's not trusted. Re-enable the setting and re-run the process. Check whether it works or not.
Also ensure that nothing in GPO is overwriting what you have set in client settings.
Cheers
Paul | sccmentor.wordpress.com
-
802.1x authentication for LAN base hosts
How can I get Cisco Secure Services Client (SSC) ?
What is the product code for the software and is it free or do we need a licence?
Could you please send me any information you happen to have on how it works and known design issues with the SSC?
Cheers,
Pubudu.
Cisco Secure Services Version 5.1 Product Data Sheet
https://www.cisco.com/en/US/prod/collateral/wireless/ps6442/ps7034/product_data_sheet0900aecd805081a7.html
-
SCCM 2012 with SCM - support for non-Windows?
Hello all,
As part of compliance configuration, I came across Microsoft's Security Compliance Manager 3.0 (latest version), mainly for compliance and remediation. But after going through their docs, I feel SCM is used only on Windows OS (clients or servers).
a] Does SCM support contact with non-Microsoft vendors to import security baselines?
b] Does SCM support audit, compliance and remediation on non-windows OS devices? (clients/servers)
Any help is greatly appreciated.
thanks
This is the wrong forum to ask Security Compliance Manager based questions, it doesn't have any straight relationship with ConfigMgr. Correct forum is here: http://social.technet.microsoft.com/Forums/en-US/home?forum=compliancemanagement
-
SCCM 2012 R2 Agent - Change Language after offline Installation from Agent
Hi there,
We install Windows 7 with an offline image and an integrated clean SCCM agent install.
But some machines, all in German, install the agent in English, but why?
As a short solution, is it possible to change the language to German?
With best regards
aaj
Examine ccmsetup.log and see if the German .mst is found and installed at all.
Torsten Meringer | http://www.mssccmfaq.de