How to enable computer-only authentication for a 802.1X-based network in Windows Vista, in Windows Server 2008, and in Windows XP Service Pack 3

View products that this article applies to.

Expand all | Collapse all

INTRODUCTION

This article discusses how to enable computer-only authentication for an 802.1X-based network in Windows Vista, in Windows Server 2008 and in Windows XP Service Pack 3 (SP3).

Note The netsh wlan command that is described in this article exists only in Windows Vista and in Windows Server 2008. The netsh lan command exists only in Windows Vista, in Windows Server 2008 and in Windows XP Service Pack 3. These commands do not exist in versions of Windows XP that are earlier than Windows XP Service Pack 3.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

949984 (http://support.microsoft.com/kb/949984/ ) Changes to the 802.1X-based wired network connection settings in Windows XP Service Pack 3

Windows Server 2003 and versions of Windows XP that are earlier than Windows XP SP3 store 802.1X computer and user authentication settings in the AuthMode registry entry in the following registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global

However, the AuthMode registry entry is not included in the following Windows operating systems:

Windows Vista
Windows Server 2008
Windows XP SP3

Note The AuthMode registry entry is valid for Windows XP SP3 wireless connections. However, the AuthMode registry entry is not valid for Windows XP SP3 wired 802.1X-based networks.

If computer-only authentication is configured in an environment that has Windows XP-based computers or Windows Server 2003-based computers, the settings are not applied to Windows Vista-based computers or to Windows Server 2008-based computers. To set the authentication mode in Windows Vista, in Windows Server 2008, or in Windows XP SP3, you must modify the 802.1X network profile.

To enable computer-only authentication for an 802.X-based network in Windows Vista and in Windows Server 2008 for a wired network connection and for a wireless network connection, or in Windows XP SP3 for a wired network connection, follow these steps:

Perform one of the following procedures, depending on whether you are using a wired or a wireless network connection.
- Wired network connection (on Windows Vista or Windows Server 2008)
  
  Create an 802.1X-based network profile on a wired network connection. To do this, follow these steps:
  1. Right-click the network connection icon in the notification area at the far right of the taskbar, and then click Network and Sharing Center.
  2. Under Tasks, click Manage Network Connections.
  3. Right-click the network connection that you want to configure, and then click Properties.
    
    Collapse this imageExpand this image
    If you are prompted for an administrator password or confirmation, type your password or click Continue.
  4. Click the Authentication tab, specify the settings that you want, and then click OK.
- Wireless network connection (on Windows Vista, Windows Server 2008, or Windows XP SP3)
  
  Create an 802.1X-based network profile on a wireless network connection. To do this, follow these steps:
  1. Right-click the network connection icon in the notification area at the far right of the taskbar, and then click Network and Sharing Center.
  2. Under Tasks, click Manage Wireless Networks.
  3. Click Add. The Wireless Network Wizard starts.
  4. Follow the instructions that are displayed on the screen to create a wireless network profile.
Export the network profile information to an XML file. To do this, follow these steps:
1. Click Start
  Collapse this imageExpand this image
  , type cmd in the Start Search box, right-click cmd in the Programs list, and then click Run as administrator.
  
  Collapse this imageExpand this image
  If you are prompted for an administrator password or confirmation, type your password or click Continue.
2. At the command prompt, type one of the following lines, depending on whether you are using a wired or a wireless network connection, and then press ENTER.
  
  Note Windows XP SP3 and earlier versions of Windows XP do not support the netsh wlan command.
  - If you are using a wired network connection, type the following line:
    netsh lan export profile folder=c:\
  - If you are using a wireless network connection, type the following line:
    netsh wlan export profile folder=c:\
Modify the network profile in the XML file to specify computer-only authentication. To do this, follow these steps:
1. Start Notepad, and then open the XML file.
2. In the XML file, locate the section that contains the OneX settings. The following is an example of this section:
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"> <authMode>machineOrUser</authMode> <EAPConfig>...</EAPConfig> </OneX>
3. Modify the <authMode> line as follows:
  <authMode>machine</authMode>
  The following is an example of the section that contains the OneX settings after it is modified:
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"> <authMode>machine</authMode> <EAPConfig>...</EAPConfig> </OneX>
4. Save, and then close the XML file.
Add the network profile that you modified. To do this, type one of the following lines at the command prompt, depending on whether the network profile is for a wired or a wireless network connection. Then, press ENTER.
- If the network profile is for a wired network connection, type the following line:
  netsh lan add profile filename=PathofXMLFile
- If the network profile is for a wireless network connection, type the following line:
  netsh wlan add profile filename=PathOfXMLFile

The AuthMode registry entry is only valid for Windows XP SP3 wireless network connections. The following table lists the authentications mode for each value of the AuthMode registry entry.

Collapse this tableExpand this table

Value	Authentication mode
0	Use the default Windows XP authentication
1	Always perform user authentication when a user logs on
2	Perform computer authentication only

To set the value of the AuthMode registry entry for Windows XP SP3 wireless connections, follow these steps:

Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
Double-click AuthMode, type the authentication mode in the Value box, and then click OK.
Exit Registry Editor.
Restart the computer.

The authMode (OneX) element specifies the type of credentials that are used for authentication. The following table describes the values that the authMode (OneX) element uses.

Collapse this tableExpand this table

Value	Description
machineOrUser	Use computer-only credentials or user-only credentials. When a user is logged on, the user's credentials are used for authentication. When no user is logged on, computer-only credentials are used for authentication.
machine	Use computer-only credentials.
user	Use user-only credentials.
guest	Use guest-only credentials.

For more information about the authMode (OneX) element, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms706279.aspx (http://msdn2.microsoft.com/en-us/library/ms706279.aspx)

For more information about new networking features in Windows Server 2008 and in Windows Vista, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/bb726965.aspx (http://technet.microsoft.com/en-us/library/bb726965.aspx)