Windows 7, RDP and 802.1x authentication - 小众知识


2013-01-27 14:18:05, posted by 苏内容
  Tags: PEAP/WIFI

If I connect to my computer with RDP, the 802.1x authenticated network disconnects, and therefore also my RDP connection. Windows 7 Professional x64. 802.1x Auth is over LAN/RJ45 so no wlan issues.


What is the system of the Remote Desktop client computer? If it is Windows XP, you may look at this:

Wireless LAN Support in Windows: Frequently Asked Questions
http://technet.microsoft.com/en-us/network/dd727529.aspx

Q. Do Remote Desktop connections work to Windows wireless clients that use 802.1X authentication?

A. Not at this time. All 802.1X-based wireless connections are affected, including those using EAP-TLS or PEAP-MS-CHAP v2. Connections using a static WEP key or WPA-PSK are not affected. Microsoft has addressed this issue in Windows Vista and Windows Server 2008.

If you want to work around this,

The xp sp3 802.1x authenticated pc network is down when use remote desktop connection tools
http://social.technet.microsoft.com/Forums/en/winserverNAP/thread/962e1642-6b09-4b38-ac29-fdc3d90caee3


Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.



I had the same problem, only difference is that I run Windows 8 (x64)

I think I found a solution for 802.1x protected wired networks using PEAP where you have to authenticate yourself using EAP-MSCHAP v2 (i.e. you log in with a username and a password). But I think that this could work for other scenarios as well with a few modifications.

For the steps in the solution I assume the following: (Adjust the commands with the names that apply to your system)

  • You have configured an Ethernet network controller to support 802.1x authentication by following the steps described here: http://windows.microsoft.com/en-sg/windows-vista/enable-802-1x-authentication
    The name of the network controller that connects to the protected network is called Ethernet
  • You have created an XML-file with the login credentials for your network. The file follows the schema definition for Eap User credentials (Example further down). This file has been saved as EapUserData.xml
  • You have opened a command line window with administrative rights and have navigated to the directory where you save the credentials file (EapUserData.xml)

Example for a Eap Credentials file: (You'll probably only want to change the username and password)

<?xml version="1.0"?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
  <EapMethod>
    <eapCommon:Type>25</eapCommon:Type>
    <eapCommon:AuthorId>0</eapCommon:AuthorId>
  </EapMethod>
  <Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1" xmlns:MsPeap="http://www.microsoft.com/provisioning/MsPeapUserPropertiesV1" xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
    <baseEap:Eap>
      <baseEap:Type>25</baseEap:Type>
      <MsPeap:EapType>
        <baseEap:Eap>
          <baseEap:Type>26</baseEap:Type>
          <MsChapV2:EapType>
            <MsChapV2:Username>SomeMysticalUser</MsChapV2:Username>
            <MsChapV2:Password>SomeMysticalPassword</MsChapV2:Password>
            <MsChapV2:LogonDomain></MsChapV2:LogonDomain>
          </MsChapV2:EapType>
        </baseEap:Eap>
      </MsPeap:EapType>
    </baseEap:Eap>
  </Credentials>
</EapHostUserCredentials>

Follow the following steps:

  1. Since you are currently reading this, it is assumed that you are currently connected to and authenticated in your protected network. Execute the following command to delete your current 802.1x user profile.
    netsh lan delete profile interface=Ethernet
  2. A dialog will probably pop up asking you to provide login credentials which you have just deleted. Press Cancel. As a result you should now be disconnected from the internet or at least the status of the Ethernet network controller should read something like: "Authentication failed"
    Repeat this step anytime the dialog pops up during the next steps.
  3. Since we deleted the profile for LAN-authentication, Windows has just created a new profile for the Ethernet network controller with the default settings. Change these settings to usermode only using the following command:
    netsh lan set profileparameter authMode=userOnly interface=Ethernet
  4. Now, set the user credentials for the connection by getting netsh to parse your credentials XML-file. Use the following command:
    netsh lan set eapuserdata allusers=no filename=EapUserData.xml interface=Ethernet
    Note that we specify the parameter allusers and set it to "no". For some reason we have to first set the credentials for the current user only and then have to set it for all users. After this step you should be connected to and authenticated in your protected network again.
  5. Finally, set the EAP user data to be used for all users using the following command:
    netsh lan set eapuserdata allusers=yes filename=EapUserData.xml interface=Ethernet

All users on your local computer (as well as users that log onto the local computer from a remote location) should now be able to login to the network using the provided authentication.

In Windows 8 for example, you will (hopefully) notice that the network connection icon on the login screen shows the status Connected even before any user is logged in. I assume this is because the parameter allusers also includes NT-Authority and System accounts.
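The following PowerShell script is an added example and is not part of the thread above or of any Microsoft documentation. It automates the five netsh steps from the answer and generates the EapUserData.xml file shown earlier in the same shape (PEAP, EAP type 25, with inner EAP-MSCHAPv2, type 26). It assumes the interface is named Ethernet, that the script runs from an elevated PowerShell prompt, and that `netsh lan show profiles` is acceptable as a final check. Two points the answer leaves to the reader are handled explicitly: the username and password are XML-escaped, so a password containing `&` or `<` does not produce a malformed file, and the file, which holds the password in clear text, is written to the temp directory and removed again as soon as netsh has imported it.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted version of the netsh procedure from the answer above.
# Assumed names: interface "Ethernet", file EapUserData.xml in $env:TEMP.
param(
    [string]$InterfaceName = 'Ethernet',
    [string]$LogonDomain   = ''
)

# Ask for the account interactively rather than keeping it in the script.
$cred  = Get-Credential -Message 'Account for 802.1X (PEAP / EAP-MSCHAPv2) authentication'
$plain = $cred.GetNetworkCredential()

# Escape &, <, >, " and ' so special characters in the password cannot break the XML.
$user   = [System.Security.SecurityElement]::Escape($plain.UserName)
$pass   = [System.Security.SecurityElement]::Escape($plain.Password)
$domain = [System.Security.SecurityElement]::Escape($LogonDomain)

# Same structure as the EapUserData.xml example in the answer (type 25 = PEAP, 26 = MS-CHAPv2).
$xml = @"
<?xml version="1.0"?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
  <EapMethod>
    <eapCommon:Type>25</eapCommon:Type>
    <eapCommon:AuthorId>0</eapCommon:AuthorId>
  </EapMethod>
  <Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1" xmlns:MsPeap="http://www.microsoft.com/provisioning/MsPeapUserPropertiesV1" xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
    <baseEap:Eap>
      <baseEap:Type>25</baseEap:Type>
      <MsPeap:EapType>
        <baseEap:Eap>
          <baseEap:Type>26</baseEap:Type>
          <MsChapV2:EapType>
            <MsChapV2:Username>$user</MsChapV2:Username>
            <MsChapV2:Password>$pass</MsChapV2:Password>
            <MsChapV2:LogonDomain>$domain</MsChapV2:LogonDomain>
          </MsChapV2:EapType>
        </baseEap:Eap>
      </MsPeap:EapType>
    </baseEap:Eap>
  </Credentials>
</EapHostUserCredentials>
"@

# Write UTF-8 without BOM; the file contains the clear-text password, so keep its lifetime short.
$file = Join-Path $env:TEMP 'EapUserData.xml'
[System.IO.File]::WriteAllText($file, $xml)

try {
    # Step 1: delete the current 802.1X profile (press Cancel if a credential dialog appears).
    netsh lan delete profile interface="$InterfaceName"
    # Step 3: Windows has recreated a default profile; switch it to user-only authentication.
    netsh lan set profileparameter authMode=userOnly interface="$InterfaceName"
    # Step 4: import the credentials for the current user first ...
    netsh lan set eapuserdata allusers=no  filename="$file" interface="$InterfaceName"
    # Step 5: ... and then for all users, so RDP logons and the logon screen can authenticate.
    netsh lan set eapuserdata allusers=yes filename="$file" interface="$InterfaceName"
}
finally {
    # Remove the clear-text credentials file and drop the password from memory.
    Remove-Item -Path $file -Force -ErrorAction SilentlyContinue
    $pass = $null; $plain = $null
}

# Final check: the profile for the interface should now list userOnly authentication.
netsh lan show profiles interface="$InterfaceName"
```

Run it as `.\Set-Eap8021xUser.ps1 -InterfaceName Ethernet` (the script name is an assumption). If the credential dialog from step 2 of the answer appears while the script runs, cancel it as the answer describes; the script does not suppress that dialog.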


Further reading