//set actual interfaces set interfaces interface-range ACCESS_PORTS member "ge-0/0/[0-40]" // Config interface range as L2 ports set interfaces interface-range ACCESS_PORTS unit 0 family ethernet-switching set protocols dot1x authenticator authentication-profile-name dynamicvlan set protocols dot1x authenticator radius-options use-vlan-id set protocols dot1x authenticator interface ACCESS_PORTS supplicant single set protocols dot1x authenticator interface ACCESS_PORTS transmit-period 10 set protocols dot1x authenticator interface ACCESS_PORTS retries 0 set protocols dot1x authenticator interface ACCESS_PORTS mac-radius set protocols dot1x authenticator interface ACCESS_PORTS supplicant-timeout 10 //set actual reject-vlan and fail-vlan set protocols dot1x authenticator interface ACCESS_PORTS server-reject-vlan default set protocols dot1x authenticator interface ACCESS_PORTS server-fail vlan-name default set protocols dot1x authenticator interface ACCESS_PORTS guest-vlan default //set actual password set access radius-server 172.17.xx secret "xxx" set access profile dynamicvlan authentication-order radius set access profile dynamicvlan radius authentication-server 172.17.xx
set protocols dot1x authenticator interface ACCESS_PORTS mac-radius authentication-protocol pap
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4] "RolesSupported"=dword:0000000a "FriendlyName"="MD5-Challenge" "Path"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\ 00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,52,00,\ 61,00,73,00,63,00,68,00,61,00,70,00,2e,00,64,00,6c,00,6c,00,00,00 "InvokeUsernameDialog"=dword:00000001 "InvokePasswordDialog"=dword:00000001
Stop-Service IAS Start-Service IAS
$devices=Get-ADUser -SearchBase "ou=802.1x-groups,ou=devices_groups,dc=company,dc=local" -Filter * foreach ($device in $devices) { set-aduser -Identity $device.name -UserPrincipalName ($device.name+"@company.local") -PasswordNeverExpires $true -AllowReversiblePasswordEncryption $true -CannotChangePassword $true Set-ADAccountPassword -Identity $device.name -NewPassword (ConvertTo-SecureString -AsPlainText $device.name -force) }
Source: https://habr.com/ru/post/437408/