GPO Configuration

Overview

Deploy 802.1X EAP-TLS configuration to domain-joined Windows machines using Group Policy.

Prerequisites

  • Domain-joined Windows workstation

  • DOMUS-ROOT-CA trusted via GPO

  • Client certificate in Local Machine store

  • Active Directory with Group Policy Management

Step 1: Create GPO

# On Domain Controller
New-GPO -Name "802.1X Wired EAP-TLS" -Comment "Wired 802.1X with Vault PKI certificates"

Step 2: Configure Wired AutoConfig Service

Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → System Services

Set Wired AutoConfig to Automatic.

Step 3: Configure Wired Network Policy

Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Wired Network (IEEE 802.3) Policies

  1. Right-click → Create A New Wired Network Policy

  2. Name: Domus Wired 802.1X

  3. Check: Use Windows Wired Auto Config service

Step 4: Configure Authentication

In the policy properties:

  1. Authentication Mode: User or Computer authentication

  2. Authentication Method: Smart Card or other certificate

  3. Click Properties:

    • Check: Use a certificate on this computer

    • Check: Use simple certificate selection

    • Trusted Root CAs: Select DOMUS-ROOT-CA

Step 5: Configure Advanced Settings

  1. Enable single sign on for this network

  2. Perform immediately before user logon

Step 6: Link GPO to Target OU

# Link to target OU
New-GPLink -Name "802.1X Wired EAP-TLS" -Target "OU=Workstations,DC=inside,DC=domusdigitalis,DC=dev"

Step 7: Verify Deployment

# Force GPO update
gpupdate /force

# Check applied policies
gpresult /r | Select-String "802.1X"

# Check Wired AutoConfig service
Get-Service dot3svc

Troubleshooting GPO Deployment

# Check GPO application
gpresult /h gpo-report.html

# Check event log for 802.1X
Get-WinEvent -LogName "Microsoft-Windows-Wired-AutoConfig/Operational" -MaxEvents 20
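The checks in Step 7 and the troubleshooting commands above can be combined into one client-side verification script. The following is an added example, not part of the original runbook or the Domus project; it assumes the GPO name, the DOMUS-ROOT-CA name and the LocalMachine certificate store from this page, and it treats a machine certificate as usable for EAP-TLS when it has a private key, is within its validity period, carries the Client Authentication EKU and chains to DOMUS-ROOT-CA. Run it from an elevated PowerShell prompt on a workstation in the target OU (gpresult needs elevation to report computer scope).

```powershell
# Added verification script for the 802.1X EAP-TLS GPO (example, not the
# project's own code). Assumptions: GPO and CA names as on this page, and a
# machine cert with the Client Authentication EKU issued under DOMUS-ROOT-CA.

$GpoName       = "802.1X Wired EAP-TLS"
$RootCaName    = "DOMUS-ROOT-CA"
$ClientAuthEku = "1.3.6.1.5.5.7.3.2"   # Client Authentication EKU OID
$results       = [ordered]@{}

# 1. Wired AutoConfig (dot3svc) must be running and start automatically,
#    otherwise the supplicant never attempts 802.1X on wired interfaces.
$svc = Get-Service -Name dot3svc
$results["dot3svc running"]   = ($svc.Status -eq 'Running')
$results["dot3svc automatic"] = ($svc.StartType -eq 'Automatic')

# 2. The root CA the policy pins must be in the machine Trusted Root store;
#    without it the client rejects the RADIUS server certificate.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$RootCaName*" }
$results["root CA trusted"] = [bool]$rootCa

# 3. Find a machine certificate the supplicant can actually use:
#    private key present, currently valid, Client Authentication EKU,
#    and chaining to DOMUS-ROOT-CA (revocation skipped here; the NPS/RADIUS
#    side is where revocation is normally enforced).
$now = Get-Date
$eapCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
} | Where-Object {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if ($chain.Build($_)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $root.Subject -like "*CN=$RootCaName*"
    } else { $false }
} | Select-Object -First 1
$results["EAP-TLS client cert"] = [bool]$eapCert
if ($eapCert) {
    "Using certificate: $($eapCert.Subject) (expires $($eapCert.NotAfter))"
}

# 4. Confirm the GPO is actually applied in computer scope (not just linked).
$gpoReport = gpresult /r /scope computer 2>&1 | Out-String
$results["GPO applied"] = ($gpoReport -match [regex]::Escape($GpoName))

# 5. Recent supplicant events: surface errors from the Wired-AutoConfig log.
#    Get-WinEvent throws if the log is empty, hence SilentlyContinue.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Wired-AutoConfig/Operational'
} -MaxEvents 20 -ErrorAction SilentlyContinue
$errors = @($events | Where-Object { $_.Level -eq 2 })   # Level 2 = Error
$results["no recent 802.1X errors"] = ($errors.Count -eq 0)
$errors | Select-Object TimeCreated, Id, Message | Format-List

# Summary table: any FAIL line points at the step above that needs attention.
$results.GetEnumerator() | ForEach-Object {
    "{0,-26} {1}" -f $_.Key, $(if ($_.Value) { "OK" } else { "FAIL" })
}

# Live 802.1X state per wired interface (Authenticated / Authenticating / Failed).
netsh lan show interfaces
```

If "GPO applied" fails while the link exists, run gpupdate /force and re-check; if "EAP-TLS client cert" fails, the Vault-issued machine certificate is missing, expired, lacks the Client Authentication EKU or does not chain to DOMUS-ROOT-CA, which the supplicant also logs in the Wired-AutoConfig operational log read in step 5.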