Manual Configuration
Prerequisites
- Client certificate imported to Local Machine\Personal store
- DOMUS-ROOT-CA trusted in Local Machine\Root store
- Administrative access
Step 1: Enable Wired AutoConfig Service
The Wired AutoConfig service (dot3svc) must be running for 802.1X authentication.
# Set service to automatic and start
Set-Service -Name dot3svc -StartupType Automatic
Start-Service -Name dot3svc
# Verify
Get-Service dot3svc
Expected output:
Status   Name               DisplayName
------   ----               -----------
Running  dot3svc            Wired AutoConfig
Step 2: Configure via GUI
- Open Network Connections (ncpa.cpl)
- Right-click Ethernet adapter → Properties
- Click Authentication tab
- Check: Enable IEEE 802.1X authentication
- Choose: Microsoft: Smart Card or other certificate
- Click Settings:
  - Check: Use a certificate on this computer
  - Check: Use simple certificate selection
  - Trusted Root CAs: Check DOMUS-ROOT-CA
Step 3: Configure via netsh (CLI)
rem Enable 802.1X on interface
netsh lan set eapuserdata /interface="Ethernet" /enabled:yes
rem Set authentication mode
netsh lan set profileparameter interface="Ethernet" authMode=machineOrUser
rem Show current config
netsh lan show interfaces
netsh lan show profiles
Step 4: Configure via Registry
# Enable 802.1X on specific interface
# Get interface GUID first
Get-NetAdapter | Select-Object Name, InterfaceGuid
# Create registry key for 802.1X
$guid = "{YOUR-INTERFACE-GUID}"
$path = "HKLM:\SOFTWARE\Microsoft\dot3svc\Interfaces\$guid"
New-Item -Path $path -Force
Set-ItemProperty -Path $path -Name "Enable802.1x" -Value 1 -Type DWord
Step 5: Verify Configuration
# Check 802.1X status
netsh lan show interfaces
# Expected output shows:
# 802.1x enabled: Yes
# Authentication: Success
# Check certificate being used
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*inside.domusdigitalis.dev*" }
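The Prerequisites and the Step 5 certificate check can be combined into one pre-flight script. The following PowerShell is an added example, not part of the original page: it assumes the subject filter from Step 5 and the root CA name DOMUS-ROOT-CA, the function name Test-EapTlsClientCert is hypothetical, and revocation is not checked.

```powershell
# Added example (not from the original page): EAP-TLS pre-flight check.
$subjectFilter = '*inside.domusdigitalis.dev*'  # subject filter from Step 5
$rootName      = 'DOMUS-ROOT-CA'                # root CA from Prerequisites
$clientAuthOid = '1.3.6.1.5.5.7.3.2'            # Client Authentication EKU

function Test-EapTlsClientCert {                # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect EKU OIDs; an absent EKU extension means "all purposes".
    $ekuOids = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Machine context so the chain is built against LocalMachine stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is not tested here
    $chainOk = $chain.Build($Cert)
    # The last element is the highest certificate the chain engine reached.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey
        InValidity    = ($Cert.NotBefore -le $now -and $Cert.NotAfter -gt $now)
        ClientAuthEku = ($ekuOids.Count -eq 0 -or $ekuOids -contains $clientAuthOid)
        ChainBuilds   = $chainOk
        ChainTop      = $top.Subject
        TopIsDomusCa  = ($top.Subject -like "*$rootName*")
    }
}

$svc = Get-Service -Name dot3svc
"dot3svc: $($svc.Status) (startup: $($svc.StartType))"

$rootInStore = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$rootName*" }).Count -gt 0
"$rootName present in LocalMachine\Root: $rootInStore"

$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $subjectFilter })
if ($candidates.Count -eq 0) {
    Write-Warning "No certificate matching $subjectFilter in LocalMachine\My"
}
$candidates | ForEach-Object { Test-EapTlsClientCert -Cert $_ } | Format-List
```

A certificate is usable for EAP-TLS machine authentication only when HasPrivateKey, InValidity, ClientAuthEku, ChainBuilds and TopIsDomusCa are all True.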
Step 6: WiFi Configuration
For WiFi 802.1X EAP-TLS:
- Open Network & Internet Settings
- Click WiFi → Manage known networks
- Add network manually:
  - Network name: Domus-Secure
  - Security: WPA2-Enterprise
- Choose: Microsoft: Smart Card or other certificate
- Configure certificate settings same as wired

Or via netsh:
rem Export existing profile
netsh wlan export profile name="Domus-Secure" folder=C:\temp
rem Edit XML and import
netsh wlan add profile filename="C:\temp\{wifi-ssid}.xml"
Example WiFi Profile XML
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Domus-Secure</name>
  <SSIDConfig>
    <SSID>
      <name>Domus-Secure</name>
    </SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machine</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>