EAPOLconf(1)                   EAPOLconf manual                   EAPOLconf(1)

NAME
       EAPOLconf - modifies the EAPOL configuration for specified NIC

SYNOPSIS
       EAPOLconf -n -s -m set|modify [-c set|unset] [-g set|unset]
                 [-e set|unset] [-t set|unset] [-o set|unset]
                 [-i set|unset] [-f ]

DESCRIPTION
       EAPOLconf offers a way to modify the configuration of Windows' EAPOL
       implementation. It is meant as a kind of command-line version of the
       GUI dialog that appears after clicking on "Properties" on the
       "Authentication" tab of a wireless LAN entry's properties dialog.

       EAPOLconf directly manipulates specific registry values and doesn't
       use any API function. (So it's better to think of EAPOLconf as an
       "ugly hack".) These registry values (REG_BINARY) contain all checkbox
       and radio button settings presented to you by Windows in the
       mentioned dialog.

       At the moment it works for EAPOL configuration values of wireless LAN
       NICs only. And since the format and meaning of the bytes which make
       up such EAPOL configuration registry values is unknown except for
       some special cases, EAPOLconf might be more or - more likely - less
       useful for purposes other than these special ones.

       EAPOLconf has two modes: "set" and "modify". The modify mode works
       for those EAPOL registry values which have the right length and
       format; otherwise it will tell you that you can't use the modify
       mode. The set mode (over)writes a value with "new" bytes, totally
       unrelated to the previous contents of the value. So you have to
       decide which switch should be turned on or off and provide every
       set/unset option you can see below (OPTIONS).

       At the moment EAPOLconf can write and understand exactly one format
       (one "special case") which has 106 bytes and where EAP-TLS is
       enabled. The modify mode allows you to modify single options in such
       an EAPOL registry value. The set mode writes such values with EAP-TLS
       and IEEE 802.1X turned on silently.

       I think I didn't explain the whole thing very well - perhaps the
       EXAMPLES do a better job - have a look at them!

OPTIONS
       -n     Specifies the name of the wireless NIC.

       -s     Specifies the SSID of the wireless LAN preferred entry to
              modify or (re)set.

       -m set|modify
              Mode selection. With "modify" EAPOLconf tries to modify one or
              more configuration items. But this mode can only be used where
              the existing configuration registry value fulfills certain
              conditions. "set" forces EAPOLconf to write a new
              configuration and thus you have to provide all options
              following this paragraph (except -f).

       -c set|unset
              Enables/Disables the checkbox "Authenticate as computer ...".

       -g set|unset
              Enables/Disables the checkbox "Authenticate as guest ...".

       -e set|unset
              "set" chooses the radio button "Use smartcard ...". "unset"
              chooses the radio button "Use certificate ...".

       -t set|unset
              Enables/Disables the checkbox "Check server certificate ...".

       -o set|unset
              Enables/Disables the checkbox "Use another username ...".

       -i set|unset
              Enables/Disables the checkbox "Use simple certificate choice
              ...".

       -f     In the GUI dialog there is the possibility to specify a CA
              certificate you want to trust while checking the server's
              certificate. You can do this with EAPOLconf, too, but you have
              to specify the fingerprint of the CA certificate (20 bytes).
              At the moment you can specify one trusted CA certificate only!
              There are two possible ways/formats of a fingerprint:

                  "ff a3 c3 df 56 69 f3 23 0f 47 76 63 c6 a0 60 0f 66 b6 f6 27"

              or

                  "ffa3c3df5669f3230f477663c6a0600f66b6f627"

              The first one is very easy to obtain: just copy&paste the
              fingerprint shown in mmc's certificate snap-in. There, choose
              a certificate's properties and details and search the list box
              for "fingerprint", choose that line/entry and you'll see the
              fingerprint and can copy it.
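
An added example, not part of EAPOLconf or its original manual: a Python check that a value intended for -f is well formed in either notation above and belongs to the CA certificate you mean to trust. It assumes the 20-byte fingerprint is the SHA-1 hash of the DER-encoded certificate, as the Windows certificate snap-in displays it; the function names and the stand-in bytes are constructed for illustration.

```python
import base64
import hashlib
import re
import unicodedata

FINGERPRINT_LEN = 20  # bytes, the length the manual gives for -f


def parse_fingerprint(text):
    """Return the 20 raw bytes for either -f notation (spaced or compact)."""
    # Copy&paste can carry invisible Unicode format characters (category Cf); drop them.
    visible = "".join(c for c in text if unicodedata.category(c) != "Cf")
    tokens = visible.split()
    if len(tokens) > 1:
        # Spaced notation: every token must be exactly one hex-encoded byte.
        if not all(re.fullmatch(r"[0-9A-Fa-f]{2}", t) for t in tokens):
            raise ValueError("spaced fingerprint must consist of two-digit hex bytes")
        compact = "".join(tokens)
    else:
        compact = tokens[0] if tokens else ""
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % (2 * FINGERPRINT_LEN), compact):
        raise ValueError("fingerprint must be exactly 20 hex-encoded bytes")
    return bytes.fromhex(compact)


def der_from_pem(pem):
    """Extract the DER bytes from a single PEM CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def certificate_matches(der, fingerprint_text):
    """True if SHA-1 over the DER bytes equals the fingerprint (assumed SHA-1 thumbprint)."""
    return hashlib.sha1(der).digest() == parse_fingerprint(fingerprint_text)


def as_option_value(raw):
    """Format raw fingerprint bytes in the spaced notation used in EXAMPLES."""
    return " ".join("%02x" % b for b in raw)


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate.
    der = b"constructed stand-in for DER certificate bytes"
    fp = as_option_value(hashlib.sha1(der).digest())
    print(fp, certificate_matches(der, fp))
```

Running the check against an exported copy of the CA certificate before passing the value to -f catches a truncated or mistyped fingerprint.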

EXAMPLES
       EAPOLconf -n "Dell TrueMobile 1150 Series Wireless LAN Mini PCI Card" -s TEST -m set -c set -g unset -e set -t set -o unset -i set

              Rewrites the configuration registry value of the wireless LAN
              preferred entry with the SSID "TEST" of the wireless NIC with
              the name "Dell TrueMobile 1150 Series Wireless LAN Mini PCI
              Card". It enables IEEE 802.1X and EAP-TLS silently and
              furthermore enables authentication as computer (-c), disables
              authentication as guest (-g), chooses the use of a certificate
              instead of a smartcard (-e), enables server certificate
              verification (-t), disables the use of another username (-o)
              and enables the use of the simple certificate choice dialog
              (-i). As you might have recognized, these are the defaults of
              Windows for a configuration with IEEE 802.1X and EAP-TLS.

       EAPOLconf -n "Dell TrueMobile 1150 Series Wireless LAN Mini PCI Card" -s TEST -m set -c set -g unset -e set -t set -o unset -i set -f "ff a3 c3 df 56 69 f3 23 0f 47 76 63 c6 a0 60 0f 66 b6 f6 27"

              This is the same example again, but with a fingerprint given.
              So the CA certificate with this fingerprint will be trusted
              ("checked" in the GUI dialog). Of course, providing a
              fingerprint only makes sense together with "set" for option
              -t.

       EAPOLconf -n "Dell TrueMobile 1150 Series Wireless LAN Mini PCI Card" -s WNET -m modify -t unset -o set

              Here the modify mode is used and thus not all set/unset
              options are needed, since EAPOLconf will try to modify an
              existing configuration value with the information given. Here
              the command line says: disable checking of server certificate
              (-t) and enable the use of another username. Again, as noted
              in DESCRIPTION, this works only in some cases, where the
              existing configuration value has a certain format and length.

NOTES
       This program hasn't been tested on many setups! And its use might be
       very limited to the one case I basically wrote it for: the same thing
       that the second example (see EXAMPLES) does.

       The problem is the format of the registry value used by the EAPOL
       implementation of Windows - it's more or less unknown and I
       deciphered it for the above mentioned use case, only. Although,
       "deciphering" is not that hard - you just have to have time and try
       every combination of settings to find out which byte does what ;-) ...

       The registry values in question reside here:

           HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}

       The "X"s are the GUID of the NIC. The values in this registry key
       have numbers (counted from 1) as names and represent the list of
       wireless LAN preferred networks. The type is REG_BINARY.

       EAPOLconf is known to work on Windows XP SP2, only. It might work on
       other versions or not.

BUGS
       Well, this is a very "quick and dirty" tool - so there might be tons
       of bugs ... ;-)

AUTHOR
       Written by Joachim Förster.

COPYRIGHT
       Copyright (C) 2006 Joachim Förster

       This program is free software; see the source for copying
       conditions. There is NO warranty; not even for MERCHANTABILITY or
       FITNESS FOR A PARTICULAR PURPOSE.

EAPOLconf(1)     $LastChangedDate: 2006-09-13 14:43:18 +0200 (Mi, 13 Sep 2006) $