Add MachineAuth 802.1x network configuration installer

New Inno Setup project that configures shop floor PCs for Machine VLAN
connectivity via 802.1x/ISE authentication.

Features:
- Native Pascal implementation (no external batch files required)
- Silent installation support for deployment automation
- Windows 7/8/10/11 auto-detection
- Automatic network interface detection (wired/wireless)
- Detailed logging and results display

Configures:
- Wired: 802.1x PEAP/MS-CHAPv2 via Corporate Holdings RADIUS
- Wireless: AESFMA SSID with EAP-TLS via Aerospace FreeRADIUS

Usage:
  MachineAuthSetup.exe /VERYSILENT /SUPPRESSMSGBOXES

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Author: cproudlock
Date: 2026-01-19 16:33:39 -05:00
parent 5c07ffe288
commit 803853b125
12 changed files with 879 additions and 1 deletion

MachineAuth/8021x.xml Normal file

@@ -0,0 +1,14 @@
<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
<MSM>
<security>
<OneXEnforced>false</OneXEnforced>
<OneXEnabled>true</OneXEnabled>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
<cacheUserData>true</cacheUserData>
<authMode>machine</authMode>
<EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames><TrustedRootCA>71 bf 35 6d d6 a5 08 45 22 f7 0d 68 5a 8b e0 71 be ba da a4 </TrustedRootCA><TrustedRootCA>18 ad d0 34 a2 ef 3e 6d c8 8b a2 3f 65 b9 0b d5 0f fe 08 b0 </TrustedRootCA><TrustedRootCA>fd 92 c4 c7 cd 49 d2 8d dd 08 55 1c e2 f0 8b 33 c8 db c4 55 </TrustedRootCA><TrustedRootCA>2b 8f 1b 57 33 0d bb a2 d0 7a 6c 51 f7 0e e9 0d da b9 ad 8e </TrustedRootCA></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>true</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig>
</OneX>
</security>
</MSM>
</LANProfile>
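Review bot: `<ServerNames></ServerNames>` is empty on this PEAP profile while `<PerformServerValidation>` is true and `<AcceptServerName>` is false, so the supplicant will accept any RADIUS server whose certificate chains to one of the four `<TrustedRootCA>` thumbprints, whatever name that certificate carries. For a machine-mode PEAP/MS-CHAPv2 profile the server-name check is what stops a rogue authenticator holding a certificate from the same CA from collecting the machine account's MS-CHAPv2 exchange, so the Corporate Holdings RADIUS server names (semicolon-separated) belong in `ServerNames` before this ships. `<RequireCryptoBinding>false</RequireCryptoBinding>` should be true where the RADIUS side supports it, and `<DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>` combined with `<authMode>machine</authMode>` means a validation prompt would be raised when no user is present to answer it.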

MachineAuth/AESFMA.xml Normal file

@@ -0,0 +1,27 @@
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>AESFMA</name>
<SSIDConfig>
<SSID>
<hex>414553464D41</hex>
<name>AESFMA</name>
</SSID>
<nonBroadcast>false</nonBroadcast>
</SSIDConfig>
<connectionType>ESS</connectionType>
<connectionMode>auto</connectionMode>
<autoSwitch>false</autoSwitch>
<MSM>
<security>
<authEncryption>
<authentication>WPA2</authentication>
<encryption>AES</encryption>
<useOneX>true</useOneX>
</authEncryption>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
<authMode>machine</authMode>
<EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type><EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"><CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore></CredentialsSource><ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames><TrustedRootCA>27 f0 c9 a2 2b 28 ce 76 87 b1 15 a2 9e 31 bf 4b 3a bb 18 0f </TrustedRootCA></ServerValidation><DifferentUsername>false</DifferentUsername><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName></EapType></Eap></Config></EapHostConfig></EAPConfig>
</OneX>
</security>
</MSM>
</WLANProfile>
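Review bot: the same empty `<ServerNames></ServerNames>` applies here: with `<PerformServerValidation>` true the client pins a single root thumbprint but accepts any certificate issued under it as a FreeRADIUS server, so if that root ever issues anything other than RADIUS server certificates, an evil-twin AESFMA access point presenting such a certificate passes validation and the machine hands it an EAP-TLS session with its device certificate. Put the Aerospace FreeRADIUS server names in `ServerNames`. `<SimpleCertSelection>true</SimpleCertSelection>` with no issuer filter also lets Windows pick whichever machine certificate it judges suitable, which should be confirmed on a machine that holds more than one certificate in the computer store.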


@@ -0,0 +1,125 @@
@ECHO OFF
setlocal EnableDelayedExpansion
REM Machine Authentication Network Configuration Batch file to configure shop floor PC for connection to machine VLAN via 802.1x.
REM Connectivity is via standard tech - 802.1x, ACS, and AD group membership (for wired connections) or Device Issued Certificates (for AESFMA)
REM This file needs to be executed with admin privilege from C:\Windows\Options\Packages\GEAerospace_MA_3x4_V01\
REM These files must exist in C:\Windows\Options\Packages\GEAerospace_MA_3x4_V01\
REM - MA3NetworkConfigv4.bat (this file)
REM - 8021x.xml
REM - AESFMA.xml
REM No reboot is required.
REM Script can be run multiple times with no detrimental impact to the machine.
REM This will not remove the connection to GESFMA. It will not change the wired network from the MA 2.0 settings.
REM Machine will experience temporary loss of network as the service is cycled.
REM Works for both wired and wireless machines.
REM Script usually runs to completion in under 30 seconds.
REM Upon completion, machine will have 'native' vault access. Test to confirm.
REM ASSUMPTION THAT WIRED OR WIRELESS INTERFACE FOLLOW STANDARD CONVENTION - Local Area Connection, Local Area Connection 2, Wireless Network Connection, Wireless Network Connection 2 etc
ECHO:
ECHO Configuring machine for Machine Authentication 3.0 VLAN connectivity
ECHO:
REM SEED DEFAULT INTERFACES
REM THE * FOR WIRELESS TREATS THE MACHINE AS WIRED. AESFMA PROFILE IS ADDED TO ALL WIRELESS INTERFACES. THIS ENSURES WIRELESS WORKS SHOULD THE MACHINE MIGRATE FROM WIRED > WIRELESS
SET sf_LNWLC=
SET sf_NW=
SET sf_WNWLC=
SET sf_WinVer=
SET sf_ExecPath=C:\Windows\Options\Packages\GEAerospace_MA_3x4_V01
REM GET WINDOWS VERSION - 7 OR 10. IF NOT WIN10, ASSUME WIN7
FOR /f "tokens=4-5 delims=[.] " %%i in ('ver') DO (
SET sf_WinVer=%%i.%%j
)
IF %sf_WinVer%==10.0 (
goto CONFIGWIN10
)
IF %sf_WinVer%==6.1 (
goto CONFIGWIN7
)
:CONFIGWIN7
REM WIRED OR WIRELESS?
REM CHECK IF CURRENTLY CONNECTED TO WIRED OR WIRELESS
REM FIND CONNECTED LAN INTERFACE THAT STARTS WITH "Local ..." AND WLAN STARTING WITH "Wireless ..." WHICH IS STANDARD CONVENTION
SET sf_LNWLC=Local Area Connection
SET sf_WNWLC=Wireless Network Connection
FOR /f "skip=2 tokens=5*" %%a IN ('netsh interface ipv4 show Interfaces ^| find /V /i "disconnected"') Do (
IF %%a==Local (
SET sf_NW=LAN
goto INTERFACEFOUND
)
IF %%a==Wireless (
SET sf_NW=WLAN
goto INTERFACEFOUND
)
)
:CONFIGWIN10
SET sf_LNWLC=Ethernet
SET sf_WNWLC=Wi-Fi
FOR /f "skip=2 tokens=5*" %%a IN ('netsh interface ipv4 show Interfaces ^| find /V /i "disconnected"') Do (
IF %%a==Ethernet (
SET sf_NW=LAN
goto INTERFACEFOUND
)
IF %%a==Wi-Fi (
SET sf_NW=WLAN
goto INTERFACEFOUND
)
)
:INTERFACEFOUND
ECHO:
ECHO Windows Version = %sf_WinVer%
ECHO LAN Interface = %sf_LNWLC%
ECHO WLAN Interface = %sf_WNWLC%
ECHO Configuring Active Interface = %sf_NW%
ECHO:
REM MAY NOT EXIST BUT SUPPRESS IT TO ALLOW BOTH WIRED AND WIRELESS CONFIG
NET STOP "NetworkAdapterManager"
ECHO:
ECHO Configuring wired interface for 802.1x. HELPMSG 2182 can be ignored.
ECHO:
REM CONFIG WIRED FOR 802.1x
sc config dot3svc start= auto
NET START "Wired AutoConfig" /n
ECHO:
ECHO Importing to wired interface "%sf_LNWLC%"
ECHO:
netsh lan add profile filename="%sf_ExecPath%\8021x.xml" interface="%sf_LNWLC%"
ECHO:
ECHO Configuring wireless interface for 802.1x. HELPMSG 2182 can be ignored.
ECHO:
REM ADD AESFMA WIRELESS SSID
sc config Wlansvc start= auto
NET START "WLAN AutoConfig" /n
ECHO:
ECHO Importing to wireless interface "%sf_WNWLC%"
ECHO:
netsh wlan add profile filename="%sf_ExecPath%\AESFMA.xml" interface="%sf_WNWLC%"
REM REFRESH NETWORK. IF MACHINE WAS ID AS WIRED, STOP WIRELESS AND CYCLE LAN.
if %sf_NW%==LAN (
REM NET STOP "WLAN AutoConfig" /n
netsh lan reconnect interface="%sf_LNWLC%"
)
REM REFRESH NETWORK. IF MACHINE WAS ID AS WIRELESS, STOP WIRED AND CYCLE WLAN.
if %sf_NW%==WLAN (
REM NET STOP "Wired AutoConfig" /n
netsh wlan connect name=AESFMA ssid=AESFMA interface="%sf_WNWLC%"
)
NET START "NetworkAdapterManager"
ECHO:
ECHO Cycling Network Connections ...
ECHO:
REM GIVE NETWORK TIME TO REFRESH
timeout /T 10 /NOBREAK
EXIT
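Review bot: `:CONFIGWIN7` falls through into `:CONFIGWIN10` when the Windows 7 loop finds no connected interface (there is no `goto INTERFACEFOUND` after the `FOR` at the end of the Win7 block), so a Win7 box with nothing connected ends up with `sf_LNWLC=Ethernet` and `sf_WNWLC=Wi-Fi` and both `netsh ... add profile` calls target interfaces that do not exist; add `goto INTERFACEFOUND` before the `:CONFIGWIN10` label. In that same case `sf_NW` is empty and `if %sf_NW%==LAN (` expands to `if ==LAN (`, a syntax error; quote both sides (`if "%sf_NW%"=="LAN" (`), and do the same for `IF %sf_WinVer%==10.0`. `EXIT` at the end closes the calling console when the script is run from an interactive admin prompt, which is how the text file tells people to run it; `EXIT /B` is what is wanted. README.md lists this file under legacy files not used by the Inno Setup version, so either fix it or drop it from the commit.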

MachineAuth/MachineAuth.iss Normal file

@@ -0,0 +1,503 @@
; ============================================================================
; Machine Authentication 3.0 Network Configuration
; Configures shop floor PCs for 802.1x/ISE Machine VLAN connectivity
; ============================================================================
;
; This installer configures:
; - Wired network: 802.1x using Corporate Holdings RADIUS servers
; - Wireless network: AESFMA SSID using Aerospace FreeRADIUS servers
;
; Silent Installation:
; MachineAuthSetup.exe /VERYSILENT /SUPPRESSMSGBOXES /LOG="C:\ma3.log"
;
; ============================================================================
[Setup]
AppId={{8A3B4C5D-6E7F-8901-2345-6789ABCDEF01}}
AppName=Machine Authentication 3.0
AppVersion=4.0
AppPublisher=GE Aerospace
DefaultDirName={tmp}\MachineAuth
CreateAppDir=no
PrivilegesRequired=admin
OutputDir=Output
OutputBaseFilename=MachineAuthSetup
SolidCompression=yes
Compression=lzma2
WizardStyle=modern
SetupIconFile=gea-logo.ico
WizardImageFile=banner.bmp
WizardSmallImageFile=banner-sm.bmp
DisableWelcomePage=no
DisableDirPage=yes
DisableProgramGroupPage=yes
DisableReadyPage=no
DisableFinishedPage=no
Uninstallable=no
[Languages]
Name: "english"; MessagesFile: "compiler:Default.isl"
[Messages]
WelcomeLabel2=This will configure your PC for Machine Authentication 3.0 VLAN connectivity.%n%nThis configures 802.1x authentication for both wired and wireless network interfaces.%n%nYour network connection will be briefly interrupted during configuration.%n%nClick Next to continue.
[Files]
; Include the XML profile files - extract to temp
Source: "8021x.xml"; DestDir: "{tmp}"; Flags: ignoreversion deleteafterinstall
Source: "AESFMA.xml"; DestDir: "{tmp}"; Flags: ignoreversion deleteafterinstall
[Code]
const
// Network interface names by Windows version
WIN7_WIRED = 'Local Area Connection';
WIN7_WIRELESS = 'Wireless Network Connection';
WIN10_WIRED = 'Ethernet';
WIN10_WIRELESS = 'Wi-Fi';
// Network types
NET_WIRED = 1;
NET_WIRELESS = 2;
NET_UNKNOWN = 0;
var
ProgressPage: TOutputProgressWizardPage;
ResultsMemo: TNewMemo;
LogMessages: String;
// ============================================================================
// LOGGING FUNCTIONS
// ============================================================================
procedure LogMsg(const Msg: String);
begin
LogMessages := LogMessages + Msg + #13#10;
Log(Msg);
end;
// ============================================================================
// UTILITY FUNCTIONS
// ============================================================================
function IsWindows10OrLater: Boolean;
var
Version: TWindowsVersion;
begin
GetWindowsVersionEx(Version);
Result := (Version.Major >= 10);
end;
function GetWiredInterfaceName: String;
begin
if IsWindows10OrLater then
Result := WIN10_WIRED
else
Result := WIN7_WIRED;
end;
function GetWirelessInterfaceName: String;
begin
if IsWindows10OrLater then
Result := WIN10_WIRELESS
else
Result := WIN7_WIRELESS;
end;
// Execute a command and return the exit code
function ExecCmd(const Executable, Params: String): Integer;
var
ResultCode: Integer;
begin
LogMsg('Executing: ' + Executable + ' ' + Params);
if Exec(Executable, Params, '', SW_HIDE, ewWaitUntilTerminated, ResultCode) then
Result := ResultCode
else
Result := -1;
LogMsg(' Result: ' + IntToStr(Result));
end;
// Execute a command via cmd.exe
function ExecShell(const Command: String): Integer;
begin
Result := ExecCmd('cmd.exe', '/c ' + Command);
end;
// Execute netsh command
function ExecNetsh(const Params: String): Integer;
begin
Result := ExecCmd('netsh.exe', Params);
end;
// Execute sc command for service control
function ExecSC(const Params: String): Integer;
begin
Result := ExecCmd('sc.exe', Params);
end;
// Execute net command
function ExecNet(const Params: String): Integer;
begin
Result := ExecCmd('net.exe', Params);
end;
// Check if a network interface exists and is connected
function IsInterfaceConnected(const InterfaceName: String; IsWireless: Boolean): Boolean;
var
TempFile: String;
OutputLines: TArrayOfString;
I: Integer;
Line: String;
ResultCode: Integer;
begin
Result := False;
TempFile := ExpandConstant('{tmp}\netcheck_') + IntToStr(Random(99999)) + '.txt';
if IsWireless then
Exec('cmd.exe', '/c netsh wlan show interfaces > "' + TempFile + '" 2>&1', '', SW_HIDE, ewWaitUntilTerminated, ResultCode)
else
Exec('cmd.exe', '/c netsh lan show interfaces > "' + TempFile + '" 2>&1', '', SW_HIDE, ewWaitUntilTerminated, ResultCode);
if FileExists(TempFile) then
begin
if LoadStringsFromFile(TempFile, OutputLines) then
begin
for I := 0 to GetArrayLength(OutputLines) - 1 do
begin
Line := OutputLines[I];
// Check for interface name and connected state
if (Pos(InterfaceName, Line) > 0) then
begin
Result := True;
Break;
end;
// Also check for "State" line showing "connected"
if (Pos('connected', LowerCase(Line)) > 0) and (Pos('disconnected', LowerCase(Line)) = 0) then
begin
Result := True;
end;
end;
end;
DeleteFile(TempFile);
end;
end;
// Detect which network type is currently active
function DetectActiveNetwork: Integer;
var
WiredInterface, WirelessInterface: String;
begin
Result := NET_UNKNOWN;
WiredInterface := GetWiredInterfaceName;
WirelessInterface := GetWirelessInterfaceName;
LogMsg('Detecting active network interface...');
LogMsg(' Wired interface name: ' + WiredInterface);
LogMsg(' Wireless interface name: ' + WirelessInterface);
// Check wired first (preferred)
if IsInterfaceConnected(WiredInterface, False) then
begin
LogMsg(' Active network: WIRED');
Result := NET_WIRED;
end
else if IsInterfaceConnected(WirelessInterface, True) then
begin
LogMsg(' Active network: WIRELESS');
Result := NET_WIRELESS;
end
else
begin
// Default to wired if can't detect
LogMsg(' Could not detect active network, defaulting to WIRED');
Result := NET_WIRED;
end;
end;
// ============================================================================
// SERVICE MANAGEMENT
// ============================================================================
procedure StopService(const ServiceName: String);
begin
LogMsg('Stopping service: ' + ServiceName);
ExecNet('stop "' + ServiceName + '"');
end;
procedure StartService(const ServiceName: String);
begin
LogMsg('Starting service: ' + ServiceName);
ExecNet('start "' + ServiceName + '"');
end;
procedure SetServiceAutoStart(const ServiceName: String);
begin
LogMsg('Setting service to auto-start: ' + ServiceName);
ExecSC('config ' + ServiceName + ' start= auto');
end;
// ============================================================================
// NETWORK CONFIGURATION
// ============================================================================
function ConfigureWiredNetwork: Boolean;
var
InterfaceName, ProfilePath: String;
begin
Result := True;
InterfaceName := GetWiredInterfaceName;
ProfilePath := ExpandConstant('{tmp}\8021x.xml');
LogMsg('');
LogMsg('=== Configuring Wired Network ===');
LogMsg('Interface: ' + InterfaceName);
LogMsg('Profile: ' + ProfilePath);
// Enable and start Wired AutoConfig service
SetServiceAutoStart('dot3svc');
StartService('Wired AutoConfig');
// Small delay for service to start
Sleep(1000);
// Import 802.1x profile to wired interface
LogMsg('Importing 802.1x profile...');
if ExecNetsh('lan add profile filename="' + ProfilePath + '" interface="' + InterfaceName + '"') <> 0 then
begin
// Try without interface specification as fallback
LogMsg('Retrying without interface specification...');
ExecNetsh('lan add profile filename="' + ProfilePath + '"');
end;
LogMsg('Wired network configuration complete.');
end;
function ConfigureWirelessNetwork: Boolean;
var
InterfaceName, ProfilePath: String;
begin
Result := True;
InterfaceName := GetWirelessInterfaceName;
ProfilePath := ExpandConstant('{tmp}\AESFMA.xml');
LogMsg('');
LogMsg('=== Configuring Wireless Network ===');
LogMsg('Interface: ' + InterfaceName);
LogMsg('Profile: ' + ProfilePath);
// Enable and start WLAN AutoConfig service
SetServiceAutoStart('Wlansvc');
StartService('WLAN AutoConfig');
// Small delay for service to start
Sleep(1000);
// Import AESFMA profile to wireless interface
LogMsg('Importing AESFMA profile...');
if ExecNetsh('wlan add profile filename="' + ProfilePath + '" interface="' + InterfaceName + '"') <> 0 then
begin
// Try without interface specification as fallback
LogMsg('Retrying without interface specification...');
ExecNetsh('wlan add profile filename="' + ProfilePath + '"');
end;
LogMsg('Wireless network configuration complete.');
end;
procedure ReconnectNetwork(NetworkType: Integer);
var
WiredInterface, WirelessInterface: String;
begin
WiredInterface := GetWiredInterfaceName;
WirelessInterface := GetWirelessInterfaceName;
LogMsg('');
LogMsg('=== Reconnecting Network ===');
if NetworkType = NET_WIRED then
begin
LogMsg('Reconnecting wired interface...');
ExecNetsh('lan reconnect interface="' + WiredInterface + '"');
end
else if NetworkType = NET_WIRELESS then
begin
LogMsg('Connecting to AESFMA wireless network...');
ExecNetsh('wlan connect name=AESFMA ssid=AESFMA interface="' + WirelessInterface + '"');
end;
end;
// ============================================================================
// MAIN CONFIGURATION PROCEDURE
// ============================================================================
function PerformConfiguration: Boolean;
var
ActiveNetwork: Integer;
WindowsVersion: String;
begin
Result := True;
LogMessages := '';
// Log Windows version
if IsWindows10OrLater then
WindowsVersion := 'Windows 10/11'
else
WindowsVersion := 'Windows 7/8';
LogMsg('Machine Authentication 3.0 Configuration');
LogMsg('========================================');
LogMsg('Windows Version: ' + WindowsVersion);
LogMsg('');
// Stop NetworkAdapterManager if it exists (may not exist on all machines)
LogMsg('Stopping NetworkAdapterManager (if present)...');
StopService('NetworkAdapterManager');
// Detect active network
ActiveNetwork := DetectActiveNetwork;
// Configure wired network
ProgressPage.SetText('Configuring wired network...', '');
ProgressPage.SetProgress(1, 5);
ConfigureWiredNetwork;
// Configure wireless network
ProgressPage.SetText('Configuring wireless network...', '');
ProgressPage.SetProgress(2, 5);
ConfigureWirelessNetwork;
// Reconnect active network
ProgressPage.SetText('Reconnecting network...', '');
ProgressPage.SetProgress(3, 5);
ReconnectNetwork(ActiveNetwork);
// Start NetworkAdapterManager if it was stopped
LogMsg('');
LogMsg('Starting NetworkAdapterManager (if present)...');
StartService('NetworkAdapterManager');
// Wait for network to stabilize
ProgressPage.SetText('Waiting for network to stabilize...', '');
ProgressPage.SetProgress(4, 5);
LogMsg('');
LogMsg('Waiting 10 seconds for network to stabilize...');
Sleep(10000);
ProgressPage.SetProgress(5, 5);
LogMsg('');
LogMsg('========================================');
LogMsg('Configuration complete!');
LogMsg('');
LogMsg('The machine should now have access to the Machine VLAN.');
LogMsg('Test vault access to confirm connectivity.');
end;
// ============================================================================
// WIZARD EVENTS
// ============================================================================
procedure InitializeWizard;
begin
// Create progress page
ProgressPage := CreateOutputProgressPage('Configuring Network',
'Please wait while Machine Authentication 3.0 is configured...');
end;
function InitializeSetup: Boolean;
begin
Result := True;
// Verify admin privileges
if not IsAdmin then
begin
MsgBox('This installer requires administrator privileges.' + #13#10 +
'Please right-click and select "Run as administrator".',
mbError, MB_OK);
Result := False;
end;
end;
procedure CurStepChanged(CurStep: TSetupStep);
var
ResultForm: TSetupForm;
Memo: TNewMemo;
OKButton: TNewButton;
begin
if CurStep = ssPostInstall then
begin
// Show progress page and perform configuration
ProgressPage.Show;
try
PerformConfiguration;
finally
ProgressPage.Hide;
end;
// Show results in non-silent mode
if not WizardSilent then
begin
ResultForm := CreateCustomForm;
ResultForm.Caption := 'Configuration Results';
ResultForm.ClientWidth := 600;
ResultForm.ClientHeight := 450;
ResultForm.Position := poScreenCenter;
Memo := TNewMemo.Create(ResultForm);
Memo.Parent := ResultForm;
Memo.Left := 10;
Memo.Top := 10;
Memo.Width := ResultForm.ClientWidth - 20;
Memo.Height := ResultForm.ClientHeight - 60;
Memo.ScrollBars := ssVertical;
Memo.ReadOnly := True;
Memo.Text := LogMessages;
Memo.Font.Name := 'Consolas';
Memo.Font.Size := 9;
OKButton := TNewButton.Create(ResultForm);
OKButton.Parent := ResultForm;
OKButton.Caption := 'OK';
OKButton.Width := 80;
OKButton.Height := 30;
OKButton.Left := (ResultForm.ClientWidth - OKButton.Width) div 2;
OKButton.Top := ResultForm.ClientHeight - 45;
OKButton.ModalResult := mrOK;
OKButton.Default := True;
ResultForm.ActiveControl := OKButton;
ResultForm.ShowModal;
ResultForm.Free;
end;
end;
end;
function UpdateReadyMemo(Space, NewLine, MemoUserInfoInfo, MemoDirInfo, MemoTypeInfo,
MemoComponentsInfo, MemoGroupInfo, MemoTasksInfo: String): String;
var
WinVer, WiredInt, WirelessInt: String;
begin
if IsWindows10OrLater then
WinVer := 'Windows 10/11'
else
WinVer := 'Windows 7/8';
WiredInt := GetWiredInterfaceName;
WirelessInt := GetWirelessInterfaceName;
Result := 'Machine Authentication 3.0 Configuration' + NewLine +
NewLine +
'The following will be configured:' + NewLine +
NewLine +
Space + 'Windows Version: ' + WinVer + NewLine +
Space + 'Wired Interface: ' + WiredInt + NewLine +
Space + 'Wireless Interface: ' + WirelessInt + NewLine +
NewLine +
'Actions:' + NewLine +
Space + '1. Enable Wired AutoConfig service (dot3svc)' + NewLine +
Space + '2. Import 802.1x profile for wired authentication' + NewLine +
Space + '3. Enable WLAN AutoConfig service (Wlansvc)' + NewLine +
Space + '4. Import AESFMA profile for wireless authentication' + NewLine +
Space + '5. Reconnect active network interface' + NewLine +
NewLine +
'Note: Network will be briefly interrupted during configuration.';
end;
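Review bot: `IsInterfaceConnected` never actually checks connection state: the first branch returns True as soon as `InterfaceName` appears anywhere in the `netsh ... show interfaces` output, which it does whenever the adapter exists, connected or not, and the second branch sets True for any line containing `connected` for any interface. `DetectActiveNetwork` therefore reports WIRED on practically every machine with an Ethernet adapter, and `ReconnectNetwork` runs `netsh lan reconnect` instead of `netsh wlan connect name=AESFMA` on wireless-only shop floor PCs; parse the `State` line that follows the matching `Name` line and compare it to `connected` exactly. Detection also runs before `SetServiceAutoStart('dot3svc')`/`StartService('Wired AutoConfig')`, and `netsh lan show interfaces` needs that service running, so on a box where dot3svc is stopped the check fails outright and the `NET_WIRED` default is taken. Separately, the return value of the fallback `ExecNetsh('lan add profile ...')`/`ExecNetsh('wlan add profile ...')` is discarded and `ConfigureWiredNetwork`, `ConfigureWirelessNetwork` and `PerformConfiguration` unconditionally return True, so a `/VERYSILENT` run tells the deployment tool it succeeded even when both profile imports failed; propagate the netsh exit codes and fail the install when the retry also fails. Finally, `IsWindows10OrLater` is `Major >= 10`, so Windows 8/8.1 (6.2/6.3) get the `WIN7_*` interface names; the commit message claims 7/8/10/11 auto-detection, and that branch should be verified on an 8.x image.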

MachineAuth/README.md Normal file

@@ -0,0 +1,171 @@
# Machine Authentication 3.0
Configures shop floor PCs for 802.1x/ISE Machine VLAN connectivity with support for both wired and wireless networks.
## Overview
This installer automates the configuration of 802.1x network authentication for GE Aerospace shop floor machines, enabling secure access to the Machine VLAN without requiring user credentials.
## What It Configures
| Network Type | Authentication | Server |
|--------------|----------------|--------|
| Wired | 802.1x PEAP/MS-CHAPv2 | Corporate Holdings RADIUS |
| Wireless | 802.1x EAP-TLS (certificate) | Aerospace FreeRADIUS |
## Features
- **Native Inno Setup Implementation** - All logic in Pascal script, no external batch files
- **Silent Installation Support** - Full automation for deployment tools
- **Windows 7/10/11 Support** - Auto-detects OS and uses appropriate interface names
- **Automatic Network Detection** - Identifies active interface (wired or wireless)
- **Detailed Logging** - Comprehensive log output for troubleshooting
## Usage
### Interactive Installation
1. Run `MachineAuthSetup.exe` as Administrator
2. Review the configuration summary
3. Click Install
4. View results and verify connectivity
### Silent Installation
```batch
MachineAuthSetup.exe /VERYSILENT /SUPPRESSMSGBOXES
```
With logging:
```batch
MachineAuthSetup.exe /VERYSILENT /SUPPRESSMSGBOXES /LOG="C:\ma3_install.log"
```
## Configuration Details
### Wired Network (8021x.xml)
- **EAP Type:** 25 (PEAP)
- **Inner Method:** MS-CHAPv2 (Type 26)
- **Auth Mode:** Machine
- **Credentials:** Windows logon credentials
- **Service:** dot3svc (Wired AutoConfig)
### Wireless Network (AESFMA.xml)
- **SSID:** AESFMA
- **Security:** WPA2-Enterprise, AES
- **EAP Type:** 13 (EAP-TLS)
- **Auth Mode:** Machine (certificate-based)
- **Service:** Wlansvc (WLAN AutoConfig)
## Interface Names
| Windows Version | Wired Interface | Wireless Interface |
|-----------------|-----------------|-------------------|
| Windows 7/8 | Local Area Connection | Wireless Network Connection |
| Windows 10/11 | Ethernet | Wi-Fi |
## Installation Steps
1. Stop NetworkAdapterManager service (if present)
2. Enable and start Wired AutoConfig (dot3svc)
3. Import 802.1x profile to wired interface
4. Enable and start WLAN AutoConfig (Wlansvc)
5. Import AESFMA profile to wireless interface
6. Reconnect active network interface
7. Start NetworkAdapterManager service
8. Wait 10 seconds for network stabilization
## Requirements
- Windows 7, 8, 10, or 11
- Administrator privileges
- SSL certificate for FreeRADIUS (pre-installed on managed machines)
- Standard network interface naming conventions
## Files
```
MachineAuth/
├── MachineAuth.iss # Inno Setup script
├── 8021x.xml # Wired 802.1x profile
├── AESFMA.xml # Wireless AESFMA profile
├── gea-logo.ico # Setup icon
├── banner.bmp # Wizard banner
├── banner-sm.bmp # Wizard small image
└── README.md # This file
```
## Legacy Files (Not Required)
These files are from the original batch-based installer and are not used by the Inno Setup version:
- `MA3NetworkConfigv4.bat` - Original batch script
- `ge_runasuser.exe` - Run-as-user utility
- `RebootDelay.exe` - Reboot delay utility
- `$PLUGINSDIR/` - NSIS plugin remnants
## Troubleshooting
### "Requires administrator privileges"
Right-click the installer and select "Run as administrator"
### Network doesn't reconnect after configuration
1. Manually disconnect and reconnect the network adapter
2. Check Windows Services that dot3svc and/or Wlansvc are running
3. Verify the machine has the required certificates
### AESFMA wireless doesn't connect
- Verify the FreeRADIUS SSL certificate is installed
- Check that the machine is in the correct AD group
- Ensure the wireless adapter supports WPA2-Enterprise
### Wired 802.1x authentication fails
- Verify the machine account is in the correct AD group
- Check that the switch port is configured for 802.1x
- Review the RADIUS server logs for authentication errors
### Check installed profiles
Wired profiles:
```batch
netsh lan show profiles
```
Wireless profiles:
```batch
netsh wlan show profiles
```
### Remove and reinstall profiles
Remove wired profile:
```batch
netsh lan delete profile interface="Ethernet"
```
Remove wireless profile:
```batch
netsh wlan delete profile name="AESFMA"
```
Then run the installer again.
## Building
1. Install [Inno Setup 6.x](https://jrsoftware.org/isdl.php)
2. Open `MachineAuth.iss`
3. Compile (F9)
4. Output: `Output/MachineAuthSetup.exe`
## Technical Notes
- No reboot required
- Brief network interruption during configuration (~10-15 seconds)
- Safe to run multiple times
- Does not remove existing profiles (adds/updates)
## Author
WJDT / GE Aerospace
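Review bot: under Requirements, `SSL certificate for FreeRADIUS (pre-installed on managed machines)` understates what the two profiles need. The wireless profile is EAP-TLS in machine mode (`EAP Type: 13`, `Auth Mode: Machine (certificate-based)`), so the machine must hold a device certificate with a private key in the computer store that the FreeRADIUS server trusts, plus the root CA pinned in `AESFMA.xml`; the wired PEAP profile needs only trust in the roots pinned in `8021x.xml` and a valid AD machine account. State both explicitly, since the `AESFMA wireless doesn't connect` troubleshooting entry currently sends people to check a server certificate rather than the client one. The interface-name table's `Windows 7/8 | Local Area Connection` row mirrors the `Major >= 10` check in the script but should be confirmed on a real Windows 8 image. And `Legacy Files (Not Required)` calls `MA3NetworkConfigv4.bat` unused while the batch file is still part of this commit; say it is kept for reference or drop it.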


@@ -0,0 +1,33 @@
Configure a Shop Floor Machine's network adapters for 802.1x/ISE
-----------------------------------------------------------------
This file can be run on either Windows 7 or Windows 10 Machines - SFLD, MCE, or Business Imaged.
This package creates/configures wired and wireless interfaces for 802.1x.
The wired network will be configured on the endpoint to use Corporate Holdings RADIUS servers.
The wireless network will be configured to use the new Aerospace FreeRADIUS servers.
This package will work on Legacy LOGON machines.
This package works under the following assumptions:
1) The PC is either Win7 or Win10
2) The default wired interface is named "Local Network Connection" (Win7) or "Ethernet" (Win10)
3) The default wireless interface is named "Wireless Network Connection" (Win7) or "Wi-Fi" (Win10)
4) The machine has the SSL certificate for FreeRADIUS authentication. This is required for AAA
Execution
---------
1) log in as admin
2) extract files to C:\Windows\Options\Packages\GEAerospace_MA_3x4_V01\
3) open command prompt with admin privilege
4) change directory to C:\Windows\Options\Packages\AutomatedMigrationTool\
5) execute file MA3NetworkConfigv4.exe
> Machine will authorize to wired or wireless Machine VLAN without needing a reboot.
> Machine will change IP addresses after running this package.
File list:
- READMENetwork.txt
- MA3NetworkConfig4.bat
- 8021x.xml
- AESFMA.xml
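Review bot: this file contradicts the rest of the commit on three points: assumption 2 names the wired interface `Local Network Connection` where the batch script and `MachineAuth.iss` use `Local Area Connection`; step 2 extracts to `C:\Windows\Options\Packages\GEAerospace_MA_3x4_V01\` but step 4 changes directory to `C:\Windows\Options\Packages\AutomatedMigrationTool\`; and step 5 runs `MA3NetworkConfigv4.exe` while the file list names `MA3NetworkConfig4.bat` and the batch header names `MA3NetworkConfigv4.bat`. README.md describes this whole batch flow as legacy, so either reconcile the names and paths or mark the file as superseded by `MachineAuthSetup.exe`.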

MachineAuth/banner-sm.bmp Normal file (binary, 9.6 KiB)

MachineAuth/banner.bmp Normal file (binary, 151 KiB)

MachineAuth/gea-logo.ico Normal file (binary, 9.4 KiB)