Add MachineAuth 802.1x network configuration installer

New Inno Setup project that configures shop floor PCs for Machine VLAN connectivity via 802.1x/ISE authentication. Features: - Native Pascal implementation (no external batch files required) - Silent installation support for deployment automation - Windows 7/8/10/11 auto-detection - Automatic network interface detection (wired/wireless) - Detailed logging and results display Configures: - Wired: 802.1x PEAP/MS-CHAPv2 via Corporate Holdings RADIUS - Wireless: AESFMA SSID with EAP-TLS via Aerospace FreeRADIUS Usage: MachineAuthSetup.exe /VERYSILENT /SUPPRESSMSGBOXES Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 16:33:39 -05:00
parent 5c07ffe288
commit 803853b125
12 changed files with 879 additions and 1 deletions
--- a/MachineAuth/$PLUGINSDIR/System.dll
+++ b/MachineAuth/$PLUGINSDIR/System.dll
--- a/MachineAuth/$PLUGINSDIR/nsExec.dll
+++ b/MachineAuth/$PLUGINSDIR/nsExec.dll
--- a/MachineAuth/8021x.xml
+++ b/MachineAuth/8021x.xml
@@ -0,0 +1,14 @@
 <?xml version="1.0"?>
 <LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
 	<MSM>
 		<security>
 			<OneXEnforced>false</OneXEnforced>
 			<OneXEnabled>true</OneXEnabled>
 			<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
 				<cacheUserData>true</cacheUserData>
 				<authMode>machine</authMode>
 				<EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames><TrustedRootCA>71 bf 35 6d d6 a5 08 45 22 f7 0d 68 5a 8b e0 71 be ba da a4 </TrustedRootCA><TrustedRootCA>18 ad d0 34 a2 ef 3e 6d c8 8b a2 3f 65 b9 0b d5 0f fe 08 b0 </TrustedRootCA><TrustedRootCA>fd 92 c4 c7 cd 49 d2 8d dd 08 55 1c e2 f0 8b 33 c8 db c4 55 </TrustedRootCA><TrustedRootCA>2b 8f 1b 57 33 0d bb a2 d0 7a 6c 51 f7 0e e9 0d da b9 ad 8e </TrustedRootCA></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>true</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig>
 			</OneX>
 		</security>
 	</MSM>
 </LANProfile>
--- a/MachineAuth/AESFMA.xml
+++ b/MachineAuth/AESFMA.xml
@@ -0,0 +1,27 @@
 <?xml version="1.0"?>
 <WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 	<name>AESFMA</name>
 	<SSIDConfig>
 		<SSID>
 			<hex>414553464D41</hex>
 			<name>AESFMA</name>
 		</SSID>
 		<nonBroadcast>false</nonBroadcast>
 	</SSIDConfig>
 	<connectionType>ESS</connectionType>
 	<connectionMode>auto</connectionMode>
 	<autoSwitch>false</autoSwitch>
 	<MSM>
 		<security>
 			<authEncryption>
 				<authentication>WPA2</authentication>
 				<encryption>AES</encryption>
 				<useOneX>true</useOneX>
 			</authEncryption>
 			<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
 				<authMode>machine</authMode>
 				<EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type><EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"><CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore></CredentialsSource><ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames><TrustedRootCA>27 f0 c9 a2 2b 28 ce 76 87 b1 15 a2 9e 31 bf 4b 3a bb 18 0f </TrustedRootCA></ServerValidation><DifferentUsername>false</DifferentUsername><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName></EapType></Eap></Config></EapHostConfig></EAPConfig>
 			</OneX>
 		</security>
 	</MSM>
 </WLANProfile>
--- a/MachineAuth/MA3NetworkConfigv4.bat
+++ b/MachineAuth/MA3NetworkConfigv4.bat
@@ -0,0 +1,125 @@
@ECHO OFF
 setlocal EnableDelayedExpansion
 REM Machine Authentication Network Configuration Batch file to configure shop floor PC for connection to machine VLAN via 802.1x.
 REM Connectivity is via standard tech - 802.1x, ACS, and AD group membership (for wired connections) or Device Issued Certificates (for AESFMA)
 REM This file needs to be executed with admin privilege from C:\Windows\Options\Packages\GEAerospace_MA_3x4_V01\
 REM These files must exist in C:\Windows\Options\Packages\GEAerospace_MA_3x4_V01\
 REM - MA3NetworkConfigv4.bat (this file)
 REM - 8021x.xml
 REM - AESFMA.xml
 REM No reboot is required.
 REM Script can be run multiple times with no detrimental impact to the machine.
 REM This will not remove the connection to GESFMA. It will not change the wired network from the MA 2.0 settings.
 REM Machine will experience temporary loss of network as the service is cycled.
 REM Works for both wired and wireless machines.
 REM Script usually runs to completion in under 30 seconds.
 REM Upon completion, machine will have 'native' vault access. Test to confirm.
 REM ASSUMPTION THAT WIRED OR WIRELESS INTERFACE FOLLOW STANDARD CONVENTION - Local Area Connection, Local Area Connection 2, Wireless Network Connection, Wireless Network Connection 2 etc
 ECHO:
 ECHO Configuring machine for Machine Authentication 3.0 VLAN connectivity
 ECHO:
 REM SEED DEFAULT INTERFACES
 REM THE * FOR WIRELESS TREATS THE MACHINE AS WIRED. AESFMA PROFILE IS ADDED TO ALL WIRELESS INTERFACES. THIS ENSURES WIRELESS WORKS SHOULD THE MACHINE MIGRATE FROM WIRED > WIRELESS
 SET sf_LNWLC=
 SET sf_NW=
 SET sf_WNWLC=
 SET sf_WinVer=
 SET sf_ExecPath=C:\Windows\Options\Packages\GEAerospace_MA_3x4_V01
 REM GET WINDOWS VERSION - 7 OR 10. IF NOT WIN10, ASSUME WIN7
 FOR /f "tokens=4-5 delims=[.] " %%i in ('ver') DO (
  SET sf_WinVer=%%i.%%j
 )
 IF %sf_WinVer%==10.0 (
  goto CONFIGWIN10
 )
 IF %sf_WinVer%==6.1 (
  goto CONFIGWIN7
 )
 :CONFIGWIN7
 REM WIRED OR WIRELESS?
 REM CHECK IF CURRENTLY CONNECTED TO WIRED OR WIRELESS
 REM FIND CONNECTED LAN INTERFACE THAT STARTS WITH "Local ..." AND WLAN STARTING WITH "Wireless ..." WHICH IS STANDARD CONVENTION
 SET sf_LNWLC=Local Area Connection
 SET sf_WNWLC=Wireless Network Connection
 FOR /f "skip=2 tokens=5*" %%a IN ('netsh interface ipv4 show Interfaces ^| find /V /i "disconnected"') Do (
    IF %%a==Local (
      SET sf_NW=LAN
 	  goto INTERFACEFOUND
 	)
    IF %%a==Wireless (
      SET sf_NW=WLAN
 	  goto INTERFACEFOUND
 	)
 )
 :CONFIGWIN10
 SET sf_LNWLC=Ethernet
 SET sf_WNWLC=Wi-Fi
 FOR /f "skip=2 tokens=5*" %%a IN ('netsh interface ipv4 show Interfaces ^| find /V /i "disconnected"') Do (
    IF %%a==Ethernet (
      SET sf_NW=LAN
 	  goto INTERFACEFOUND
 	)
 	IF %%a==Wi-Fi (
      SET sf_NW=WLAN
 	  goto INTERFACEFOUND
 	)
 )
 :INTERFACEFOUND
 ECHO:
 ECHO Windows Version = %sf_WinVer%
 ECHO LAN Interface = %sf_LNWLC%
 ECHO WLAN Interface = %sf_WNWLC%
 ECHO Configuring Active Interface = %sf_NW%
 ECHO:
 REM MAY NOT EXIST BUT SUPPRESS IT TO ALLOW BOTH WIRED AND WIRELESS CONFIG
 NET STOP "NetworkAdapterManager"
 ECHO:
 ECHO Configuring wired interface for 802.1x. HELPMSG 2182 can be ignored.
 ECHO:
 REM CONFIG WIRED FOR 802.1x
 sc config dot3svc start= auto
 NET START "Wired AutoConfig" /n
 ECHO:
 ECHO Importing to wired interface "%sf_LNWLC%"
 ECHO:
 netsh lan add profile filename="%sf_ExecPath%\8021x.xml" interface="%sf_LNWLC%"
 ECHO:
 ECHO Configuring wireless interface for 802.1x. HELPMSG 2182 can be ignored.
 ECHO:
 REM ADD AESFMA WIRELESS SSID
 sc config Wlansvc start= auto
 NET START "WLAN AutoConfig" /n
 ECHO:
 ECHO Importing to wireless interface "%sf_WNWLC%"
 ECHO:
 netsh wlan add profile filename="%sf_ExecPath%\AESFMA.xml" interface="%sf_WNWLC%"
 REM REFRESH NETWORK. IF MACHINE WAS ID AS WIRED, STOP WIRELESS AND CYCLE LAN.
 if %sf_NW%==LAN (
 REM  NET STOP "WLAN AutoConfig" /n
  netsh lan reconnect interface="%sf_LNWLC%"
 )
 REM REFRESH NETWORK. IF MACHINE WAS ID AS WIRELESS, STOP WIRED AND CYCLE WLAN.
 if %sf_NW%==WLAN (
 REM  NET STOP "Wired AutoConfig" /n
  netsh wlan connect name=AESFMA ssid=AESFMA interface="%sf_WNWLC%"
 )
 NET START "NetworkAdapterManager"
 ECHO:
 ECHO Cycling Network Connections ...
 ECHO: 
 REM GIVE NETWORK TIME TO REFRESH
 timeout /T 10 /NOBREAK
 EXIT
--- a/MachineAuth/MachineAuth.iss
+++ b/MachineAuth/MachineAuth.iss
@@ -0,0 +1,503 @@
 ; ============================================================================
 ; Machine Authentication 3.0 Network Configuration
 ; Configures shop floor PCs for 802.1x/ISE Machine VLAN connectivity
 ; ============================================================================
 ;
 ; This installer configures:
 ; - Wired network: 802.1x using Corporate Holdings RADIUS servers
 ; - Wireless network: AESFMA SSID using Aerospace FreeRADIUS servers
 ;
 ; Silent Installation:
 ;   MachineAuthSetup.exe /VERYSILENT /SUPPRESSMSGBOXES /LOG="C:\ma3.log"
 ;
 ; ============================================================================
 [Setup]
 AppId={{8A3B4C5D-6E7F-8901-2345-6789ABCDEF01}}
 AppName=Machine Authentication 3.0
 AppVersion=4.0
 AppPublisher=GE Aerospace
 DefaultDirName={tmp}\MachineAuth
 CreateAppDir=no
 PrivilegesRequired=admin
 OutputDir=Output
 OutputBaseFilename=MachineAuthSetup
 SolidCompression=yes
 Compression=lzma2
 WizardStyle=modern
 SetupIconFile=gea-logo.ico
 WizardImageFile=banner.bmp
 WizardSmallImageFile=banner-sm.bmp
 DisableWelcomePage=no
 DisableDirPage=yes
 DisableProgramGroupPage=yes
 DisableReadyPage=no
 DisableFinishedPage=no
 Uninstallable=no
 [Languages]
 Name: "english"; MessagesFile: "compiler:Default.isl"
 [Messages]
 WelcomeLabel2=This will configure your PC for Machine Authentication 3.0 VLAN connectivity.%n%nThis configures 802.1x authentication for both wired and wireless network interfaces.%n%nYour network connection will be briefly interrupted during configuration.%n%nClick Next to continue.
 [Files]
 ; Include the XML profile files - extract to temp
 Source: "8021x.xml"; DestDir: "{tmp}"; Flags: ignoreversion deleteafterinstall
 Source: "AESFMA.xml"; DestDir: "{tmp}"; Flags: ignoreversion deleteafterinstall
 [Code]
 const
  // Network interface names by Windows version
  WIN7_WIRED = 'Local Area Connection';
  WIN7_WIRELESS = 'Wireless Network Connection';
  WIN10_WIRED = 'Ethernet';
  WIN10_WIRELESS = 'Wi-Fi';
  // Network types
  NET_WIRED = 1;
  NET_WIRELESS = 2;
  NET_UNKNOWN = 0;
 var
  ProgressPage: TOutputProgressWizardPage;
  ResultsMemo: TNewMemo;
  LogMessages: String;
 // ============================================================================
 // LOGGING FUNCTIONS
 // ============================================================================
 procedure LogMsg(const Msg: String);
 begin
  LogMessages := LogMessages + Msg + #13#10;
  Log(Msg);
 end;
 // ============================================================================
 // UTILITY FUNCTIONS
 // ============================================================================
 function IsWindows10OrLater: Boolean;
 var
  Version: TWindowsVersion;
 begin
  GetWindowsVersionEx(Version);
  Result := (Version.Major >= 10);
 end;
 function GetWiredInterfaceName: String;
 begin
  if IsWindows10OrLater then
    Result := WIN10_WIRED
  else
    Result := WIN7_WIRED;
 end;
 function GetWirelessInterfaceName: String;
 begin
  if IsWindows10OrLater then
    Result := WIN10_WIRELESS
  else
    Result := WIN7_WIRELESS;
 end;
 // Execute a command and return the exit code
 function ExecCmd(const Executable, Params: String): Integer;
 var
  ResultCode: Integer;
 begin
  LogMsg('Executing: ' + Executable + ' ' + Params);
  if Exec(Executable, Params, '', SW_HIDE, ewWaitUntilTerminated, ResultCode) then
    Result := ResultCode
  else
    Result := -1;
  LogMsg('  Result: ' + IntToStr(Result));
 end;
 // Execute a command via cmd.exe
 function ExecShell(const Command: String): Integer;
 begin
  Result := ExecCmd('cmd.exe', '/c ' + Command);
 end;
 // Execute netsh command
 function ExecNetsh(const Params: String): Integer;
 begin
  Result := ExecCmd('netsh.exe', Params);
 end;
 // Execute sc command for service control
 function ExecSC(const Params: String): Integer;
 begin
  Result := ExecCmd('sc.exe', Params);
 end;
 // Execute net command
 function ExecNet(const Params: String): Integer;
 begin
  Result := ExecCmd('net.exe', Params);
 end;
 // Check if a network interface exists and is connected
 function IsInterfaceConnected(const InterfaceName: String; IsWireless: Boolean): Boolean;
 var
  TempFile: String;
  OutputLines: TArrayOfString;
  I: Integer;
  Line: String;
  ResultCode: Integer;
 begin
  Result := False;
  TempFile := ExpandConstant('{tmp}\netcheck_') + IntToStr(Random(99999)) + '.txt';
  if IsWireless then
    Exec('cmd.exe', '/c netsh wlan show interfaces > "' + TempFile + '" 2>&1', '', SW_HIDE, ewWaitUntilTerminated, ResultCode)
  else
    Exec('cmd.exe', '/c netsh lan show interfaces > "' + TempFile + '" 2>&1', '', SW_HIDE, ewWaitUntilTerminated, ResultCode);
  if FileExists(TempFile) then
  begin
    if LoadStringsFromFile(TempFile, OutputLines) then
    begin
      for I := 0 to GetArrayLength(OutputLines) - 1 do
      begin
        Line := OutputLines[I];
        // Check for interface name and connected state
        if (Pos(InterfaceName, Line) > 0) then
        begin
          Result := True;
          Break;
        end;
        // Also check for "State" line showing "connected"
        if (Pos('connected', LowerCase(Line)) > 0) and (Pos('disconnected', LowerCase(Line)) = 0) then
        begin
          Result := True;
        end;
      end;
    end;
    DeleteFile(TempFile);
  end;
 end;
 // Detect which network type is currently active
 function DetectActiveNetwork: Integer;
 var
  WiredInterface, WirelessInterface: String;
 begin
  Result := NET_UNKNOWN;
  WiredInterface := GetWiredInterfaceName;
  WirelessInterface := GetWirelessInterfaceName;
  LogMsg('Detecting active network interface...');
  LogMsg('  Wired interface name: ' + WiredInterface);
  LogMsg('  Wireless interface name: ' + WirelessInterface);
  // Check wired first (preferred)
  if IsInterfaceConnected(WiredInterface, False) then
  begin
    LogMsg('  Active network: WIRED');
    Result := NET_WIRED;
  end
  else if IsInterfaceConnected(WirelessInterface, True) then
  begin
    LogMsg('  Active network: WIRELESS');
    Result := NET_WIRELESS;
  end
  else
  begin
    // Default to wired if can't detect
    LogMsg('  Could not detect active network, defaulting to WIRED');
    Result := NET_WIRED;
  end;
 end;
 // ============================================================================
 // SERVICE MANAGEMENT
 // ============================================================================
 procedure StopService(const ServiceName: String);
 begin
  LogMsg('Stopping service: ' + ServiceName);
  ExecNet('stop "' + ServiceName + '"');
 end;
 procedure StartService(const ServiceName: String);
 begin
  LogMsg('Starting service: ' + ServiceName);
  ExecNet('start "' + ServiceName + '"');
 end;
 procedure SetServiceAutoStart(const ServiceName: String);
 begin
  LogMsg('Setting service to auto-start: ' + ServiceName);
  ExecSC('config ' + ServiceName + ' start= auto');
 end;
 // ============================================================================
 // NETWORK CONFIGURATION
 // ============================================================================
 function ConfigureWiredNetwork: Boolean;
 var
  InterfaceName, ProfilePath: String;
 begin
  Result := True;
  InterfaceName := GetWiredInterfaceName;
  ProfilePath := ExpandConstant('{tmp}\8021x.xml');
  LogMsg('');
  LogMsg('=== Configuring Wired Network ===');
  LogMsg('Interface: ' + InterfaceName);
  LogMsg('Profile: ' + ProfilePath);
  // Enable and start Wired AutoConfig service
  SetServiceAutoStart('dot3svc');
  StartService('Wired AutoConfig');
  // Small delay for service to start
  Sleep(1000);
  // Import 802.1x profile to wired interface
  LogMsg('Importing 802.1x profile...');
  if ExecNetsh('lan add profile filename="' + ProfilePath + '" interface="' + InterfaceName + '"') <> 0 then
  begin
    // Try without interface specification as fallback
    LogMsg('Retrying without interface specification...');
    ExecNetsh('lan add profile filename="' + ProfilePath + '"');
  end;
  LogMsg('Wired network configuration complete.');
 end;
 function ConfigureWirelessNetwork: Boolean;
 var
  InterfaceName, ProfilePath: String;
 begin
  Result := True;
  InterfaceName := GetWirelessInterfaceName;
  ProfilePath := ExpandConstant('{tmp}\AESFMA.xml');
  LogMsg('');
  LogMsg('=== Configuring Wireless Network ===');
  LogMsg('Interface: ' + InterfaceName);
  LogMsg('Profile: ' + ProfilePath);
  // Enable and start WLAN AutoConfig service
  SetServiceAutoStart('Wlansvc');
  StartService('WLAN AutoConfig');
  // Small delay for service to start
  Sleep(1000);
  // Import AESFMA profile to wireless interface
  LogMsg('Importing AESFMA profile...');
  if ExecNetsh('wlan add profile filename="' + ProfilePath + '" interface="' + InterfaceName + '"') <> 0 then
  begin
    // Try without interface specification as fallback
    LogMsg('Retrying without interface specification...');
    ExecNetsh('wlan add profile filename="' + ProfilePath + '"');
  end;
  LogMsg('Wireless network configuration complete.');
 end;
 procedure ReconnectNetwork(NetworkType: Integer);
 var
  WiredInterface, WirelessInterface: String;
 begin
  WiredInterface := GetWiredInterfaceName;
  WirelessInterface := GetWirelessInterfaceName;
  LogMsg('');
  LogMsg('=== Reconnecting Network ===');
  if NetworkType = NET_WIRED then
  begin
    LogMsg('Reconnecting wired interface...');
    ExecNetsh('lan reconnect interface="' + WiredInterface + '"');
  end
  else if NetworkType = NET_WIRELESS then
  begin
    LogMsg('Connecting to AESFMA wireless network...');
    ExecNetsh('wlan connect name=AESFMA ssid=AESFMA interface="' + WirelessInterface + '"');
  end;
 end;
 // ============================================================================
 // MAIN CONFIGURATION PROCEDURE
 // ============================================================================
 function PerformConfiguration: Boolean;
 var
  ActiveNetwork: Integer;
  WindowsVersion: String;
 begin
  Result := True;
  LogMessages := '';
  // Log Windows version
  if IsWindows10OrLater then
    WindowsVersion := 'Windows 10/11'
  else
    WindowsVersion := 'Windows 7/8';
  LogMsg('Machine Authentication 3.0 Configuration');
  LogMsg('========================================');
  LogMsg('Windows Version: ' + WindowsVersion);
  LogMsg('');
  // Stop NetworkAdapterManager if it exists (may not exist on all machines)
  LogMsg('Stopping NetworkAdapterManager (if present)...');
  StopService('NetworkAdapterManager');
  // Detect active network
  ActiveNetwork := DetectActiveNetwork;
  // Configure wired network
  ProgressPage.SetText('Configuring wired network...', '');
  ProgressPage.SetProgress(1, 5);
  ConfigureWiredNetwork;
  // Configure wireless network
  ProgressPage.SetText('Configuring wireless network...', '');
  ProgressPage.SetProgress(2, 5);
  ConfigureWirelessNetwork;
  // Reconnect active network
  ProgressPage.SetText('Reconnecting network...', '');
  ProgressPage.SetProgress(3, 5);
  ReconnectNetwork(ActiveNetwork);
  // Start NetworkAdapterManager if it was stopped
  LogMsg('');
  LogMsg('Starting NetworkAdapterManager (if present)...');
  StartService('NetworkAdapterManager');
  // Wait for network to stabilize
  ProgressPage.SetText('Waiting for network to stabilize...', '');
  ProgressPage.SetProgress(4, 5);
  LogMsg('');
  LogMsg('Waiting 10 seconds for network to stabilize...');
  Sleep(10000);
  ProgressPage.SetProgress(5, 5);
  LogMsg('');
  LogMsg('========================================');
  LogMsg('Configuration complete!');
  LogMsg('');
  LogMsg('The machine should now have access to the Machine VLAN.');
  LogMsg('Test vault access to confirm connectivity.');
 end;
 // ============================================================================
 // WIZARD EVENTS
 // ============================================================================
 procedure InitializeWizard;
 begin
  // Create progress page
  ProgressPage := CreateOutputProgressPage('Configuring Network',
    'Please wait while Machine Authentication 3.0 is configured...');
 end;
 function InitializeSetup: Boolean;
 begin
  Result := True;
  // Verify admin privileges
  if not IsAdmin then
  begin
    MsgBox('This installer requires administrator privileges.' + #13#10 +
           'Please right-click and select "Run as administrator".',
           mbError, MB_OK);
    Result := False;
  end;
 end;
 procedure CurStepChanged(CurStep: TSetupStep);
 var
  ResultForm: TSetupForm;
  Memo: TNewMemo;
  OKButton: TNewButton;
 begin
  if CurStep = ssPostInstall then
  begin
    // Show progress page and perform configuration
    ProgressPage.Show;
    try
      PerformConfiguration;
    finally
      ProgressPage.Hide;
    end;
    // Show results in non-silent mode
    if not WizardSilent then
    begin
      ResultForm := CreateCustomForm;
      ResultForm.Caption := 'Configuration Results';
      ResultForm.ClientWidth := 600;
      ResultForm.ClientHeight := 450;
      ResultForm.Position := poScreenCenter;
      Memo := TNewMemo.Create(ResultForm);
      Memo.Parent := ResultForm;
      Memo.Left := 10;
      Memo.Top := 10;
      Memo.Width := ResultForm.ClientWidth - 20;
      Memo.Height := ResultForm.ClientHeight - 60;
      Memo.ScrollBars := ssVertical;
      Memo.ReadOnly := True;
      Memo.Text := LogMessages;
      Memo.Font.Name := 'Consolas';
      Memo.Font.Size := 9;
      OKButton := TNewButton.Create(ResultForm);
      OKButton.Parent := ResultForm;
      OKButton.Caption := 'OK';
      OKButton.Width := 80;
      OKButton.Height := 30;
      OKButton.Left := (ResultForm.ClientWidth - OKButton.Width) div 2;
      OKButton.Top := ResultForm.ClientHeight - 45;
      OKButton.ModalResult := mrOK;
      OKButton.Default := True;
      ResultForm.ActiveControl := OKButton;
      ResultForm.ShowModal;
      ResultForm.Free;
    end;
  end;
 end;
 function UpdateReadyMemo(Space, NewLine, MemoUserInfoInfo, MemoDirInfo, MemoTypeInfo,
  MemoComponentsInfo, MemoGroupInfo, MemoTasksInfo: String): String;
 var
  WinVer, WiredInt, WirelessInt: String;
 begin
  if IsWindows10OrLater then
    WinVer := 'Windows 10/11'
  else
    WinVer := 'Windows 7/8';
  WiredInt := GetWiredInterfaceName;
  WirelessInt := GetWirelessInterfaceName;
  Result := 'Machine Authentication 3.0 Configuration' + NewLine +
            NewLine +
            'The following will be configured:' + NewLine +
            NewLine +
            Space + 'Windows Version: ' + WinVer + NewLine +
            Space + 'Wired Interface: ' + WiredInt + NewLine +
            Space + 'Wireless Interface: ' + WirelessInt + NewLine +
            NewLine +
            'Actions:' + NewLine +
            Space + '1. Enable Wired AutoConfig service (dot3svc)' + NewLine +
            Space + '2. Import 802.1x profile for wired authentication' + NewLine +
            Space + '3. Enable WLAN AutoConfig service (Wlansvc)' + NewLine +
            Space + '4. Import AESFMA profile for wireless authentication' + NewLine +
            Space + '5. Reconnect active network interface' + NewLine +
            NewLine +
            'Note: Network will be briefly interrupted during configuration.';
 end;
--- a/MachineAuth/README.md
+++ b/MachineAuth/README.md
@@ -0,0 +1,171 @@
 # Machine Authentication 3.0
 Configures shop floor PCs for 802.1x/ISE Machine VLAN connectivity with support for both wired and wireless networks.
 ## Overview
 This installer automates the configuration of 802.1x network authentication for GE Aerospace shop floor machines, enabling secure access to the Machine VLAN without requiring user credentials.
 ## What It Configures
 | Network Type | Authentication | Server |
 |--------------|----------------|--------|
 | Wired | 802.1x PEAP/MS-CHAPv2 | Corporate Holdings RADIUS |
 | Wireless | 802.1x EAP-TLS (certificate) | Aerospace FreeRADIUS |
 ## Features
 - **Native Inno Setup Implementation** - All logic in Pascal script, no external batch files
 - **Silent Installation Support** - Full automation for deployment tools
 - **Windows 7/10/11 Support** - Auto-detects OS and uses appropriate interface names
 - **Automatic Network Detection** - Identifies active interface (wired or wireless)
 - **Detailed Logging** - Comprehensive log output for troubleshooting
 ## Usage
 ### Interactive Installation
 1. Run `MachineAuthSetup.exe` as Administrator
 2. Review the configuration summary
 3. Click Install
 4. View results and verify connectivity
 ### Silent Installation
 ```batch
 MachineAuthSetup.exe /VERYSILENT /SUPPRESSMSGBOXES
 ```
 With logging:
 ```batch
 MachineAuthSetup.exe /VERYSILENT /SUPPRESSMSGBOXES /LOG="C:\ma3_install.log"
 ```
 ## Configuration Details
 ### Wired Network (8021x.xml)
 - **EAP Type:** 25 (PEAP)
 - **Inner Method:** MS-CHAPv2 (Type 26)
 - **Auth Mode:** Machine
 - **Credentials:** Windows logon credentials
 - **Service:** dot3svc (Wired AutoConfig)
 ### Wireless Network (AESFMA.xml)
 - **SSID:** AESFMA
 - **Security:** WPA2-Enterprise, AES
 - **EAP Type:** 13 (EAP-TLS)
 - **Auth Mode:** Machine (certificate-based)
 - **Service:** Wlansvc (WLAN AutoConfig)
 ## Interface Names
 | Windows Version | Wired Interface | Wireless Interface |
 |-----------------|-----------------|-------------------|
 | Windows 7/8 | Local Area Connection | Wireless Network Connection |
 | Windows 10/11 | Ethernet | Wi-Fi |
 ## Installation Steps
 1. Stop NetworkAdapterManager service (if present)
 2. Enable and start Wired AutoConfig (dot3svc)
 3. Import 802.1x profile to wired interface
 4. Enable and start WLAN AutoConfig (Wlansvc)
 5. Import AESFMA profile to wireless interface
 6. Reconnect active network interface
 7. Start NetworkAdapterManager service
 8. Wait 10 seconds for network stabilization
 ## Requirements
 - Windows 7, 8, 10, or 11
 - Administrator privileges
 - SSL certificate for FreeRADIUS (pre-installed on managed machines)
 - Standard network interface naming conventions
 ## Files
 ```
 MachineAuth/
 ├── MachineAuth.iss      # Inno Setup script
 ├── 8021x.xml            # Wired 802.1x profile
 ├── AESFMA.xml           # Wireless AESFMA profile
 ├── gea-logo.ico         # Setup icon
 ├── banner.bmp           # Wizard banner
 ├── banner-sm.bmp        # Wizard small image
 └── README.md            # This file
 ```
 ## Legacy Files (Not Required)
 These files are from the original batch-based installer and are not used by the Inno Setup version:
 - `MA3NetworkConfigv4.bat` - Original batch script
 - `ge_runasuser.exe` - Run-as-user utility
 - `RebootDelay.exe` - Reboot delay utility
 - `$PLUGINSDIR/` - NSIS plugin remnants
 ## Troubleshooting
 ### "Requires administrator privileges"
 Right-click the installer and select "Run as administrator"
 ### Network doesn't reconnect after configuration
 1. Manually disconnect and reconnect the network adapter
 2. Check Windows Services that dot3svc and/or Wlansvc are running
 3. Verify the machine has the required certificates
 ### AESFMA wireless doesn't connect
 - Verify the FreeRADIUS SSL certificate is installed
 - Check that the machine is in the correct AD group
 - Ensure the wireless adapter supports WPA2-Enterprise
 ### Wired 802.1x authentication fails
 - Verify the machine account is in the correct AD group
 - Check that the switch port is configured for 802.1x
 - Review the RADIUS server logs for authentication errors
 ### Check installed profiles
 Wired profiles:
 ```batch
 netsh lan show profiles
 ```
 Wireless profiles:
 ```batch
 netsh wlan show profiles
 ```
 ### Remove and reinstall profiles
 Remove wired profile:
 ```batch
 netsh lan delete profile interface="Ethernet"
 ```
 Remove wireless profile:
 ```batch
 netsh wlan delete profile name="AESFMA"
 ```
 Then run the installer again.
 ## Building
 1. Install [Inno Setup 6.x](https://jrsoftware.org/isdl.php)
 2. Open `MachineAuth.iss`
 3. Compile (F9)
 4. Output: `Output/MachineAuthSetup.exe`
 ## Technical Notes
 - No reboot required
 - Brief network interruption during configuration (~10-15 seconds)
 - Safe to run multiple times
 - Does not remove existing profiles (adds/updates)
 ## Author
 WJDT / GE Aerospace
--- a/MachineAuth/READMENetwork.txt
+++ b/MachineAuth/READMENetwork.txt
@@ -0,0 +1,33 @@
 Configure a Shop Floor Machine's network adapters for 802.1x/ISE
 -----------------------------------------------------------------
 This file can be run on either Windows 7 or Windows 10 Machines - SFLD, MCE, or Business Imaged.
 This package creates/configures wired and wireless interfaces for 802.1x.
 The wired network will be configured on the endpoint to use Corporate Holdings RADIUS servers.
 The wireless network will be configured to use the new Aerospace FreeRADIUS servers.
 This package will work on Legacy LOGON machines.
 This package works under the following assumptions:
 1) The PC is either Win7 or Win10
 2) The default wired interface is named "Local Network Connection" (Win7) or "Ethernet" (Win10)
 3) The default wireless interface is named "Wireless Network Connection" (Win7) or "Wi-Fi" (Win10)
 4) The machine has the SSL certificate for FreeRADIUS authentication. This is required for AAA
 Execution
 ---------
 1) log in as admin
 2) extract files to C:\Windows\Options\Packages\GEAerospace_MA_3x4_V01\
 3) open command prompt with admin privilege
 4) change directory to C:\Windows\Options\Packages\AutomatedMigrationTool\
 5) execute file MA3NetworkConfigv4.exe
 > Machine will authorize to wired or wireless Machine VLAN without needing a reboot.
 > Machine will change IP addresses after running this package.
 File list:
 - READMENetwork.txt
 - MA3NetworkConfig4.bat
 - 8021x.xml
 - AESFMA.xml
--- a/MachineAuth/banner-sm.bmp
+++ b/MachineAuth/banner-sm.bmp
--- a/MachineAuth/banner.bmp
+++ b/MachineAuth/banner.bmp
--- a/MachineAuth/gea-logo.ico
+++ b/MachineAuth/gea-logo.ico
--- a/README.md
+++ b/README.md
@@ -10,6 +10,7 @@ Collection of Inno Setup installer packages for GE Aerospace manufacturing tools
 | [HIDCardPrinter](HIDCardPrinter/) | HID FARGO card printer driver installer | [README](HIDCardPrinter/README.md) |
 | [HPOfflineInstaller](HPOfflineInstaller/) | HP Universal Print Driver offline installer | [README](HPOfflineInstaller/README.md) |
 | [JT2GO](JT2GO/) | Siemens JT2Go installer with prerequisite checking | [README](JT2GO/README.md) |
 | [MachineAuth](MachineAuth/) | 802.1x Machine Authentication 3.0 network configuration | [README](MachineAuth/README.md) |
 | [MappedDrive](MappedDrive/) | Network drive mapping tool | [README](MappedDrive/README.md) |
 | [NetworkDriveManager](NetworkDriveManager/) | Advanced network drive management with migration | [README](NetworkDriveManager/README.md) |
 | [PrinterInstaller](PrinterInstaller/) | Network printer installer with ShopDB integration | [README](PrinterInstaller/README.md) |
@@ -33,8 +34,11 @@ Collection of Inno Setup installer packages for GE Aerospace manufacturing tools
 - **JT2GO** - Siemens JT2Go 3D CAD viewer with .NET/VC++ prerequisites
 - **ShopfloorConnect** - Teamcenter MTC Service for shop floor integration
-### Utilities
+### Network Configuration
 - **MachineAuth** - 802.1x Machine Authentication 3.0 for Machine VLAN
 - **BlueSSOFix** - WiFi authentication repair for Blue SSO network
 ### Utilities
 - **Template** - Starting point for creating new Inno Setup projects
 ## Requirements
@@ -85,6 +89,7 @@ inno-installers/
 ├── HIDCardPrinter/       # Card printer drivers
 ├── HPOfflineInstaller/   # HP printer drivers
 ├── JT2GO/                # CAD viewer installer
 ├── MachineAuth/          # 802.1x network configuration
 ├── MappedDrive/          # Drive mapping tool
 ├── NetworkDriveManager/  # Advanced drive management
 ├── PrinterInstaller/     # Network printer installer