# Machine Authentication 3.0 (v3.4)

Configures shop floor PCs for 802.1x/ISE Machine VLAN connectivity with support for both wired and wireless networks.

## Overview

This installer automates the configuration of 802.1x network authentication for GE Aerospace shop floor machines, enabling secure access to the Machine VLAN without requiring user credentials.

## What It Configures

| Network Type | Authentication | Server |
|--------------|----------------|--------|
| Wired | 802.1x PEAP/MS-CHAPv2 | Corporate Holdings RADIUS |
| Wireless | 802.1x EAP-TLS (certificate) | Aerospace FreeRADIUS |

## Features

- **Native Inno Setup Implementation** - All logic in Pascal script, no external batch files
- **Silent Installation Support** - Full automation for deployment tools
- **Windows 7/10/11 Support** - Auto-detects OS and uses appropriate interface names
- **Automatic Network Detection** - Identifies active interface (wired or wireless)
- **Detailed Logging** - Comprehensive log output for troubleshooting

## Usage

### Interactive Installation

1. Run `MachineAuthSetup.exe` as Administrator
2. Review the configuration summary
3. Click Install
4. View results and verify connectivity

### Silent Installation

```batch
MachineAuthSetup.exe /VERYSILENT /SUPPRESSMSGBOXES
```

With logging:
```batch
MachineAuthSetup.exe /VERYSILENT /SUPPRESSMSGBOXES /LOG="C:\ma3_install.log"
```

## Configuration Details

### Wired Network (8021x.xml)

- **EAP Type:** 25 (PEAP)
- **Inner Method:** MS-CHAPv2 (Type 26)
- **Auth Mode:** Machine
- **Credentials:** Windows logon credentials
- **Service:** dot3svc (Wired AutoConfig)

### Wireless Network (AESFMA.xml)

- **SSID:** AESFMA
- **Security:** WPA2-Enterprise, AES
- **EAP Type:** 13 (EAP-TLS)
- **Auth Mode:** Machine (certificate-based)
- **Service:** Wlansvc (WLAN AutoConfig)

## Interface Names

| Windows Version | Wired Interface | Wireless Interface |
|-----------------|-----------------|-------------------|
| Windows 7/8 | Local Area Connection | Wireless Network Connection |
| Windows 10/11 | Ethernet | Wi-Fi |

## Installation Steps

1. Stop NetworkAdapterManager service (if present)
2. Enable and start Wired AutoConfig (dot3svc)
3. Import 802.1x profile to wired interface
4. Enable and start WLAN AutoConfig (Wlansvc)
5. Import AESFMA profile to wireless interface
6. Reconnect active network interface
7. Start NetworkAdapterManager service
8. Wait 10 seconds for network stabilization

## Requirements

- Windows 7, 8, 10, or 11
- Administrator privileges
- SSL certificate for FreeRADIUS (pre-installed on managed machines)
- Standard network interface naming conventions

## Files

```
MachineAuth/
├── MachineAuth.iss      # Inno Setup script
├── 8021x.xml            # Wired 802.1x profile
├── AESFMA.xml           # Wireless AESFMA profile
├── gea-logo.ico         # Setup icon
├── banner.bmp           # Wizard banner
├── banner-sm.bmp        # Wizard small image
└── README.md            # This file
```

## Legacy Files (Not Required)

These files are from the original batch-based installer and are not used by the Inno Setup version:

- `MA3NetworkConfigv4.bat` - Original batch script
- `ge_runasuser.exe` - Run-as-user utility
- `RebootDelay.exe` - Reboot delay utility
- `$PLUGINSDIR/` - NSIS plugin remnants

## Troubleshooting

### "Requires administrator privileges"
Right-click the installer and select "Run as administrator"

### Network doesn't reconnect after configuration
1. Manually disconnect and reconnect the network adapter
2. Check Windows Services that dot3svc and/or Wlansvc are running
3. Verify the machine has the required certificates

### AESFMA wireless doesn't connect
- Verify the FreeRADIUS SSL certificate is installed
- Check that the machine is in the correct AD group
- Ensure the wireless adapter supports WPA2-Enterprise

### Wired 802.1x authentication fails
- Verify the machine account is in the correct AD group
- Check that the switch port is configured for 802.1x
- Review the RADIUS server logs for authentication errors

### Check installed profiles

Wired profiles:
```batch
netsh lan show profiles
```

Wireless profiles:
```batch
netsh wlan show profiles
```

### Remove and reinstall profiles

Remove wired profile:
```batch
netsh lan delete profile interface="Ethernet"
```

Remove wireless profile:
```batch
netsh wlan delete profile name="AESFMA"
```

Then run the installer again.

## Building

1. Install [Inno Setup 6.x](https://jrsoftware.org/isdl.php)
2. Open `MachineAuth.iss`
3. Compile (F9)
4. Output: `Output/MachineAuthSetup_v3.4.exe`

## Technical Notes

- No reboot required
- Brief network interruption during configuration (~10-15 seconds)
- Safe to run multiple times
- Does not remove existing profiles (adds/updates)

## Author

WJDT / GE Aerospace