topic I don't know much about NPS, in Network Access Control

Wired 802.1x using EAP-TLS machine certificates and Microsoft NPS

noisey_uk — Mon, 11 Mar 2019 06:41:39 GMT

I'm trying to get this scenario to work, having already used autoenrollment to deploy machine certificates. However, 802.1x fails with NPS event viewer showing the following:

User:
Security ID: TESTCOMPANY\TESTPC$
Account Name: host/TESTPC.TESTCOMPANY.local
Account Domain: TESTCOMPANY
Fully Qualified Account Name: TESTCOMPANY\TESTPC$

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: <SANITIZED - MAC ADDRESS>
Calling Station Identifier: <SANITIZED - MAC ADDRESS>

NAS:
NAS IPv4 Address: <SANITIZED - SWITCH IP ADDRESS>
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 50118

RADIUS Client:
Client Friendly Name: <SANITIZED - SWITCH NAME>
Client IP Address: <SANITIZED - SWITCH IP ADDRESS>

Authentication Details:
Connection Request Policy Name: DOT1X-TEST-CP
Network Policy Name: DOT1X-TEST-NP
Authentication Provider: Windows
Authentication Server: DC01.TESTCOMPANY.local
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

If I've stipulated that the NIC uses Computer Authentication, shouldn't that appear under Client Machine instead of User? An AD account definitely exists for TESTPC.TESTCOMPANY.local. Should the host/ be appearing under Account Name?

The authenticating switch is a 2960X running IOS 15.

Any ideas?

I don't know much about NPS,

jan.nielsen — Fri, 22 Apr 2016 12:49:49 GMT

I don't know much about NPS, but a machine account, is basically also a user account, just for the machine, it has a password and a username just like a user account, so i think your good. The host/ prefix is how windows indicates that the credentials are from a machine, and not a user.

The switch has no involvement in how your supplicant is authenticating, it just forwards your eap packets via radius to the NPS.

Thanks for the confirmation

noisey_uk — Sat, 30 Apr 2016 10:30:09 GMT

Thanks for the confirmation re. host/ Jan

I just tried Windows 10 and

noisey_uk — Sat, 30 Apr 2016 10:31:33 GMT

I just tried Windows 10 and it works perfectly. Are there known issues with Windows 7, 802.1x, and NPS?

I have win7 over EAP-TLS with

Nadav — Sat, 30 Apr 2016 11:08:00 GMT

I have win7 over EAP-TLS with NPS. Make sure the security patches are up to date and that the computer has a certificate that is issued by the same CA as your DC.

Take a look at this:

https://supportforums.cisco.com/document/128096/configure-wireless-clients-running-windows-7-eap-tls-authentication-nps-radius