802.1x + Machine Authentication about ISE

wangbean60451
Level 1

Currently, domain users cannot automatically connect to the 802.1x wireless. We have run a test here; the summary is as follows:

How can I solve this, so that when a domain computer restarts it automatically connects to the wireless? I tried to pass machine authentication through the domain controller, but I found that the computer does not go on to send the username authentication information to ISE, so I only ever see the machine authentication information in ISE and cannot tell which domain user account is connected to the wireless.

Symptoms:
1. When a domain-joined computer is restarted, it cannot automatically connect to the Staff wireless.
2. On a domain-joined computer, after unlocking the lock screen, it connects to the Staff wireless normally.

The failure analysis is as follows:
Problem 1: A domain-joined computer, after a restart, cannot automatically connect to the Staff wireless.
From packet capture analysis we found that after the computer restarts it sits at the lock screen. At this point Windows automatically initiates an authentication request to ISE according to the "user or computer authentication" setting. We therefore see the following request logs in ISE, containing both machine information and user information.
<Image 1>

From the packet capture we can see:
The user authentication information sent is: Domain.cn\DEVIN-PC$
The machine authentication information sent is: Host/Devin-PC.domain.cn
Neither of these is account information, so authentication fails.
<Image 2>

Problem 2: A domain-joined computer, after unlocking the lock screen, can connect to the Staff wireless normally.
Similarly, after unlocking the lock screen and clicking the wireless connection, it connects normally, and the connected user information seen is Domain.cn\Ling, which is an AD domain account, so authentication passes.
<Image 3>
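The three identity strings in the capture above are the two forms Windows uses for the computer (host/FQDN, and the computer account whose sAMAccountName ends in "$") plus one user account. The script below is an added example, not code from the original post or from Cisco ISE: it classifies such identities, tags each event with an assumed authorization profile name (the names are assumptions, not ISE defaults), and correlates machine and user events per endpoint MAC, which is how you can tell which domain user ended up on which machine when PEAP keeps the two authentications as separate sessions. The log lines are constructed in a simplified key=value form and are not real ISE syslog.

```python
import re

# Identity forms the Windows supplicant sends, as captured in the post above:
#   host/Devin-PC.domain.cn   computer identity sent in the Computer state (host/<FQDN>)
#   Domain.cn\DEVIN-PC$       computer account name; AD computer accounts always end in '$'
#   Domain.cn\Ling            user account sent in the User state
HOST_FORM = re.compile(r"^host/(?P<host>[^\s@/\\]+)$", re.IGNORECASE)
SAM_FORM = re.compile(r"^(?P<domain>[^\\\s]+)\\(?P<name>[^\\\s]+)$")
UPN_FORM = re.compile(r"^(?P<name>[^@\s]+)@(?P<domain>[^@\s]+)$")


def classify_identity(identity):
    """Return (kind, account) where kind is 'machine', 'user' or 'unknown'."""
    m = HOST_FORM.match(identity)
    if m:
        return "machine", m.group("host").split(".")[0].lower()
    m = SAM_FORM.match(identity)
    if m:
        name = m.group("name")
        if name.endswith("$"):
            return "machine", name[:-1].lower()
        return "user", name.lower()
    m = UPN_FORM.match(identity)
    if m:
        return "user", m.group("name").lower()
    return "unknown", identity


# Assumed authorization profile names (not ISE built-ins): limited access for the
# Computer state so a new user can still log on over wireless, full access after logon.
AUTHZ_PROFILE = {"machine": "Machine_Limited_Access", "user": "Staff_Full_Access"}


def authorization_profile(kind):
    return AUTHZ_PROFILE.get(kind, "DenyAccess")


# Constructed, simplified key=value log lines (not real ISE syslog format).
SAMPLE_LOG = r"""
2024-01-01T08:00:01 UserName=host/Devin-PC.domain.cn CallingStationID=AA-BB-CC-00-11-22 Result=Passed
2024-01-01T08:00:02 UserName=Domain.cn\DEVIN-PC$ CallingStationID=AA-BB-CC-00-11-22 Result=Passed
2024-01-01T08:05:30 UserName=Domain.cn\Ling CallingStationID=AA-BB-CC-00-11-22 Result=Passed
2024-01-01T08:06:00 UserName=host/Other-PC.domain.cn CallingStationID=AA-BB-CC-33-44-55 Result=Passed
2024-01-01T08:07:00 UserName=Domain.cn\Bob CallingStationID=AA-BB-CC-33-44-55 Result=Failed
"""
LINE = re.compile(r"^(?P<ts>\S+) UserName=(?P<id>\S+) CallingStationID=(?P<mac>\S+) Result=(?P<res>\S+)$")


def parse_log(text):
    """Parse the constructed log lines into events tagged with identity kind and profile."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        kind, account = classify_identity(m.group("id"))
        events.append({"ts": m.group("ts"), "mac": m.group("mac"), "kind": kind,
                       "account": account, "result": m.group("res"),
                       "authz": authorization_profile(kind)})
    return events


def sessions_by_mac(events):
    """Per endpoint MAC: which computer passed machine auth and which user (if any) followed."""
    sessions = {}
    for e in events:
        if e["result"] != "Passed" or e["kind"] not in ("machine", "user"):
            continue
        s = sessions.setdefault(e["mac"], {"machine": None, "user": None})
        s[e["kind"]] = e["account"]
    return sessions


if __name__ == "__main__":
    for mac, s in sessions_by_mac(parse_log(SAMPLE_LOG)).items():
        print(mac, "computer:", s["machine"], "user:", s["user"] or "(Computer state only)")
```

An endpoint that shows only a machine entry is a PC sitting at the lock screen (Computer state); one that shows both is a PC whose user has since logged on. With TEAP and EAP chaining ISE receives both identities in one session and this correlation is unnecessary.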

4 Replies

This sounds like the Windows supplicant is configured for Machine authentication only and not User or Machine Authentication.  Is the person logging into the machine using a local account or an Active Directory account?

Also, if user authentication visibility is required, it's best practice now to use TEAP instead of PEAP.  TEAP can couple the machine authentication and the user authentication into a single EAP transaction (EAP Chaining) and is natively supported in Windows 10 2004+ and ISE 2.7+.

In fact, user or computer authentication is configured on the computer. However, before the Windows computer is unlocked, the wireless connection does not work normally, and the logs the PC produces in ISE show something like the machine name.
Only when I unlock my Windows PC and click wireless Connect can I authenticate with my 802.1x information.
Any good ideas?

As @hslai and @ahollifield said, what you are describing is the expected behaviour when the supplicant is configured for 'User or Computer' authentication. A Windows PC has two distinct states; the Computer state and the User state. Prior to a user logging in or when a user logs out, Windows is in a Computer state. When a user logs in, Windows switches to the User state.
With the supplicant configured for 'User or Computer' auth, you need to authenticate the Computer when in the Computer state, and the user when in the User state.

Although it's an old document and focused mainly on Wired connections, see the following blog for more information. The same supplicant behaviour applies to Wireless.
Machine Authentication and User Authentication 

You have not mentioned the authentication protocol you are using (PEAP, EAP-TLS, TEAP, etc), but if you want to use 'User or Computer' auth, you will need to ensure the same authentication method is configured properly for the Computer auth. With EAP-TLS (or PEAP/TEAP with inner EAP-TLS) for example, you would need to ensure the PC has a valid computer certificate and root chain in the Computer store.
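To check the two supplicant settings this reply calls out (the 'User or Computer' mode and the EAP method) without clicking through the Windows UI, you can export the profile with `netsh wlan export profile` and inspect the XML. The checker below is an added example, not code from the thread or from Microsoft: the profile XML it builds is a constructed minimal fragment of the exported profile schema (the element names and the default namespaces are assumptions drawn from that schema, not a full export), and the findings mirror the behaviour described in this thread.

```python
import xml.etree.ElementTree as ET

# Default namespaces used in exported Windows WLAN profiles (assumed from the schema).
NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "eap": "http://www.microsoft.com/provisioning/EapHostConfig",
    "eapc": "http://www.microsoft.com/provisioning/EapCommon",
}
# IANA EAP method numbers for the methods discussed in the thread.
EAP_METHODS = {13: "EAP-TLS", 25: "PEAP", 55: "TEAP"}


def profile_xml(name, auth_mode, eap_type):
    """Build a constructed, minimal WLAN profile (not a complete netsh export)."""
    return f"""<WLANProfile xmlns="{NS['wlan']}">
  <name>{name}</name>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication></authEncryption>
    <OneX xmlns="{NS['onex']}">
      <authMode>{auth_mode}</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="{NS['eap']}">
          <EapMethod><Type xmlns="{NS['eapc']}">{eap_type}</Type></EapMethod>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""


def check_supplicant(xml_text):
    """Report authMode, EAP method, and findings about Computer/User state behaviour."""
    root = ET.fromstring(xml_text)
    # authMode values: machine, user, machineOrUser (the UI's 'User or Computer'), guest.
    auth_mode = root.findtext(".//onex:authMode", namespaces=NS) or "user"
    type_text = root.findtext(".//eapc:Type", namespaces=NS)
    method = EAP_METHODS.get(int(type_text), f"EAP type {type_text}") if type_text else "none"

    findings = []
    if auth_mode not in ("machine", "machineOrUser"):
        findings.append(f"authMode={auth_mode}: nothing authenticates in the Computer state "
                        "(before logon or at the lock screen)")
    if auth_mode == "machine":
        findings.append("authMode=machine: ISE never sees the user identity after logon")
    if auth_mode == "machineOrUser" and method != "TEAP":
        findings.append(f"{method} with machineOrUser: machine and user authenticate as "
                        "separate sessions; only TEAP (EAP chaining) ties them together")
    return {"name": root.findtext("wlan:name", namespaces=NS),
            "authMode": auth_mode, "method": method, "findings": findings}


if __name__ == "__main__":
    # Weak setting beside the corrected one.
    for mode, eap in (("user", 25), ("machineOrUser", 25), ("machineOrUser", 55)):
        result = check_supplicant(profile_xml("Staff", mode, eap))
        print(result["authMode"], result["method"], result["findings"] or "OK")
```

Run the checker against a real export by reading the file produced by `netsh wlan export profile name="Staff" folder=.` into `check_supplicant`; the constructed `profile_xml` helper is only there so the example runs offline. For EAP-TLS or an inner EAP-TLS, the separate check the reply mentions (a valid computer certificate and chain in the Computer store) is outside what the profile XML can tell you.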

hslai
Cisco Employee

Besides what ahollifield said, if no user has logged in after the computer restarts, then it's expected that the authentication requests are sent based on the computer info. Normally, we would also grant some basic access for the computer authentication, in case a new domain user needs to log in on this .1X wireless network or the user's credentials have changed.