11-17-2020 10:19 AM
Standalone Windows 10 laptop using the native supplicant and ISE 2.2. Setting up machine-type EAP-TLS authentication for Windows. How can you get rid of the "host/" that is prepended to the identity when trying to authenticate with ISE? Where is that "host/" coming from (it is not in the certificate CN nor the hostname)?
Second issue: why would the client reject ISE's local cert when, on the client, "verify the server's identity by validating cert" is NOT selected?
Thanks for input!
11-29-2020 08:03 PM
The prefix of host/ comes from the fact that machine authentication is being done. The AD joined machine is authenticating because the machine booted up, or user logged out. If you don't want to do machine auth, then change the supplicant to do user auth only. But then the machine won't be auth'd if no user is logged in.
If you want to strip the "host/" prefix before sending the request to AD, then you can perform this manipulation in the ISE External identities menu option:
Second issue: The client would reject it if the ISE EAP certificate has expired or is invalid (wrong EKU for example). You'd need to give more details about the ISE EAP certificate that you are using.
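To make the identity formats in this answer concrete, here is an added example (not from the original post or from ISE) that parses the identity string a Windows supplicant presents and shows why a "host/" prefix means a machine authentication. The optional prefix-stripping models the rewrite behaviour described above; the hostnames and usernames are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample identities, in the forms a Windows native supplicant
# sends in EAP-Response/Identity (made-up hosts and users, not real data).
SAMPLE_IDENTITIES = [
    "host/LAPTOP01.corp.example.com",   # machine auth: after boot or user logoff
    "CORP\\jdoe",                       # user auth, down-level logon name
    "jdoe@corp.example.com",            # user auth, UPN
    "jdoe",                             # user auth, bare account name
]

@dataclass
class ParsedIdentity:
    auth_type: str           # "machine" or "user"
    lookup_name: str         # the name that would be sent to the identity store
    realm: Optional[str]     # domain/realm carried in the identity, if any

def parse_eap_identity(identity: str, strip_host_prefix: bool = True) -> ParsedIdentity:
    """Classify an EAP identity: the 'host/' prefix marks a computer-account
    (machine) authentication, everything else is treated as a user.
    strip_host_prefix is an assumption that models an identity-rewrite rule
    removing 'host/' before the AD lookup; it is not ISE's own code."""
    if identity.lower().startswith("host/"):
        fqdn = identity[len("host/"):]
        _, _, realm = fqdn.partition(".")
        lookup = fqdn if strip_host_prefix else identity
        return ParsedIdentity("machine", lookup, realm or None)
    m = re.fullmatch(r"([^\\]+)\\(.+)", identity)         # DOMAIN\user
    if m:
        return ParsedIdentity("user", m.group(2), m.group(1))
    if "@" in identity:                                    # user@realm (UPN)
        user, _, realm = identity.partition("@")
        return ParsedIdentity("user", user, realm)
    return ParsedIdentity("user", identity, None)

def count_auth_types(identities) -> dict:
    """Tally machine vs user authentications, e.g. over identities pulled
    from RADIUS live logs, to see which identity a supplicant actually sent."""
    counts = {"machine": 0, "user": 0}
    for ident in identities:
        counts[parse_eap_identity(ident).auth_type] += 1
    return counts

if __name__ == "__main__":
    for ident in SAMPLE_IDENTITIES:
        print(f"{ident!r:38} -> {parse_eap_identity(ident)}")
    print(count_auth_types(SAMPLE_IDENTITIES))
```

Each authentication carries one identity, which is why a machine logon shows only the host/ name and a user logon only the username.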
03-24-2023 07:51 AM
Hi
We enabled both machine AND user authentication on the supplicant but the ISE is authenticating only the Machine name.
When I go to Context visibility > endpoints to see logs, I see only the machine name in the attributes for the authenticated machine (it is like the supplicant only sends one name: either the machine or the username).
We want to keep both user and machine name authentication so we can use both on the authorization rules (username + machine names that have an antivirus installed).
Is there a way to do that without forcing the supplicant to send only usernames?
Best regards
03-24-2023 09:58 AM
You would be better served to ask this as a new question since it has little to do with the original ask.