cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10097
Views
23
Helpful
5
Replies

WIndows 10 adding "host/" to the username during eap-tls and or peap

MS-JK
Level 1
Level 1

Standalone Windows 10 laptop using native supplicant and ISE 2.2. Setting up machine type eap-tls authentication for windows. How can you get rid of the "host/" that is prepended to the identity when trying to authenticate with ISE? Where is that "Host/" coming from (not on the CN cert nor as hostname).

 

Second issue - why would client reject ISE's local cert when on the client the "verify the server's identity by validating cert' is NOT selected.

 

Thanks for input!

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP
VIP

The prefix of host/ comes from the fact that machine authentication is being done. The AD joined machine is authenticating because the machine booted up, or user logged out. If you don't want to do machine auth, then change the supplicant to do user auth only. But then the machine won't be auth'd if no user is logged in.

If you want to strip the "host/" prefix before sending the request to AD, then you can perform this manipulation in the ISE External identities menu option:

rewrite.png

 

 

Second issue: The client would reject it if the ISE EAP certificate has expired or is invalid (wrong EKU for example). You'd need to give more details about the ISE EAP certificate that you are using.

 

View solution in original post

5 Replies 5

Arne Bier
VIP
VIP

The prefix of host/ comes from the fact that machine authentication is being done. The AD joined machine is authenticating because the machine booted up, or user logged out. If you don't want to do machine auth, then change the supplicant to do user auth only. But then the machine won't be auth'd if no user is logged in.

If you want to strip the "host/" prefix before sending the request to AD, then you can perform this manipulation in the ISE External identities menu option:

rewrite.png

 

 

Second issue: The client would reject it if the ISE EAP certificate has expired or is invalid (wrong EKU for example). You'd need to give more details about the ISE EAP certificate that you are using.

 

Hi

We enabled both machine AND user authentication on the supplicant but the ISE is authenticating only the Machine name.

When I go to Context visibility > endpoints to see logs, I see only the machine name on the attributes for the authenticated machine (it is like the the supplicant only sends one name : either the machine or username).

We want to keep both user and machine name authentication so we can use both on the authorization rules (username + machine names that have an antivirus installed).

Is there a way to do that without forcing only the supplicant to send usernames ?

Best regards

You would be better served to ask this as a new question since it has little to do with the original ask.

Hi Louey,

You can perform Machine+User authentication using EAP-Chaining on the Windows Native Supplicant. This can be achieved using the TEAP protocol.

Sharing the doc for reference : https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html

falnaffar
Level 1
Level 1

the problem with EAP-Chaining it will causes problems to new users trying to login for the first time into their machines especially those working remotely and have their laptops imaged and send to their home addresses. they won't be able to login unless you break the eap-chain or uninstall anyconnect and redeploy it again after user login.