MS-JK
Beginner

Windows 10 adding "host/" to the username during EAP-TLS and/or PEAP

Standalone Windows 10 laptop using native supplicant and ISE 2.2. Setting up machine type EAP-TLS authentication for Windows. How can you get rid of the "host/" that is prepended to the identity when trying to authenticate with ISE? Where is that "Host/" coming from (not on the CN cert nor as hostname)?

 

Second issue - why would the client reject ISE's local cert when, on the client, the "verify the server's identity by validating cert" option is NOT selected?

 

Thanks for input!

Arne Bier
VIP Advisor

The prefix of host/ comes from the fact that machine authentication is being done. The AD joined machine is authenticating because the machine booted up, or user logged out. If you don't want to do machine auth, then change the supplicant to do user auth only. But then the machine won't be auth'd if no user is logged in.

If you want to strip the "host/" prefix before sending the request to AD, then you can perform this manipulation in the ISE External identities menu option:

[Screenshot: rewrite.png]

Second issue: The client would reject it if the ISE EAP certificate has expired or is invalid (wrong EKU for example). You'd need to give more details about the ISE EAP certificate that you are using.
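
Added example (not part of the original thread, and not Cisco tooling): a shell check for the two certificate problems named in the reply above, meant to be run against the ISE EAP certificate exported as PEM. It assumes OpenSSL 1.1.1 or later and that "wrong EKU" means Server Authentication is missing; the function names and the self-signed `ise.example.test` certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: inspect an exported EAP server certificate (PEM).
# Assumption: "wrong EKU" means serverAuth is missing from Extended Key Usage.

# check_eap_cert FILE [SECONDS]
# Returns 0 if the certificate stays valid for SECONDS (default 0 = not expired
# right now) and lists TLS Web Server Authentication in its EKU; 1 otherwise.
check_eap_cert() {
    cec_file=$1
    cec_margin=${2:-0}
    cec_rc=0
    # -checkend exits non-zero when notAfter falls inside the margin
    if ! openssl x509 -in "$cec_file" -noout -checkend "$cec_margin" >/dev/null 2>&1; then
        echo "FAIL validity: $(openssl x509 -in "$cec_file" -noout -enddate 2>/dev/null)"
        cec_rc=1
    fi
    # The EKU values are printed on the line after the extension name
    if ! openssl x509 -in "$cec_file" -noout -text 2>/dev/null |
            grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL EKU: TLS Web Server Authentication not present"
        cec_rc=1
    fi
    [ "$cec_rc" -eq 0 ] && echo "OK: $cec_file"
    return "$cec_rc"
}

# make_sample_cert OUT.pem EKU
# Constructed self-signed test certificate, valid for 1 day (hypothetical helper).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=ise.example.test" -days 1 \
        -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# Demonstration on constructed certificates
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/server.pem" serverAuth
make_sample_cert "$demo_dir/client-only.pem" clientAuth
check_eap_cert "$demo_dir/server.pem" || true          # valid now, serverAuth present
check_eap_cert "$demo_dir/client-only.pem" || true     # EKU lacks serverAuth
check_eap_cert "$demo_dir/server.pem" 172800 || true   # expires within 2 days
rm -rf "$demo_dir"
```

For a real check, pass the path of the exported ISE certificate instead of the sample files; a margin such as 2592000 (30 days) flags a certificate that is close to expiry.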

 
