3424 Views | 3 Helpful | 4 Replies
noisey_uk
Beginner

Wired 802.1x using EAP-TLS machine certificates and Microsoft NPS

I'm trying to get this scenario to work, having already used autoenrollment to deploy machine certificates. However, 802.1x fails with NPS event viewer showing the following:

User:
Security ID: TESTCOMPANY\TESTPC$
Account Name: host/TESTPC.TESTCOMPANY.local
Account Domain: TESTCOMPANY
Fully Qualified Account Name: TESTCOMPANY\TESTPC$

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: <SANITIZED - MAC ADDRESS>
Calling Station Identifier: <SANITIZED - MAC ADDRESS>

NAS:
NAS IPv4 Address: <SANITIZED - SWITCH IP ADDRESS>
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 50118

RADIUS Client:
Client Friendly Name: <SANITIZED - SWITCH NAME>
Client IP Address: <SANITIZED - SWITCH IP ADDRESS>

Authentication Details:
Connection Request Policy Name: DOT1X-TEST-CP
Network Policy Name: DOT1X-TEST-NP
Authentication Provider: Windows
Authentication Server: DC01.TESTCOMPANY.local
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

If I've stipulated that the NIC uses Computer Authentication, shouldn't that appear under Client Machine instead of User? An AD account definitely exists for TESTPC.TESTCOMPANY.local. Should the host/ be appearing under Account Name?

The authenticating switch is a 2960X running IOS 15.

Any ideas?

4 REPLIES
jan.nielsen
Rising star

I don't know much about NPS, but a machine account is basically also a user account, just for the machine; it has a password and a username just like a user account, so I think you're good. The host/ prefix is how Windows indicates that the credentials are from a machine, and not a user.

The switch has no involvement in how your supplicant is authenticating; it just forwards your EAP packets via RADIUS to the NPS.

Thanks for the confirmation re. host/, Jan.

noisey_uk
Beginner

I just tried Windows 10 and it works perfectly. Are there known issues with Windows 7, 802.1x, and NPS?

I have win7 over EAP-TLS with NPS. Make sure the security patches are up to date and that the computer has a certificate that is issued by the same CA as your DC.

Take a look at this:

https://supportforums.cisco.com/document/128096/configure-wireless-clients-running-windows-7-eap-tls-authentication-nps-radius
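A way to verify those certificate requirements on the client itself. This is an added PowerShell example, not code from the thread or from Cisco/Microsoft; it assumes the machine certificate lives in Cert:\LocalMachine\My and uses the FQDN from the event log above as a placeholder:

```powershell
# Added example (not from the thread): check a machine certificate in
# LocalMachine\My against what NPS requires for EAP-TLS computer authentication.
# $fqdn is an assumption taken from the event above; replace it with your host's FQDN.
$fqdn       = "TESTPC.TESTCOMPANY.local"
$clientAuth = "1.3.6.1.5.5.7.3.2"   # Client Authentication EKU OID
$now        = Get-Date

# Only certificates carrying the Client Authentication EKU are candidates for EAP-TLS.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    $eku -and (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $clientAuth)
}
if (-not $certs) { Write-Warning "No Client Authentication certificate in LocalMachine\My"; return }

foreach ($cert in $certs) {
    Write-Host "`nThumbprint:        $($cert.Thumbprint)"
    Write-Host "Subject:           $($cert.Subject)"
    Write-Host "Issuer:            $($cert.Issuer)"

    # 1. The supplicant must hold the private key, or it cannot complete the TLS handshake.
    Write-Host "Private key:       $($cert.HasPrivateKey)"

    # 2. Validity window; an expired or not-yet-valid certificate is rejected outright.
    Write-Host "Valid now:         $($cert.NotBefore -le $now -and $now -le $cert.NotAfter)"

    # 3. Identity: NPS maps the certificate to host/<FQDN> through the SAN dNSName
    #    (or the Subject CN), so one of them must equal the machine's FQDN.
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { "(no SAN)" }
    $pattern = [regex]::Escape($fqdn) + '(,|$)'
    $nameOk  = ($sanText -match "DNS Name=$pattern") -or ($cert.Subject -match "CN=$pattern")
    Write-Host "Name matches FQDN: $nameOk   [$sanText]"

    # 4. The chain must build to a root the NPS server trusts too, i.e. the same
    #    enterprise CA that issued the DC's certificate. Revocation is checked
    #    online here because NPS checks it by default on its side.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "Online"
    $chainOk = $chain.Build($cert)
    Write-Host "Chain builds:      $chainOk"
    if (-not $chainOk) {
        $chain.ChainStatus | ForEach-Object { Write-Host "  - $($_.Status): $($_.StatusInformation.Trim())" }
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "Chain root:        $($root.Subject)"
}
```

Run it in an elevated PowerShell on the failing Windows 7 client; a false on any of the four checks, or a chain root that differs from the one in the NPS server's Trusted Root store, explains a Reason Code 16 before touching the switch config.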
