04-20-2016 07:04 AM - edited 03-10-2019 11:41 PM
I'm trying to get this scenario to work, having already used autoenrollment to deploy machine certificates. However, 802.1x fails with NPS event viewer showing the following:
User:
Security ID: TESTCOMPANY\TESTPC$
Account Name: host/TESTPC.TESTCOMPANY.local
Account Domain: TESTCOMPANY
Fully Qualified Account Name: TESTCOMPANY\TESTPC$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: <SANITIZED - MAC ADDRESS>
Calling Station Identifier: <SANITIZED - MAC ADDRESS>
NAS:
NAS IPv4 Address: <SANITIZED - SWITCH IP ADDRESS>
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 50118
RADIUS Client:
Client Friendly Name: <SANITIZED - SWITCH NAME>
Client IP Address: <SANITIZED - SWITCH IP ADDRESS>
Authentication Details:
Connection Request Policy Name: DOT1X-TEST-CP
Network Policy Name: DOT1X-TEST-NP
Authentication Provider: Windows
Authentication Server: DC01.TESTCOMPANY.local
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
If I've stipulated that the NIC uses Computer Authentication, shouldn't that appear under Client Machine instead of User? An AD account definitely exists for TESTPC.TESTCOMPANY.local. Should the host/ be appearing under Account Name?
The authenticating switch is a 2960X running IOS 15.
Any ideas?
04-22-2016 05:49 AM
I don't know much about NPS, but a machine account is basically also a user account, just for the machine; it has a password and a username just like a user account, so I think you're good. The host/ prefix is how Windows indicates that the credentials are from a machine, and not a user.
The switch has no involvement in how your supplicant is authenticating; it just forwards your EAP packets via RADIUS to the NPS.
04-30-2016 03:30 AM
Thanks for the confirmation re. host/, Jan.
04-30-2016 03:31 AM
I just tried Windows 10 and it works perfectly. Are there known issues with Windows 7, 802.1x, and NPS?
04-30-2016 04:08 AM
I have win7 over EAP-TLS with NPS. Make sure the security patches are up to date and that the computer has a certificate that is issued by the same CA as your DC.
Take a look at this:
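The last reply suggests checking that the Windows 7 client holds a machine certificate issued by a CA the NPS server trusts. The script below is an added example, not something posted in this thread, that audits the client's Local Computer\Personal store for a certificate the Windows supplicant could use for EAP-TLS (private key present, Client Authentication EKU, name matching the machine's AD FQDN, chain building with revocation checking on) and lists the client's trusted root CAs so they can be compared with the CA that issued the NPS server's certificate. It assumes Windows PowerShell 2.0 or later and is run from an elevated prompt on the client; the function names are the example's own.

```powershell
# Added example (not from this thread): audit a Windows client's 802.1X machine
# certificate for EAP-TLS and list the CAs the client trusts. Assumes Windows
# PowerShell 2.0+ (Windows 7), run elevated on the client being tested.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU
$ekuExtOid     = '2.5.29.37'           # Extended Key Usage extension
$sanExtOid     = '2.5.29.17'           # Subject Alternative Name extension

function Get-ClientAuthCertificate {
    # Autoenrolled machine certificates land in LocalMachine\My. EAP-TLS needs one
    # with a usable private key and the Client Authentication EKU.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $c = $_
        if (-not $c.HasPrivateKey) { return $false }
        $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
        if ($ext -eq $null) { return $false }
        $hit = $ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }
        return ($hit -ne $null)
    }
}

function Test-Dot1xMachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # NPS maps the certificate to the computer account via the DNS name in the
    # subject or SAN, so that name must match the machine's AD FQDN
    # (the host/TESTPC.TESTCOMPANY.local form seen in the NPS event).
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanExtOid }
    $sanText = if ($san -ne $null) { $san.Format($false) } else { '' }
    $nameOk = ($Cert.Subject -like "*CN=$fqdn*") -or ($sanText -like "*$fqdn*")

    # Build the chain the way NPS would: revocation checking on, so a CRL that
    # the server cannot reach or that has expired shows up as a chain failure.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($Cert)
    $rootCa = $null
    if ($chain.ChainElements.Count -gt 0) {
        $rootCa = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    $now = Get-Date
    New-Object PSObject -Property @{
        Thumbprint  = $Cert.Thumbprint
        Subject     = $Cert.Subject
        Issuer      = $Cert.Issuer
        RootCA      = $rootCa
        NameMatches = $nameOk
        TimeValid   = ($Cert.NotBefore -le $now -and $Cert.NotAfter -ge $now)
        ChainBuilds = $chainOk
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

# One report per candidate certificate. No output at all means autoenrollment
# has not delivered a certificate the supplicant can use for EAP-TLS.
Get-ClientAuthCertificate | ForEach-Object { Test-Dot1xMachineCert -Cert $_ } | Format-List

# The CA that issued the NPS server's certificate must appear here, otherwise
# the client rejects the server during the EAP-TLS handshake.
"Trusted root CAs on this client:"
Get-ChildItem Cert:\LocalMachine\Root | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
```

Compare the Issuer and RootCA values in the report with the CA that issued the NPS server's certificate on DC01: if they differ, or if NameMatches, TimeValid or ChainBuilds is False, that is the mismatch behind a Reason Code 16 rejection, independent of anything configured on the switch.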