Wired 802.1x using EAP-TLS machine certificates and Microsoft NPS

noisey_uk
Level 1

I'm trying to get this scenario to work, having already used autoenrollment to deploy machine certificates. However, 802.1x fails with NPS event viewer showing the following:

User:
Security ID: TESTCOMPANY\TESTPC$
Account Name: host/TESTPC.TESTCOMPANY.local
Account Domain: TESTCOMPANY
Fully Qualified Account Name: TESTCOMPANY\TESTPC$

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: <SANITIZED - MAC ADDRESS>
Calling Station Identifier: <SANITIZED - MAC ADDRESS>

NAS:
NAS IPv4 Address: <SANITIZED - SWITCH IP ADDRESS>
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 50118

RADIUS Client:
Client Friendly Name: <SANITIZED - SWITCH NAME>
Client IP Address: <SANITIZED - SWITCH IP ADDRESS>

Authentication Details:
Connection Request Policy Name: DOT1X-TEST-CP
Network Policy Name: DOT1X-TEST-NP
Authentication Provider: Windows
Authentication Server: DC01.TESTCOMPANY.local
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

If I've stipulated that the NIC uses Computer Authentication, shouldn't that appear under Client Machine instead of User? An AD account definitely exists for TESTPC.TESTCOMPANY.local. Should the host/ be appearing under Account Name?

The authenticating switch is a 2960X running IOS 15.

Any ideas?

4 Replies

jan.nielsen
Level 7

I don't know much about NPS, but a machine account is basically also a user account, just for the machine; it has a password and a username just like a user account, so I think you're good. The host/ prefix is how Windows indicates that the credentials are from a machine and not a user.

The switch has no involvement in how your supplicant is authenticating; it just forwards your EAP packets via RADIUS to the NPS.

Thanks for the confirmation re. host/, Jan.

noisey_uk
Level 1

I just tried Windows 10 and it works perfectly. Are there known issues with Windows 7, 802.1x, and NPS?

I have Win7 over EAP-TLS with NPS. Make sure the security patches are up to date and that the computer has a certificate that is issued by the same CA as your DC.

Take a look at this:

https://supportforums.cisco.com/document/128096/configure-wireless-clients-running-windows-7-eap-tls-authentication-nps-radius
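The checks suggested in this thread (a machine certificate with a private key and the Client Authentication EKU, a SAN that matches the computer account, a chain to a CA that NPS will accept, and the same issuer as the DC) can be scripted on the supplicant. The script below is an added example, not code from the thread, Cisco or Microsoft. It assumes it runs elevated on the Windows 7/10 client, takes the DC name from the "Authentication Server" field of the NPS event above, and assumes the DC answers LDAPS on 636 purely so the DC certificate's issuer can be read for comparison; if LDAPS is not enabled, that step is skipped with a warning.

```powershell
# Added example: sanity-check a Windows supplicant for EAP-TLS computer authentication.
# Assumptions: run elevated on the client; $DcName copied from the NPS event (adjust);
# LDAPS on 636 reachable on the DC (only used to read the DC certificate's issuer).
$DcName        = 'DC01.TESTCOMPANY.local'   # "Authentication Server" in the NPS event
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU

# NPS maps the certificate to the computer account (TESTPC$ in the thread) through
# the DNS name in the SAN, so it must match this host's FQDN exactly.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Candidates: LocalMachine\My, private key present, not expired, Client Authentication EKU.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
}

if (-not $candidates) {
    Write-Warning "No usable client-authentication certificate in LocalMachine\My. Autoenrollment has not delivered one yet; run 'gpupdate /force' and 'certutil -pulse', then re-run this script."
    return
}

function Get-RemoteCertIssuer {
    # Reads the issuer of the certificate a TLS server presents. Validation is
    # deliberately disabled here because the issuer is only inspected, never trusted.
    param([string]$HostName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $remote.Issuer
    } finally {
        $tcp.Close()
    }
}

$dcIssuer = $null
try { $dcIssuer = Get-RemoteCertIssuer -HostName $DcName }
catch { Write-Warning "Could not read the DC certificate over LDAPS ($($_.Exception.Message)); compare issuers by hand." }

foreach ($cert in $candidates) {
    $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    Write-Host ("Thumbprint : {0}" -f $cert.Thumbprint)
    Write-Host ("Subject    : {0}" -f $cert.Subject)
    Write-Host ("Issuer     : {0}" -f $cert.Issuer)
    Write-Host ("Expires    : {0}" -f $cert.NotAfter)
    Write-Host ("SAN DNS    : {0}" -f ($sans -join ', '))

    # 1. SAN must carry the FQDN that NPS sees as host/<fqdn>; a mismatch is one
    #    cause of the Reason Code 16 "credentials mismatch" failure in the thread.
    if ($sans -notcontains $fqdn) {
        Write-Warning "SAN does not contain $fqdn; NPS cannot map this certificate to the computer account."
    }

    # 2. The issuing CA must be published in the Enterprise NTAuth store, otherwise NPS
    #    rejects the certificate even though the supplicant itself trusts it.
    $ntauth = Test-Certificate -Cert $cert -Policy NTAUTH -EKU $ClientAuthOid -ErrorAction SilentlyContinue
    if (-not $ntauth) {
        Write-Warning "Certificate does not chain to a CA in the NTAuth store; confirm the CA is an enterprise CA (certutil -viewstore -enterprise NTAuth)."
    }

    # 3. Same CA as the DC, as the reply above suggests.
    if ($dcIssuer -and $dcIssuer -ne $cert.Issuer) {
        Write-Warning "Issuer differs from the DC certificate issuer ($dcIssuer); the 802.1X profile's trusted root list must include the DC's CA."
    }
    Write-Host ''
}
```

Run it on the failing Windows 7 client and on the working Windows 10 client; the first warning that appears on one and not the other usually points at the difference (missing SAN, a CA outside NTAuth, or a different issuer).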
