Occasional Contributor II

Windows 10 802.1X Supplicant Supplies Different Usernames for Wired and Wireless Machine Auth

So, I'm trying to configure both wired and wireless 802.1x machine authentication using CPPM against an AD backend.


For wired 802.1x, the built-in Windows Supplicant supplies the username in the format of host/FQDN (for example, in our lab environment, host/ITG-NB1ITG-0715.gba.geolba.ac.at), which is expected and works.

However, for wireless 802.1x, the supplicant provides a username of NETBIOS-Short-Name\Hostname$ (lab: GBA\ITG-NB1ITG-0715$), which is not expected and doesn't work either.

So the question is, why does the 802.1x supplicant behave differently when switching from wired to wireless? Shouldn't the username for machine authentication always have the format of host/FQDN? Also, please see the attached screenshots for further details.

Occasional Contributor II

Re: Windows 10 802.1X Supplicant Supplies Different Usernames for Wired and Wireless Machine Auth

Both wired and wireless supplicants are configured identically, to do both machine (when pressing ctrl+alt+del) and user auth. User auth works for both wireless and wired 802.1x, only machine auth doesn't work for wireless.

Guru Elite

Re: Windows 10 802.1X Supplicant Supplies Different Usernames for Wired and Wireless Machine Auth

Which Windows 10 build? Is this consistent across different devices?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Windows 10 802.1X Supplicant Supplies Different Usernames for Wired and Wireless Machine Auth

Is the machine auto-connecting to the wireless SSID or are you manually bringing up the Wi-Fi dialog screen (on the login screen) and clicking Connect? I'm running into a similar situation as well and the behavior I've seen is when the supplicant is set to "User or Computer": If the machine auto-connects it will authenticate as the svcPrincipalName (host/fqdn) but if a user interacts with the GUI by pulling up the Wi-Fi dialog box on login screen - it authenticates as the samAccountName (domain/computer$).


#AirheadsMobile
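
Added example, not part of the thread or any poster's code: a small Python parser that classifies RADIUS User-Name values into the two machine identity forms described above and reports which computers presented both. It assumes the first DNS label of the FQDN equals the sAMAccountName without its trailing `$`; the function names and the extra sample entries are constructed for illustration.

```python
import re
from collections import defaultdict

# Outer-identity shapes quoted in the thread:
#   host/<FQDN>             servicePrincipalName form
#   <NETBIOS>\<computer>$   sAMAccountName form
_SPN = re.compile(r"^host/([^/\\@\s]+)$", re.IGNORECASE)
_SAM = re.compile(r"^(?:([^/\\@\s]+)\\)?([^/\\@\s]+)\$$")

def parse_identity(user_name):
    """Return (kind, computer, domain); computer is None for user identities."""
    name = user_name.strip()
    m = _SPN.match(name)
    if m:
        # Assumption: first DNS label == sAMAccountName minus the trailing '$'.
        short, _, suffix = m.group(1).partition(".")
        return ("machine-spn", short.lower(), suffix.lower() or None)
    m = _SAM.match(name)
    if m:
        domain, short = m.groups()
        return ("machine-sam", short.lower(), domain.upper() if domain else None)
    return ("user", None, None)

def forms_per_computer(user_names):
    """Map each computer to the set of identity forms it presented."""
    seen = defaultdict(set)
    for raw in user_names:
        kind, computer, _ = parse_identity(raw)
        if computer is not None:
            seen[computer].add(kind)
    return dict(seen)

# Constructed sample: the two lab usernames from the thread plus made-up entries.
SAMPLE = [
    "host/ITG-NB1ITG-0715.gba.geolba.ac.at",   # wired, from the thread
    "GBA\\ITG-NB1ITG-0715$",                   # wireless, from the thread
    "GBA\\jdoe",                               # constructed user login
    "host/EXAMPLE-PC01.gba.geolba.ac.at",      # constructed second machine
]

if __name__ == "__main__":
    for computer, kinds in sorted(forms_per_computer(SAMPLE).items()):
        flag = "BOTH FORMS" if len(kinds) > 1 else "single form"
        print(f"{computer}: {sorted(kinds)} ({flag})")
```

Run over exported authentication records, this shows which endpoints switch between the two forms, so the authentication source lookup can be checked against both.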
Occasional Contributor II

Re: Windows 10 802.1X Supplicant Supplies Different Usernames for Wired and Wireless Machine Auth

@cbjohns this is exactly the problem I'm seeing

Occasional Contributor II

Re: Windows 10 802.1X Supplicant Supplies Different Usernames for Wired and Wireless Machine Auth

Occasional Contributor II

Re: Windows 10 802.1X Supplicant Supplies Different Usernames for Wired and Wireless Machine Auth

OK, the link I posted above does solve my problem.

Can somebody explain to me why this is necessary at all?
