Windows using domain\machinename$ during Computer Authentication

Hello!

I'm in a situation I've not seen before, but I'm sure someone else has so I'm hoping for some insight from the crowd here.

Working on a standard 802.1x setup using ClearPass with Windows 10 computers, and I set up the clients with Authentication mode: "User or computer authentication".

So normally I see host/fqdn when Windows Computers do their Computer Authentication, but in this case it's sending domain\machinename$. This results in a Reject from AD and a failed [Machine Authentication].

If I set the auth mode to only "Computer authentication" it always sends host/fqdn and all is well.

Customer says that in the previous 802.1x they tried several years ago, they had the same problem. That was with the same AD/GPOs etc, but Win 7 clients.

So - anyone else had this problem and found a way to fix this?


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!

Re: Windows using domain\machinename$ during Computer Authentication

Hi John,

I've seen this before when using EAP-TLS for authentication. What are you using?

EDIT: Ahhh never mind, probably EAP-PEAP as you're doing user and computer.

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.

Re: Windows using domain\machinename$ during Computer Authentication

Hi James

Well - the client is set up to do EAP-PEAP and that is what's listed in access tracker as method. I'm using a service that accepts both EAP-TLS with OCSP and EAP-PEAP.

.. John-Egil Solberg
@ a mobile device

Regards
John Solberg


Re: Windows using domain\machinename$ during Computer Authentication

*bump*

So is it my topic headline that is not catchy enough, or has none of all the thousands here seen anything other than host/computer.fqdn during "computer authentication"?

That said - I've read a ton of papers and documentation and I'm unable to reproduce the issue in my lab.

domain\machinename$ is only used when the computer is set up with EAP-PEAP and authentication method = "user or computer authentication". In "Computer authentication" auth mode the correct host/machinename.fqdn is used and authentication works correctly.


Regards
John Solberg
