MVP
Posts: 520
Registered: ‎05-11-2011

Windows using domain\machinename$ during Computer Authentication

Hello!

I'm in a situation I've not seen before, but I'm sure someone else has so I'm hoping for some insight from the crowd here.

Working on a standard 802.1x setup using ClearPass with Windows 10 computers, and I set up the clients with Authentication mode: "User or computer authentication".

So normally I see host/fqdn when Windows computers do their Computer Authentication, but in this case it's sending domain\machinename$. This results in a Reject from AD and a failed [Machine Authentication].

If I set the auth mode to only "Computer authentication" it always sends host/fqdn and all is well.

Customer says that in the previous 802.1x they tried several years ago, they had the same problem. That was with the same AD/GPOs etc., but Win 7 clients.

So - anyone else had this problem and found a way to fix this?


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
MVP
Posts: 992
Registered: ‎04-13-2009

Re: Windows using domain\machinename$ during Computer Authentication

Hi John,

I've seen this before when using EAP-TLS for authentication. What are you using?

EDIT: Ahhh never mind, probably EAP-PEAP as you're doing user and computer.

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
MVP
Posts: 520
Registered: ‎05-11-2011

Re: Windows using domain\machinename$ during Computer Authentication

Hi James

Well - the client is set up to do EAP-PEAP and that is what's listed in Access Tracker as method. I'm using a service that accepts both EAP-TLS with OCSP and EAP-PEAP.

.. John-Egil Solberg
@ a mobile device

Regards
John Solberg

MVP
Posts: 520
Registered: ‎05-11-2011

Re: Windows using domain\machinename$ during Computer Authentication

*bump*

So is it my topic headline that is not catchy enough, or has none of all the thousands here seen anything other than host/computer.fqdn during "computer authentication"?

That said - I've read a ton of papers and documentation and I'm unable to reproduce the issue in my lab.

domain\machinename$ is only used when the computer is set up with EAP-PEAP and authentication method = "user or computer authentication". In "Computer authentication" auth mode the correct host/machinename.fqdn is used and authentication works correctly.


Regards
John Solberg

Contributor II
Posts: 53
Registered: ‎04-10-2012

Re: Windows using domain\machinename$ during Computer Authentication

jsolb wrote:

> *bump*
>
> So is it my topic headline that is not catchy enough, or has none of all the thousands here seen anything other than host/computer.fqdn during "computer authentication"?
>
> That said - I've read a ton of papers and documentation and I'm unable to reproduce the issue in my lab.
>
> domain\machinename$ is only used when the computer is set up with EAP-PEAP and authentication method = "user or computer authentication". In "Computer authentication" auth mode the correct host/machinename.fqdn is used and authentication works correctly.

Hi John,

Not sure if you're still chasing this problem. We just started doing machine authentication for a small building and are running into this problem now today for some individuals. Something that stuck in my mind shortly towards the end of my shift - what build number of Windows 10 were you running into - and did it differ from your lab setup - I saw this on Version 1607 [Build 14393] (my recently updated work and test laptop) and Version 1703 [Build 15063] (the version the affected population ran into) - and I hope to have the original version I tested this on again shortly, Version 1511 [Build 10586] - where I didn't have this problem - Enterprise Version Info - https://technet.microsoft.com/en-us/windows/release-info.aspx

Guru Elite
Posts: 8,648
Registered: ‎09-08-2010

Re: Windows using domain\machinename$ during Computer Authentication

Are you using PEAPv0/EAP-MSCHAPv2 or EAP-TLS?

Is the device configured for user, computer or computer + user?

Are you using the native Windows supplicant?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 53
Registered: ‎04-10-2012

Re: Windows using domain\machinename$ during Computer Authentication

Hi Tim,

Are you using PEAPv0/EAP-MSCHAPv2 or EAP-TLS? PEAPv0/EAP-MSCHAPv2

Is the device configured for user, computer or computer + user? computer + user

Are you using the native Windows supplicant? Yes

Contributor II
Posts: 53
Registered: ‎04-10-2012

Re: Windows using domain\machinename$ during Computer Authentication


cbjohns wrote:

> Hi Tim,
>
> Are you using PEAPv0/EAP-MSCHAPv2 or EAP-TLS? PEAPv0/EAP-MSCHAPv2
>
> Is the device configured for user, computer or computer + user? computer + user
>
> Are you using the native Windows supplicant? Yes


Almost forgot one more important detail. The machine passes authentication with "host/FQDN" - and then almost immediately fails with "domain\machinename$" - so this could be a separate issue from OP's.

Contributor II
Posts: 53
Registered: ‎04-10-2012

Re: Windows using domain\machinename$ during Computer Authentication

Made some progress (ruled out Windows 10 versions) and happened to find a recent Aruba KB about this behavior - https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Machine-authentication-fails-when-ssid-profile-pushed-via-GPO/ta-p/290978 - not sure what causes it though and why for some clients. Still trying to do more analysis.
