MVP

Windows using domain\machinename$ during Computer Authentication

Hello!

 

I'm in a situation I've not seen before, but I'm sure someone else has, so I'm hoping for some insight from the crowd here.

Working on a standard 802.1X setup using ClearPass with Windows 10 computers, and I set up the clients with authentication mode "User or computer authentication".

So normally I see host/fqdn when Windows computers do their computer authentication, but in this case it's sending domain\machinename$. This results in a Reject from AD and a failed [Machine Authentication].

If I set the auth mode to only "Computer authentication" it always sends host/fqdn and all is well.

Customer says that in the previous 802.1X setup they tried several years ago, they had the same problem. That was with the same AD/GPOs etc., but Win 7 clients.

So - anyone else had this problem and found a way to fix this?


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!

Re: Windows using domain\machinename$ during Computer Authentication

Hi John,

I've seen this before when using EAP-TLS for authentication. What are you using?

EDIT: Ahhh, never mind, probably EAP-PEAP as you're doing user and computer.

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
MVP

Re: Windows using domain\machinename$ during Computer Authentication

Hi James

Well - the client is set up to do EAP-PEAP and that is what's listed in Access Tracker as the method. I'm using a service that accepts both EAP-TLS with OCSP and EAP-PEAP.

.. John-Egil Solberg
@ a mobile device

Regards
John Solberg

MVP

Re: Windows using domain\machinename$ during Computer Authentication

*bump*

So is it my topic headline that is not catchy enough, or has none of all the thousands here seen anything other than host/computer.fqdn during "computer authentication"?

That said - I've read a ton of papers and documentation and I'm unable to reproduce the issue in my lab.

domain\machinename$ is only used when the computer is set up with EAP-PEAP and authentication mode = "User or computer authentication". In "Computer authentication" auth mode the correct host/machinename.fqdn is used and authentication works correctly.


Regards
John Solberg

Frequent Contributor I

Re: Windows using domain\machinename$ during Computer Authentication

Hi John,

Not sure if you're still chasing this problem. We just started doing machine authentication for a small building and are running into this problem now, today, for some individuals. Something that stuck in my mind shortly towards the end of my shift: what build number of Windows 10 were you running into this on, and did it differ from your lab setup? I saw this on Version 1607 [Build 14393] (my recently updated work and test laptop) and Version 1703 [Build 15063] (the version the affected population ran into it on), and I hope to have the original version I tested this on again shortly, Version 1511 [Build 10586], where I didn't have this problem. Enterprise version info: https://technet.microsoft.com/en-us/windows/release-info.aspx

Guru Elite

Re: Windows using domain\machinename$ during Computer Authentication

Are you using PEAPv0/EAP-MSCHAPv2 or EAP-TLS?

Is the device configured for user, computer or computer + user?

Are you using the native Windows supplicant?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Windows using domain\machinename$ during Computer Authentication

Hi Tim,

Are you using PEAPv0/EAP-MSCHAPv2 or EAP-TLS? PEAPv0/EAP-MSCHAPv2

Is the device configured for user, computer or computer + user? computer + user

Are you using the native Windows supplicant? Yes

Frequent Contributor I

Re: Windows using domain\machinename$ during Computer Authentication

Almost forgot one more important detail. The machine passes authentication with "host/FQDN" - and then almost immediately fails with "domain\machinename$" - so this could be a separate issue from OPs.

Frequent Contributor I

Re: Windows using domain\machinename$ during Computer Authentication

Made some progress (ruled out Windows 10 versions) and happened to find a recent Aruba KB about this behavior - https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Machine-authentication-fails-when-ssid-profile-pushed-via-GPO/ta-p/290978 - not sure what causes it though and why for some clients. Still trying to do more analysis.

Frequent Contributor I

Re: Windows using domain\machinename$ during Computer Authentication

Made some further progress. I was wondering if anyone could try replicating the issue I experienced in Windows 10 Version 1703 with an SSID (802.1X, PEAP-MSCHAPv2) deployed via GPO. In previous versions of Windows 10, the OS will NOT and SHOULD NOT allow the creation of duplicate SSID profiles. Feel free to PM if willing to test. I almost disregarded one person as not having the issue, till I realized a sneaky behavior that masked the issue.

In Version 1703, the OS is allowing two profiles of the same name to be configured: the original GPO one ("Added by Company Policy") and then a user-defined one (either through "Add a new network", or possibly a by-product of an in-place upgrade); testing this tomorrow. I suspect that if one GPO is (User or Computer Authentication) and the other is (Computer Authentication Only, or vice versa), it's causing the client to machine authenticate as "host/FQDN" followed by an immediate failed attempt as "Domain\MachineName$", based on the various authentication methods I've been testing.
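A quick way to check a client for the duplicate-profile condition described above, as an added example and not code posted in this thread or shipped by Aruba or Microsoft: enumerate the WLAN profiles with netsh, flag any SSID name that appears more than once (the GPO-delivered copy plus a locally created one), then export each profile to XML and read the OneX authMode (machine, user or machineOrUser) and the EAP method type. The export folder under $env:TEMP is an assumption; any writable folder works, and the script should be run from an elevated PowerShell prompt on the affected Windows 10 machine.

```powershell
# Added example, not from the thread: list WLAN profiles on a Windows 10 client,
# report duplicated SSID names, and show the 802.1X authMode of each exported profile.
# Assumption: $exportDir is any writable folder; $env:TEMP\wlan-profiles is used here.

$exportDir = Join-Path $env:TEMP 'wlan-profiles'
New-Item -ItemType Directory -Force -Path $exportDir | Out-Null
Remove-Item (Join-Path $exportDir '*.xml') -ErrorAction SilentlyContinue

# "netsh wlan show profiles" prints GPO-delivered profiles under
# "Group policy profiles (read only)" and local ones under "User profiles",
# one "All User Profile : <name>" (or "Current User Profile : <name>") line each.
$section  = 'unknown'
$profiles = foreach ($line in (netsh wlan show profiles)) {
    if ($line -match 'Group policy profiles') { $section = 'GPO';  continue }
    if ($line -match '^\s*User profiles')     { $section = 'User'; continue }
    if ($line -match '^\s*(All User|Current User) Profile\s*:\s*(.+?)\s*$') {
        [pscustomobject]@{ Source = $section; Name = $Matches[2] }
    }
}

# The condition discussed in the thread: the same SSID name present twice.
# This listing is the actionable signal; "netsh wlan export profile name=..."
# exports by name and cannot tell two same-named profiles apart.
$profiles | Group-Object Name | Where-Object Count -gt 1 | ForEach-Object {
    "DUPLICATE profile name '{0}': {1}" -f $_.Name, ($_.Group.Source -join ' + ')
}

# Export every distinct profile name to XML (no pre-shared keys needed, so no key=clear).
foreach ($name in ($profiles.Name | Sort-Object -Unique)) {
    netsh wlan export profile "name=$name" "folder=$exportDir" | Out-Null
}

# Read MSM/security/OneX/authMode and the EAP method type from each exported file.
# local-name() XPath sidesteps the per-element namespaces in the profile schema.
# authMode is optional in the schema; it is reported as "(absent)" when missing.
Get-ChildItem $exportDir -Filter '*.xml' | ForEach-Object {
    [xml]$xml = Get-Content -Raw $_.FullName
    $modeNode = $xml.SelectSingleNode("//*[local-name()='OneX']/*[local-name()='authMode']")
    $typeNode = $xml.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
    [pscustomobject]@{
        Profile  = $xml.WLANProfile.name
        AuthMode = if ($modeNode) { $modeNode.InnerText } else { '(absent)' }  # machine | user | machineOrUser
        EapType  = if ($typeNode) { $typeNode.InnerText } else { '(none)' }    # 25 = PEAP, 13 = EAP-TLS
        File     = $_.Name
    }
} | Format-Table -AutoSize
```

If the DUPLICATE line fires and the exported profile shows machineOrUser while the GPO is expected to push machine-only (or the reverse), that is the mismatch to chase; delete the locally created copy (netsh wlan delete profile) and re-test the 802.1X exchange in Access Tracker before touching the RADIUS service.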
