Wireless Access

I have an issue with a customer this morning where the username is being populated as "host/694TEA-CXDWD12.domain.com".  The info after the slash seems to be the computer name but I haven't confirmed. This has happened intermittently in the past. This morning there were a lot of entries though. 

It shows up under all the networks available that perform dot1x authentication. psk's are not affected.

Anyone seen anything like this?

Yes, this is normal behavior in a Windows AD-joined environment. The device is machine authenticating meaning it is using the computer's account instead of the user's account to authenticate.

This happens at the login screen. If you do not want this to happen, you would need to configure the clients to use User only authentication, but beware that this will break new user domain login to the computer.

How can I stop it from happening?

The customer has firewall rules in place based on username and when the machine logs in, certain resources are unavailable.

nevermind, i just saw you already said how to solve. lol

You would need to configure the wireless profile via Group Policy to only User authenticate.

The best practice is to ensure that both user and computer authentication is enabled so that once the user logs in, the authentication switches to the User's credentials. It sounds like just Computer authentication is enabled.

From what I can see both are enabled. the host/ logins aren't the only ones I see in the client list. There just seems to be more of them than normal. 

Would something be stopping it from switching to the user's credentials?

also, is there a way for me to clear these clients so they reauthenticate as the user?

aaa user delete mac <mac-address>

This will force the client to reauthenticate.

If the client isn't fully configured, the device can sometimes switch between computer only and user only. The best way to start troubleshooting this is to push down a group policy that hard sets all of the settings.