We have users that need to connect with RDP but they are getting disconnected.

Example: users have desktops in their company. Let's say user X, who is at home, connects to his desktop (this desktop authenticates with 802.1X); he connects to his desktop over a VPN. When they connect with RDP to that desktop it gets disconnected from the network and I see this error:

[4:26 p. m.] Jose Vindas Alfaro
ST1-CMDR: port 2/1 is Blocked by AAA

The same issue happens if someone on the internal network tries to remote desktop to that desktop; we get that error.
I'm wondering if this happens because of Credential Guard and because they are using EAP-PEAP (I know they need to move to EAP-TLS, but that is something we have to work on with the client after we fix this).
I noticed that one computer is working fine, but on that computer it has this enabled:
On most of the computers it is disabled, like you see in the screenshot, and on those computers it seems it doesn't work.
This only happens when they try to remote desktop.
I don't know if, when it tries to authenticate and no one is on the computer, it prompts for the user and password, but as no one is there to do that it kicks the device off the network because no one is entering the user and password.
Do you guys think it's that?
Do you think there is a logic to what is happening, and to the Credential Guard connection?
The customer should migrate to certificate-based EAP methods instead.
Hello, thanks for your reply.
Like I said in my previous post, I already informed the client that we must move to EAP-TLS; for now they are asking us to fix it because it's urgent.
As for the solution Microsoft is proposing, is it this?:
This is already configured, and they still have the issue.
If it's somewhere else, where is it?
If they are using PEAP for 802.1X, the only option is to enable Computer Authentication only. If they have User enabled, then the RDP session WILL BREAK THE 802.1X connection.
Let me check on this, but I saw that someone who had
this enabled did not have the issue.
Just to make sure, Carson, will it break the 802.1x connection even with that option on?
The only options are having computer authentication or going to EAP-TLS.
If you go read the Microsoft document that was posted above, if User Auth is attempted then the network connection will fail. Disabling SSO might allow the connection to eventually come back, but you'll likely just break it again upon connecting with RDP.
EAP-TLS or EAP-TEAP is the answer. But regardless of what gets chosen, get rid of any authentication that requires MSCHAPv2.
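To turn the advice in the two replies above (computer authentication only as the short-term fix, EAP-TLS/TEAP as the real one) into something a field engineer can check on an affected client, here is an added example script. It is not code from this thread, from HPE or from Microsoft. It assumes an elevated PowerShell session on the Windows client, that the Wired AutoConfig service manages the port, and that the adapter name in $InterfaceName is a placeholder you replace. It reads Credential Guard state from the Win32_DeviceGuard CIM class, exports the wired 802.1X profile with netsh, inspects authMode and the EAP method types, and offers a function that rewrites the profile to machineOnly and re-imports it.

```powershell
# Added example (not from this thread, nor HPE/Microsoft code): audit a Windows client for the
# combination discussed above (Credential Guard running + a wired 802.1X profile that uses
# PEAP-MSCHAPv2 with user authentication) and optionally switch the profile to machine-only
# authentication. Assumptions: elevated PowerShell on the client, Wired AutoConfig (dot3svc)
# in use, and $InterfaceName is a placeholder for the 802.1X-enabled adapter.

$InterfaceName = 'Ethernet'   # assumption: replace with the real adapter name

function Get-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is running
    # (2 is HVCI). Returns $false on hosts where the class is absent.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
}

function Export-WiredProfileXml {
    # netsh writes the wired profile of the interface as XML into a folder; the newest
    # XML file there is returned so it can be parsed and, if needed, edited and re-imported.
    param([string]$Interface)
    $folder = Join-Path $env:TEMP 'dot1x-audit'
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    netsh lan export profile folder="$folder" interface="$Interface" | Out-Null
    return Get-ChildItem -Path $folder -Filter '*.xml' | Sort-Object LastWriteTime | Select-Object -Last 1
}

function Get-WiredProfileFindings {
    # Reads authMode and the EAP method types from the exported profile. local-name() in
    # the XPath ignores the LANProfile / OneX / EapHostConfig namespaces.
    param([string]$ProfileXmlPath)
    [xml]$doc = Get-Content -Raw -Path $ProfileXmlPath
    $authModeNode = $doc.SelectSingleNode("//*[local-name()='authMode']")
    # The OneX schema default when <authMode> is omitted is machineOrUser.
    $authMode = if ($authModeNode) { $authModeNode.InnerText } else { 'machineOrUser' }
    $types = @($doc.SelectNodes("//*[local-name()='Type']") | ForEach-Object { [int]$_.InnerText })
    [pscustomobject]@{
        AuthMode     = $authMode
        IsPeapMschap = ($types -contains 25) -and ($types -contains 26)   # 25 = PEAP, 26 = EAP-MSCHAPv2
        IsCertBased  = ($types -contains 13) -or ($types -contains 55)    # 13 = EAP-TLS, 55 = TEAP
        UsesUserAuth = ($authMode -ne 'machineOnly')
    }
}

function Set-WiredProfileMachineOnly {
    # Sets <authMode> to machineOnly (inserting it in schema order if it is absent) and
    # re-imports the profile, so the machine account does all 802.1X authentication and an
    # RDP logon no longer triggers a user (re)authentication on the port.
    param([string]$ProfileXmlPath, [string]$Interface)
    [xml]$doc = Get-Content -Raw -Path $ProfileXmlPath
    $oneX = $doc.SelectSingleNode("//*[local-name()='OneX']")
    $node = $oneX.SelectSingleNode("*[local-name()='authMode']")
    if (-not $node) {
        $node = $doc.CreateElement('authMode', $oneX.NamespaceURI)
        # schema order: authMode precedes singleSignOn and EAPConfig
        $anchor = $oneX.SelectSingleNode("*[local-name()='singleSignOn']")
        if (-not $anchor) { $anchor = $oneX.SelectSingleNode("*[local-name()='EAPConfig']") }
        $oneX.InsertBefore($node, $anchor) | Out-Null
    }
    $node.InnerText = 'machineOnly'
    $doc.Save($ProfileXmlPath)
    netsh lan add profile filename="$ProfileXmlPath" interface="$Interface"
}

# --- audit ---
$cg      = Get-CredentialGuardRunning
$xmlFile = Export-WiredProfileXml -Interface $InterfaceName
$f       = Get-WiredProfileFindings -ProfileXmlPath $xmlFile.FullName
"Credential Guard running : $cg"
"authMode                 : $($f.AuthMode)"
"PEAP-MSCHAPv2 in profile : $($f.IsPeapMschap)"
"Certificate-based EAP    : $($f.IsCertBased)"

if ($cg -and $f.IsPeapMschap -and $f.UsesUserAuth) {
    Write-Warning 'Credential Guard + PEAP-MSCHAPv2 + user auth: an RDP logon will break 802.1X on this port.'
    Write-Warning 'Short-term: machine-only authentication. Long-term: EAP-TLS or TEAP, no MSCHAPv2.'
    # Uncomment to apply the short-term fix on this client:
    # Set-WiredProfileMachineOnly -ProfileXmlPath $xmlFile.FullName -Interface $InterfaceName
}
```

Run the audit part first on the one computer that works and on one that does not; the difference the thread is circling around should show up as authMode (machineOnly versus machineOrUser) rather than as a Credential Guard difference. Switching to machineOnly is a change in who the switch authorizes (the machine account, not the logged-on user), so check that the RADIUS policy on the NAC side grants the intended VLAN/role to machine authentications before rolling it out.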
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.