Security

We have users that needs to connect with rdp but they are getting disconnected
Example:
Users have desktops in their company
Let say user X which is on his home connect to his desktop(this desktop authenticate with 802.1x) he connect to his desktop with a VPN. When they connect with RDP to that desktop get disconnected of the network and i see this error:
[4:26 p. m.] Jose Vindas Alfaro

ST1-CMDR: port 2/1 is Blocked by AAA

Same issue happens if someone in the internal network tries to remote desktop to that desktop, we get that error

Im wondering if this happen because of the credential guard and because they are using EAP PEAP(i iknow  they need to move to EAP TLS but its something we have to work with the client after we fix this)

I notice that one computer is working fine but in that computer it has this enable

In most of the computers it has it disable like you see in the screenshot and in thos computers it seems it doesnt work

This only happens when they try to remote desktop

I dont know if when it try to autenticate and noone is on the computer it prompts the user and pass but as noone is there to do that it kick the device from the network because noone is putting the user and pass

You guys think its that?

Do you think there is a logic in what is happening and with the credential guard?

The customer should migrate to certificate based EAP methods instead. 

https://learn.microsoft.com/en-us/troubleshoot/windows-client/remote/cannot-use-802dot1x-user-authentication-connect-rds

We have users that needs to connect with rdp but they are getting disconnected
Example:
Users have desktops in their company
Let say user X which is on his home connect to his desktop(this desktop authenticate with 802.1x) he connect to his desktop with a VPN. When they connect with RDP to that desktop get disconnected of the network and i see this error:
[4:26 p. m.] Jose Vindas Alfaro

ST1-CMDR: port 2/1 is Blocked by AAA

Same issue happens if someone in the internal network tries to remote desktop to that desktop, we get that error

Im wondering if this happen because of the credential guard and because they are using EAP PEAP(i iknow  they need to move to EAP TLS but its something we have to work with the client after we fix this)

I notice that one computer is working fine but in that computer it has this enable

In most of the computers it has it disable like you see in the screenshot and in thos computers it seems it doesnt work

This only happens when they try to remote desktop

I dont know if when it try to autenticate and noone is on the computer it prompts the user and pass but as noone is there to do that it kick the device from the network because noone is putting the user and pass

You guys think its that?

Do you think there is a logic in what is happening and with the credential guard?

Hello thnks for your reply

 Like i said on my previews post i already informed the client that we must move to EAP TLS, for now they are asking us to fix it because its urgent

As for the solution microsoft is proposing, is this?:

This is already configured, and they still have the issue

If its somewhere else where is it?

Thanks

The customer should migrate to certificate based EAP methods instead. 

https://learn.microsoft.com/en-us/troubleshoot/windows-client/remote/cannot-use-802dot1x-user-authentication-connect-rds

We have users that needs to connect with rdp but they are getting disconnected
Example:
Users have desktops in their company
Let say user X which is on his home connect to his desktop(this desktop authenticate with 802.1x) he connect to his desktop with a VPN. When they connect with RDP to that desktop get disconnected of the network and i see this error:
[4:26 p. m.] Jose Vindas Alfaro

ST1-CMDR: port 2/1 is Blocked by AAA

Same issue happens if someone in the internal network tries to remote desktop to that desktop, we get that error

Im wondering if this happen because of the credential guard and because they are using EAP PEAP(i iknow  they need to move to EAP TLS but its something we have to work with the client after we fix this)

I notice that one computer is working fine but in that computer it has this enable

In most of the computers it has it disable like you see in the screenshot and in thos computers it seems it doesnt work

This only happens when they try to remote desktop

I dont know if when it try to autenticate and noone is on the computer it prompts the user and pass but as noone is there to do that it kick the device from the network because noone is putting the user and pass

You guys think its that?

Do you think there is a logic in what is happening and with the credential guard?

If they are using PEAP for 802.1X, the only option is to only enable Computer Authentication.  If they have User enabled then the RDP session WILL BREAK THE 802.1X connection.

Hello thnks for your reply

 Like i said on my previews post i already informed the client that we must move to EAP TLS, for now they are asking us to fix it because its urgent

As for the solution microsoft is proposing, is this?:

This is already configured, and they still have the issue

If its somewhere else where is it?

Thanks

The customer should migrate to certificate based EAP methods instead. 

https://learn.microsoft.com/en-us/troubleshoot/windows-client/remote/cannot-use-802dot1x-user-authentication-connect-rds

We have users that needs to connect with rdp but they are getting disconnected
Example:
Users have desktops in their company
Let say user X which is on his home connect to his desktop(this desktop authenticate with 802.1x) he connect to his desktop with a VPN. When they connect with RDP to that desktop get disconnected of the network and i see this error:
[4:26 p. m.] Jose Vindas Alfaro

ST1-CMDR: port 2/1 is Blocked by AAA

Same issue happens if someone in the internal network tries to remote desktop to that desktop, we get that error

Im wondering if this happen because of the credential guard and because they are using EAP PEAP(i iknow  they need to move to EAP TLS but its something we have to work with the client after we fix this)

I notice that one computer is working fine but in that computer it has this enable

In most of the computers it has it disable like you see in the screenshot and in thos computers it seems it doesnt work

This only happens when they try to remote desktop

I dont know if when it try to autenticate and noone is on the computer it prompts the user and pass but as noone is there to do that it kick the device from the network because noone is putting the user and pass

You guys think its that?

Do you think there is a logic in what is happening and with the credential guard?

Hello Chulcher

Let me check on this but i saw that someone that had 

This enabled did not that happen the issue

Just to make sure Carson, it will break the 802.1x connection even with that option on??  

The only options are having the computer authenticaiton or go to EAP TLS

If they are using PEAP for 802.1X, the only option is to only enable Computer Authentication.  If they have User enabled then the RDP session WILL BREAK THE 802.1X connection.

Hello thnks for your reply

 Like i said on my previews post i already informed the client that we must move to EAP TLS, for now they are asking us to fix it because its urgent

As for the solution microsoft is proposing, is this?:

This is already configured, and they still have the issue

If its somewhere else where is it?

Thanks

The customer should migrate to certificate based EAP methods instead. 

https://learn.microsoft.com/en-us/troubleshoot/windows-client/remote/cannot-use-802dot1x-user-authentication-connect-rds

We have users that needs to connect with rdp but they are getting disconnected
Example:
Users have desktops in their company
Let say user X which is on his home connect to his desktop(this desktop authenticate with 802.1x) he connect to his desktop with a VPN. When they connect with RDP to that desktop get disconnected of the network and i see this error:
[4:26 p. m.] Jose Vindas Alfaro

ST1-CMDR: port 2/1 is Blocked by AAA

Same issue happens if someone in the internal network tries to remote desktop to that desktop, we get that error

Im wondering if this happen because of the credential guard and because they are using EAP PEAP(i iknow  they need to move to EAP TLS but its something we have to work with the client after we fix this)

I notice that one computer is working fine but in that computer it has this enable

In most of the computers it has it disable like you see in the screenshot and in thos computers it seems it doesnt work

This only happens when they try to remote desktop

I dont know if when it try to autenticate and noone is on the computer it prompts the user and pass but as noone is there to do that it kick the device from the network because noone is putting the user and pass

You guys think its that?

Do you think there is a logic in what is happening and with the credential guard?