Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Windows 10 802.1X Supplicant Supplies Different Usernames for Wired and Wireless Machine Auth

  • 1.  Windows 10 802.1X Supplicant Supplies Different Usernames for Wired and Wireless Machine Auth

    Posted Sep 13, 2017 04:35 AM

    So, I'm trying to configure both wired and wireless 802.1x machine authentication using CPPM against an AD backend.

     

    For wired 802.1x, the built-in Windows supplicant supplies the username in the format of host/FQDN (for example, in our lab environment host/ITG-NB1ITG-0715.gba.geolba.ac.at), which is expected and works.

    However, for wireless 802.1x, the supplicant provides a username of NETBIOS-Short-Name\Hostname$ (lab: GBA\ITG-NB1ITG-0715$), which is not expected and doesn't work either.

    So the question is, why does the 802.1x supplicant behave differently when switching from wired to wireless? Shouldn't the username for machine authentication always have the format of host/FQDN? Also, please see the attached screenshots for further details.



  • 2.  RE: Windows 10 802.1X Supplicant Supplies Different Usernames for Wired and Wireless Machine Auth

    Posted Sep 13, 2017 04:40 AM

    Both wired and wireless supplicants are configured identically, to do both machine (when pressing ctrl+alt+del) and user auth. User auth works for both wireless and wired 802.1x, only machine auth doesn't work for wireless.



  • 3.  RE: Windows 10 802.1X Supplicant Supplies Different Usernames for Wired and Wireless Machine Auth

    EMPLOYEE
    Posted Sep 13, 2017 07:18 AM

    Which Windows 10 build? Is this consistent across different devices?



  • 4.  RE: Windows 10 802.1X Supplicant Supplies Different Usernames for Wired and Wireless Machine Auth

    Posted Sep 13, 2017 07:48 PM
    Is the machine auto-connecting to the wireless SSID or are you manually bringing up the Wi-Fi dialog screen (on the login screen) and clicking Connect? I'm running into a similar situation as well and the behavior I've seen is when the supplicant is set to "User or Computer": If the machine auto-connects it will authenticate as the svcPrincipalName (host/fqdn) but if a user interacts with the GUI by pulling up the Wi-Fi dialog box on login screen - it authenticates as the samAccountName (domain/computer$).


    #AirheadsMobile
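
For anyone auditing RADIUS logs for the behaviour described in this thread, the following added example (not from any poster and not ClearPass code) parses the two machine-identity forms reported here and flags hosts that appear under both. The regular expressions, function names and sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# The two identity shapes reported in this thread (patterns are this example's assumption).
SPN_RE = re.compile(r"^host/(?P<host>[^.\s/\\]+)(?:\.(?P<dns>\S+))?$", re.IGNORECASE)
SAM_RE = re.compile(r"^(?P<dom>[^\\/\s]+)[\\/](?P<host>[^\\/\s]+)\$$")


def parse_machine_identity(identity):
    """Return (form, hostname, domain) for a machine identity, or None otherwise."""
    identity = identity.strip()
    m = SPN_RE.match(identity)
    if m:  # host/FQDN form
        return ("spn", m.group("host").upper(), (m.group("dns") or "").lower())
    m = SAM_RE.match(identity)
    if m:  # DOMAIN\HOST$ form; the trailing "$" separates it from user names
        return ("sam", m.group("host").upper(), m.group("dom").upper())
    return None


def hosts_with_mixed_forms(records):
    """Map hostname -> {form: set of media} for hosts seen under more than one form."""
    seen = defaultdict(lambda: defaultdict(set))
    for medium, identity in records:
        parsed = parse_machine_identity(identity)
        if parsed is None:
            continue  # user authentication or an unrecognised identity
        form, host, _domain = parsed
        seen[host][form].add(medium)
    return {
        host: {form: set(media) for form, media in forms.items()}
        for host, forms in seen.items()
        if len(forms) > 1
    }


# Constructed sample records: (medium, identity). The first two reuse the
# lab names quoted in the first post; the others are made up.
SAMPLE = [
    ("wired", "host/ITG-NB1ITG-0715.gba.geolba.ac.at"),
    ("wireless", "GBA\\ITG-NB1ITG-0715$"),
    ("wireless", "GBA\\jdoe"),  # user auth, ignored
    ("wired", "host/LAB-PC-02.gba.geolba.ac.at"),
]

if __name__ == "__main__":
    for host, forms in hosts_with_mixed_forms(SAMPLE).items():
        print(host, {form: sorted(media) for form, media in forms.items()})
```
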


  • 5.  RE: Windows 10 802.1X Supplicant Supplies Different Usernames for Wired and Wireless Machine Auth

    Posted Sep 14, 2017 04:31 AM

    @cbjohns this is exactly the problem I'm seeing



  • 6.  RE: Windows 10 802.1X Supplicant Supplies Different Usernames for Wired and Wireless Machine Auth



  • 7.  RE: Windows 10 802.1X Supplicant Supplies Different Usernames for Wired and Wireless Machine Auth

    Posted Sep 14, 2017 07:01 AM

    OK the link I posted above does solve my problem.

     

    Can somebody explain to me why this is necessary at all?



  • 8.  RE: Windows 10 802.1X Supplicant Supplies Different Usernames for Wired and Wireless Machine Auth

    Posted Feb 20, 2024 03:32 AM

    Hello,

    I am facing a similar issue and tried opening the link pasted above, but I am unable to open it.

    Can you please help me with the solution given in the link?

    Your prompt response would be highly appreciated.

    Thank you.




  • 9.  RE: Windows 10 802.1X Supplicant Supplies Different Usernames for Wired and Wireless Machine Auth

    EMPLOYEE
    Posted Feb 20, 2024 03:36 AM

    This seems to be the new location in February 2024 for this article: Machine authentication fails when ssid profile pushed via GPO



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------