Occasional Contributor II

Mac eap-tls machines authenticating as 8021x-User

I'm trying to fit Macs to our wireless network (once again). I have joined my Macbook (OSX 10.11) to AD with Centrify Direct Control. I have successfully distributed machine certificates to Macs and created a GPO to enforce machine authentication (with Centrify). This was pretty straightforward.


Problem is that my Macbook authenticates to the network as 8021x-User even with a machine certificate. I'm not sure whether this is a problem in Centrify DC or Aruba. Is there a way to tell the controller that this is actually a machine, not a user? RADIUS Attribute maybe? How does the controller even know what authentication comes from a machine and what from a user?


8021x-Machine authentication works with windows machines.


Anyone else having the same problems?


I'm running AOS Radius server is Windows server 2008 R2 NPS.


Thanks in advance for any help.



Guru Elite

Re: Mac eap-tls machines authenticating as 8021x-User

Windows machines use the username host/<username> to authenticate as a machine.  The controller only marks devices whose usernames begin with host/ as a machine.


All devices that passed machine authentication are in the local user database of the controller. You can add an entry in the user database for the MAC address of the Mac as a workaround. Make sure it is in the same format.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

Re: Mac eap-tls machines authenticating as 8021x-User

ClearPass would allow you to write more advanced network access policies than NPS.

If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | |

Occasional Contributor II

Re: Mac eap-tls machines authenticating as 8021x-User

Thanks for the fast reply.

This could work as a workaround but does not solve my problem. How can I add this client to the internal database?


Where is this /host username coming from? Does the controller read it from the client certificate?



Occasional Contributor II

Re: Mac eap-tls machines authenticating as 8021x-User

Actually I got this working... kind of. I used Service principal name for the alt name generation. In AD I made sure only the host/hostname record is in the service principal attribute by deleting the rest. I don't know if this will cause other problems. However, now I have a different problem. This one is a Centrify one. It's been discussed on the Centrify community here:


This has been bugging me for a long time. Now I'm almost there.
