RADIUS - Can authenticate by user, but not by computer

ElectroDan
Getting noticed

Last year, after much troubleshooting, I managed to get RADIUS authentication working for my AD users (although the first time they connect they have to enter their AD username and password as ticking the 'Use my Windows credentials' checkbox does not work).

Anyway, I'd like to switch to computer account authentication, so users aren't prompted to re-authenticate against the WiFi when their AD password changes. However, when I switch to this, users (all on Windows 10) are unable to connect.

This is what is shown in the NPS logs:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: OURDOMAIN\Daniel
Account Name: Daniel
Account Domain: OURDOMAIN
Fully Qualified Account Name: OURDOMAIN\Daniel

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 9A-15-54-AB-56-2D:ES_Radius_Test
Calling Station Identifier: B8-08-CF-3E-20-26

It looks as if the machine name isn't being passed to the RADIUS server (Windows Server 2016). Is this a bug?

To confirm, this is the Network Policy config that works and allows users to connect with the AD credentials:

[Image: This config works.]

But if I change from User Groups to Machine Groups, users can't connect:

[Image: This config doesn't work.]

redsector
Head in the Cloud

We needed to install a certificate on the clients for "PEAP". It's installed in the Windows network configuration. We are working with a Cisco ISE as the RADIUS server.

ElectroDan
Getting noticed

Thanks, did you reference a guide you can post the link to?

redsector
Head in the Cloud

The manual is in German, sorry.

How to set up the Windows (Win 7) network connection for RADIUS PEAP connection with certificate.

PhilipDAth
Kind of a big deal

You should be using group policy.

The group policy needs to configure the SSID to use machine authentication (otherwise it will use user authentication). The group policy can also be used to distribute the certificate.
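
An added example, not part of the thread: a check of which identity a Windows client will present for an SSID, read from the `authMode` element of an exported WLAN profile. The sample profile is constructed (only the SSID name is taken from the NPS log above), and `make_profile` and `audit_profile` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Namespaces of the Windows WLAN profile and its 802.1X (OneX) section.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1",
      "x": "http://www.microsoft.com/networking/OneX/v1"}

def make_profile(auth_mode):
    """Constructed sample profile; real ones come from `netsh wlan export profile`."""
    mode = f"<authMode>{auth_mode}</authMode>" if auth_mode else ""
    return f"""<WLANProfile xmlns="{NS['w']}">
  <name>ES_Radius_Test</name>
  <SSIDConfig><SSID><name>ES_Radius_Test</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="{NS['x']}">{mode}</OneX>
  </security></MSM>
</WLANProfile>"""

def audit_profile(xml_text):
    """Report which identity the client will present for this SSID."""
    root = ET.fromstring(xml_text)
    sec = "w:MSM/w:security/"
    ssid = root.findtext("w:SSIDConfig/w:SSID/w:name", "", NS)
    onex = root.findtext(sec + "w:authEncryption/w:useOneX", "false", NS)
    mode = root.findtext(sec + "x:OneX/x:authMode", None, NS)
    uses_onex = onex.strip().lower() == "true"
    mode = mode.strip() if mode else None
    if not uses_onex:
        finding = "802.1X is off for this SSID; no RADIUS identity is sent"
    elif mode is None:
        finding = "authMode not set; machine authentication is not enforced"
    elif mode == "machine":
        finding = "computer account is always presented"
    elif mode == "machineOrUser":
        finding = "user identity is presented once a user is logged on"
    else:
        finding = f"authMode '{mode}' does not present the computer account"
    return {"ssid": ssid, "auth_mode": mode, "finding": finding,
            "machine_only": uses_onex and mode == "machine"}

if __name__ == "__main__":
    for m in ("user", "machineOrUser", "machine", None):
        print(audit_profile(make_profile(m)))
```

A profile that is not `machine_only` sends the user's identity to the RADIUS server, which is what the denied request in the NPS log shows (a user Security ID and a NULL SID for the client machine).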
