Remove "host/" prefix added to 802.1x user

Solved
enigma27
Conversationalist

I have a deployment where machine certificates are deployed and used for 802.1x authentication to an SSID. This machine certificate is created using the device's asset tag. For example asset001.mydomain.co.uk.

Authentication to the SSID works fine. But when looking at clients authenticated, I notice that the Meraki dashboard has a prefix of "host/" in front of the 'User' field. So instead of the Meraki dashboard showing the 'user' field as 'asset001.mydomain.co.uk' (which is the CN of the machine certificate), it shows it as 'host/asset001.mydomain.co.uk'.

Is there a way to remove or disable the addition of this "host/" prefix?

1 Accepted Solution

Take a look at this discussion.

 

Solved: WIndows 10 adding "host/" to the username during eap-tls and or peap - Cisco Community

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

10 Replies
alemabrahao
Kind of a big deal

This prefix is typically added by the server during the authentication process, not by the Meraki dashboard itself.

What RADIUS server are you using?

Cisco ISE.

As far as I remember, this is the standard when you use certificate authentication.

It doesn't seem to be a standard thing with certificate authentication from what I can see. After reviewing further, it appears it only adds this prefix to Windows endpoints. Macs appear with just the hostname as expected. Both Windows and Macs are on the same domain with certs deployed from the same CAs.

The reason this is causing me an issue is that the Syslog messages generated by the APs are sent to another appliance that identifies the asset based on the 'User' field. This appliance doesn't seem to be able to recognise any text after the "host/" so it is simply recognising multiple assets as the same 'User' called 'host'.

If you want to strip the "host/" prefix before sending the request to AD, then you can perform this manipulation in the ISE External identities menu option:

alemabrahao_0-1713286001845.png

Thanks. This should be what I need.

RaphaelL
Kind of a big deal

The dashboard is displaying "host/" in the field "description" because it is seen in the RADIUS packets. 

RaphaelL_0-1713283055619.png

 

I couldn't capture the EAP packets yet. So I'm not sure if the Windows client is actually sending this or the Meraki MS/MR are adding this. Will keep you posted.

RaphaelL
Kind of a big deal

This is a field sent by the Windows workstation. Meraki has nothing to do with it. 

 

RaphaelL_0-1713286591940.png

alemabrahao has suggested some nice tips.
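
Added illustration (not code from any poster, Meraki, or Cisco ISE): the collapse described in this thread, where a log consumer that stops reading the user at "/" records every Windows machine as 'host', and the effect of stripping a leading "host/" from the identity. The log layout, the `identity` key, the consumer's parsing behaviour, and all function names are assumptions; the sample lines are constructed.

```python
import re

# Constructed sample lines. The key=value layout and the "identity" key are
# assumptions for illustration, not the exact AP syslog format.
SAMPLE_LINES = [
    "ap01 events type=dot1x_auth identity='host/asset001.mydomain.co.uk'",
    "ap01 events type=dot1x_auth identity='host/asset002.mydomain.co.uk'",
    "ap02 events type=dot1x_auth identity='asset003.mydomain.co.uk'",
]

IDENTITY_RE = re.compile(r"identity='([^']*)'")
HOST_PREFIX = "host/"


def naive_user(identity):
    """Mimic a consumer that ignores everything from the first '/' onward."""
    return identity.split("/", 1)[0]


def normalize_identity(identity):
    """Strip one leading 'host/' (case-insensitive); leave anything else as is."""
    head, rest = identity[:len(HOST_PREFIX)], identity[len(HOST_PREFIX):]
    if head.lower() == HOST_PREFIX and rest:
        return rest
    return identity


def rewrite_line(line):
    """Return the log line with its identity field normalized."""
    return IDENTITY_RE.sub(
        lambda m: "identity='%s'" % normalize_identity(m.group(1)), line
    )


def assets_seen(lines, extract):
    """Distinct users a consumer using `extract` would record from the lines."""
    users = set()
    for line in lines:
        match = IDENTITY_RE.search(line)
        if match:
            users.add(extract(match.group(1)))
    return users


if __name__ == "__main__":
    print("before:", sorted(assets_seen(SAMPLE_LINES, naive_user)))
    fixed = [rewrite_line(line) for line in SAMPLE_LINES]
    print("after: ", sorted(assets_seen(fixed, naive_user)))
```

The prefix is matched only at the start of the identity, so a value that merely contains "host/" later in the string is left unchanged.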
