Remove "host/" prefix added to 802.1x user

Solved
enigma27
Conversationalist


I have a deployment where machine certificates are deployed and used for 802.1x authentication to an SSID. This machine certificate is created using the device's asset tag. For example asset001.mydomain.co.uk.

Authentication to the SSID works fine. But when looking at clients authenticated, I notice that the Meraki dashboard has a prefix of "host/" in front of the 'User' field. So instead of the Meraki dashboard showing the 'user' field as 'asset001.mydomain.co.uk' (which is the CN of the machine certificate), it shows it as 'host/asset001.mydomain.co.uk'.

Is there a way to remove or disable the addition of this "host/" prefix?

1 Accepted Solution
alemabrahao
Kind of a big deal

Take a look at this discussion.

Solved: WIndows 10 adding "host/" to the username during eap-tls and or peap - Cisco Community

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.


11 Replies
alemabrahao
Kind of a big deal

This prefix is typically added by the server during the authentication process, not by the Meraki dashboard itself.

alemabrahao
Kind of a big deal

What RADIUS server are you using?

enigma27
Conversationalist

Cisco ISE.

alemabrahao
Kind of a big deal

As far as I remember, this is the standard when you use certificate authentication.

enigma27
Conversationalist

It doesn't seem to be a standard thing with certificate authentication from what I can see. After reviewing further, it appears it only adds this prefix to Windows endpoints. Macs appear with just the hostname as expected. Both Windows and Macs are on the same domain with certs deployed from the same CAs.

The reason this is causing me an issue is that the Syslog messages generated by the APs are sent to another appliance that identifies the asset based on the 'User' field. This appliance doesn't seem to be able to recognise any text after the "host/" so it is simply recognising multiple assets as the same 'User' called 'host'.
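
An added example (not part of the thread, and not Meraki or ISE code): where the syslog consumer itself cannot be changed, the "host/" prefix can be stripped in a relay before events reach it. The key=value log layout, the `user` field name and every function name below are assumptions, and the sample lines are constructed.

```python
import re

# Constructed sample events. The key=value layout and the `user` field name are
# assumptions for illustration, not the documented Meraki syslog format.
SAMPLE_EVENTS = [
    "ap1 events type=8021x_auth user='host/asset001.mydomain.co.uk'",
    "ap1 events type=8021x_auth user='host/asset002.mydomain.co.uk'",
    "ap2 events type=8021x_auth user='asset003.mydomain.co.uk'",
    "ap2 events type=8021x_auth user='host/ASSET001.mydomain.co.uk'",
]

USER_FIELD = re.compile(r"\buser='([^']*)'")
MACHINE_PREFIX = "host/"


def normalize_identity(raw):
    """Strip a leading 'host/' (any case) and lower-case the remaining name."""
    value = raw.strip()
    # Only strip when something follows the prefix, so a bare 'host/' stays visible.
    if value.lower().startswith(MACHINE_PREFIX) and len(value) > len(MACHINE_PREFIX):
        value = value[len(MACHINE_PREFIX):]
    return value.lower()


def rewrite_line(line):
    """Rewrite the user field of one event line; the rest of the line is untouched."""
    return USER_FIELD.sub(
        lambda m: "user='%s'" % normalize_identity(m.group(1)), line
    )


def naive_key(raw):
    """Assumed model of the consumer described above: keeps only the text before '/'."""
    return raw.split("/", 1)[0]


def distinct_assets(lines, key):
    """Set of asset names seen when `key` is used to read each line's user field."""
    seen = set()
    for line in lines:
        match = USER_FIELD.search(line)
        if match:
            seen.add(key(match.group(1)))
    return seen


if __name__ == "__main__":
    print("before:", sorted(distinct_assets(SAMPLE_EVENTS, naive_key)))
    print("after: ", sorted(distinct_assets(SAMPLE_EVENTS, normalize_identity)))
```

Comparing the two sets on real traffic shows how many assets were being merged under the single name 'host' before normalization.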

alemabrahao
Kind of a big deal

Take a look at this discussion.

Solved: WIndows 10 adding "host/" to the username during eap-tls and or peap - Cisco Community

alemabrahao
Kind of a big deal

If you want to strip the "host/" prefix before sending the request to AD, then you can perform this manipulation in the ISE External identities menu option:

[Screenshot]

enigma27
Conversationalist

Thanks. This should be what I need.

RaphaelL
Kind of a big deal

The dashboard is displaying "host/" in the field "description" because it is seen in the RADIUS packets. 

[Screenshot]

I couldn't capture the EAP packets yet. So I'm not sure if the Windows client is actually sending this or the Meraki MS/MR are adding this. Will keep you posted.

RaphaelL
Kind of a big deal

This is a field sent by the Windows workstation. Meraki has nothing to do with it.

[Screenshot]

alemabrahao has suggested some nice tips.

Cyrus777
Here to help

I have the same issue with a Meraki/ISE setup. When a Windows client tries to connect to WiFi after reboot automatically, the hostname gets "host/xxxx" attached to it, but when you connect manually that doesn't happen.

I made the above adjustment in the advanced settings for ISE, but that did not resolve the issue for me and I still see a lot of authentication failures when Windows machines are trying to connect automatically when they come up on the network. The user must click on the SSID to connect, and when they do that the host/ is not there anymore.
