We are trying to implement 802.1x to authenticate wirelless users (Aruba Controller) through RADIUS (Windows server 2019 NPS),
For mobile phones and guests devices, we have successfully configured the authentication via user (AD Account) , but for the LAN devices (Windows 10 Domaine joined computers) we are trying the set machine authentication but unfortunatly it seems to be impossible , I have noticed that in NPS event log, the computer name is passed as a user account and not a computer account:
The Network Policy Server denied access to a user.
Contact the NPS server administrator for more information.
1- User:
- Security ID: **NULL SID**
- Account name: **host/machinename.domain.com**
- Account domain: **domain.com**
- Full account name: **domain.com\machinename$**
2- Computer:
- Security ID: ****NULL SID****
- Account Name : **-**
- Full account name: **-**
- Identifier of the called station: **10:LAN-SSID**
- Calling station identifier: **FF0000000000**
down here is our configuration of the NPS Network policy and the wireless profile on a windows 10 domain joined computer :
1- NPS Network policy-Conditions:
- Computers groups : Domain\Domain Computers
- NAS port type : wireless-other or wirelless-IEEE 802.11
2- NPS Network policy : Contraints
- EAP protocols types : Microsoft: PEAP (Protected EAP)
- EAP Types: Secured password (EAP-MSCHAP version 2)
3- NPS Network policy : Settings
- Framed-Protocol : PPP - Service-Type : Framed - Tunnel-Type : Virtual LANs (VLAN) Tunnel-Medium-Type 802 (Includes all 802 media plus Ethernet canonical ... - Tunnel-Pvt-Group-ID: Our VLAN ID - Termination-Action : RADIUS-Request
Windows 10 WLAN Card configuration :
1- Windows 10 wireless profile : EAP-PEAP
6- Windows 10 wireless profile: EAP-MSCHAPv2
7- Windows 10 wireless profile: do not use username and domain
8- Windows 10 wireless profile: Authentication mode : computer
Sorry for the long post.
Best regards
