802.1x and windows 10 domain authentication

Tags: 802.1, active-directory, nps, pxe-boot, windows 10

Our site has had this problem for over a year now…(off and on).

After PXE imaging a computer via network MAB authentication, the image finishes fine, but once it gets on the domain via the computer account created during the imaging, it stops authenticating to the domain.

Here's how we image computers:

(1.) A computer gets brought to the Service Desk for image (or re-image), and they create a MAB in Active Directory using the computer's MAC address.

(2.) The MAB account is added to a Baseline VLAN security group in AD, so that when the computer attempts to boot to PXE, it authenticates via the correct MAB, gets an IP through DHCP, etc.

(3.) Once the PXE & SCCM image processes are complete, it adds the computer to the domain via a service account solely created for adding computers to the domain. The credentials are built into the image process (somehow).

Then, soon after it finishes the imaging process and is added to the domain, something triggers NPS to not authenticate the computer account, and we believe it has something to do with 802.1x…possibly.

Here's a snippet of the NPS Server log where the computer account authentication fails…

User:

   Security ID:              NULL SID
   Account Name:             host/[hostname given during image].domain.com

Client Machine:

   Security ID:              NULL SID

NAS

   [blah blah, switch info]

RADIUS Client:

   [more switch & VLAN info...which is correct]

Authentication Details:

   Connection Request Policy Name: Wired Connection
   ...[leaving a lot of things blank to avoid verbosity]...
   Reason Code: 7
   Reason: The specified domain does not exist.

Here are my questions:

-How can we narrow down whether or not it's 802.1x related? The policies are set within NPS and the port to authenticate via 802.1x first, and then try a MAB if that fails.

-Is that reason code indicating a failure of the NPS server in finding an account associated with that hostname? Is it an indication that the computer is not passing the correct credentials to NPS?

Best Answer

Some success:

We found that the failover mechanism for authentication to 802.1x/MAB on the Cisco switch was not properly set on one of the ports we were testing on. That would explain why the NPS logs repeatedly showed the MAB authenticating properly, but the 802.1x never succeeding.

Sure enough, we went into the switch, changed it, and set the authentication order in the switch to "dot1x MAB"...and it's been working perfectly ever since. We're continuing to test other computers to confirm this is the solution, but it looks like we're good.

Thanks!
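The triage the question asks for (is it 802.1x or MAB?), as an added example that is not from the original thread: a small Python check over NPS audit events (event 6272 = access granted, 6273 = access denied) that flags endpoints whose MAB keeps succeeding while 802.1x never does, the pattern the answer traced to the port's authentication order and failover. The sample events, hostnames and MACs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample NPS audit events (6272 granted, 6273 denied); hosts and MACs are made up.
SAMPLE_EVENTS = """\
Event ID: 6272
   Account Name:             00-11-22-33-44-55
   Calling Station Identifier: 00-11-22-33-44-55
Event ID: 6273
   Account Name:             host/ws-lab-07.example.com
   Calling Station Identifier: 00-11-22-33-44-55
   Reason Code:              7
   Reason:                   The specified domain does not exist.
Event ID: 6272
   Account Name:             host/ws-lab-08.example.com
   Calling Station Identifier: 00-11-22-33-44-66
"""
MAC_RE = re.compile(r"^([0-9a-f]{2}[-:.]?){5}[0-9a-f]{2}$", re.I)

def parse_events(text):
    """One dict per 'Event ID:' block; each 'Key: value' line becomes an entry."""
    events = []
    for block in re.split(r"\n(?=Event ID:)", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        events.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return events

def auth_method(ev):
    """MAB presents the MAC as the account name; 802.1x machine auth uses host/<fqdn>."""
    name = ev.get("Account Name", "")
    if name.lower().startswith("host/"):
        return "dot1x"
    return "mab" if MAC_RE.match(name) else "other"

def find_mab_only_endpoints(events):
    """MACs where MAB succeeded but every 802.1x attempt was denied: check the port's auth order first."""
    seen = defaultdict(lambda: {"mab_ok": False, "dot1x_ok": False, "dot1x_fail": 0})
    for ev in events:
        mac = ev.get("Calling Station Identifier", "").lower()
        granted = ev.get("Event ID") == "6272"
        method = auth_method(ev)
        if method == "mab" and granted:
            seen[mac]["mab_ok"] = True
        elif method == "dot1x" and granted:
            seen[mac]["dot1x_ok"] = True
        elif method == "dot1x":
            seen[mac]["dot1x_fail"] += 1
    return sorted(m for m, s in seen.items()
                  if s["mab_ok"] and s["dot1x_fail"] and not s["dot1x_ok"])
```

Endpoints it returns are the ones whose switch port deserves a look at the dot1x/MAB order and failover settings before the computer account or NPS policy is suspected.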