EAP-TLS + NPS Passing MAC addresses as Username

Hi there

I've been using 802.1x for SSTP VPN and EAP-TLS WiFi with no issues, using an NPS server to do the auth and certs being issued by an AD PKI CA server.

I'm trying to set up a Sophos Switch CS110-48p with EAP-TLS. I set up my user's computer to use EAP-TLS (using either a Device or User cert, with a corresponding NPS policy to match); however, when trying to auth against the switch, NPS shows the logs:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: NULL SID

Account Name: 000c29fcbf0f

Account Domain: XXXXX

Fully Qualified Account Name: XXXXX\000c29fcbf0f

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

Called Station Identifier: c8-4f-86-61-48-5a

Calling Station Identifier: 00-0c-29-30-42-4b

NAS:

NAS IPv4 Address: 10.20.0.11

NAS IPv6 Address: -

NAS Identifier: fsNas1

NAS Port-Type: Ethernet

NAS Port: 3

RADIUS Client:

Client Friendly Name: Sophos Switch A

Client IP Address: 10.20.0.11

Authentication Details:

Connection Request Policy Name: XXXXX LAN

Network Policy Name: -

Authentication Provider: Windows

Authentication Server: B-NPS01-A.int.XXXXX.co.uk

Authentication Type: EAP

EAP Type: -

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Reason Code: 8

Reason: The specified user account does not exist.

Turns out 000c29fcbf0f is the MAC address of the computer I'm testing from (noting I've tested from VMs and laptops/desktops).

I have no idea how the MAC address is being presented to the server itself. It can't be a config on the Windows computers, as I've done tonnes of EAP-TLS stuff before and am familiar with the required configs on the computers' Ethernet NIC.

So that kind of leaves me wondering: could the Sophos switch be passing MAC addresses through as part of the EAPOL process?

Has anyone got 802.1x with EAP-TLS working successfully on these switches? Any idea how to troubleshoot what's going on here?

Thanks



Added TAGs
[edited by: Erick Jan at 3:47 AM (GMT -8) on 11 Jan 2024]
  • OK, turns out the switch was set to use MAB. Have disabled that!

    Now when trying to use a User cert to connect to Ethernet, I'm seeing the true username being presented to NPS; however, it looks like the EAPOL flow isn't being completed. Basically auth fails with no logs on the NPS server, but some of the EAPOL process is being started and not completed.

    Pic below is of a Wireshark trace:

    https://ibb.co/jhtD5zR

    Wondering any thoughts on that?
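The follow-up above pins the "MAC address as username" symptom on MAB being enabled on the switch port. As an added example (not part of the original thread, nor Sophos or Microsoft code), the following Python parses the text of an NPS "denied access" event and flags the MAB signature: a MAC-shaped Account Name with no EAP type negotiated, which separates a port falling back to MAB from a genuine EAP-TLS certificate failure. The sample event is constructed from the fields quoted in the post.

```python
import re

# Constructed sample, reduced to the fields the check reads (values as quoted in the post).
SAMPLE_EVENT = r"""
Network Policy Server denied access to a user.
Account Name: 000c29fcbf0f
Fully Qualified Account Name: XXXXX\000c29fcbf0f
Client Machine:
Account Name: -
Calling Station Identifier: 00-0c-29-30-42-4b
NAS Port-Type: Ethernet
Authentication Type: EAP
EAP Type: -
Reason Code: 8
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 -]+?):\s*(.*?)\s*$")
# 12 hex digits, optionally paired with '-', ':' or '.' (covers 000c29fcbf0f and 00-0c-29-30-42-4b).
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[-:.]?){5}[0-9a-f]{2}$")


def parse_nps_event(text):
    """Map 'Field: value' lines to a dict; the first occurrence wins, so the
    User section's Account Name is kept over the Client Machine one."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields


def normalize_mac(value):
    """Return lower-case hex with separators removed, or None if not MAC-shaped."""
    v = value.strip().lower()
    return re.sub(r"[-:.]", "", v) if MAC_RE.match(v) else None


def classify_event(text):
    """Heuristic: a MAC-shaped Account Name with EAP Type '-' means the NAS sent a
    MAB request instead of an EAP identity. A 12-hex-digit user name is possible
    in principle, so treat a hit as a pointer to check the port config, not proof."""
    f = parse_nps_event(text)
    account_mac = normalize_mac(f.get("Account Name", ""))
    calling_mac = normalize_mac(f.get("Calling Station Identifier", ""))
    return {
        "mab_suspected": account_mac is not None and f.get("EAP Type") == "-",
        "account_matches_calling_station": account_mac is not None and account_mac == calling_mac,
        "reason_code": f.get("Reason Code"),
    }
```

Run over exported Event 6273 text, `mab_suspected` hits from a switch that is meant to be doing EAP-TLS point at the port's authentication mode rather than at the client's certificate or the NPS policy.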