Hi,
I'm needing some guidance on the altSecurityIdentifier when it comes to mapping certificates for machine authentication. The new 'stronger' methods do not work. The only one I can get to work is the 'weak' X509IssuerSubject mapping, which has always been for my devices that support EAP-TLS. I'll go over what I have currently setup and what I've tried.
Current setup:
I have an AD domain controller, ADCS, and NPS to authorize my clients. An object in AD gets created (a machine object). A certificate from ADCS get's issued and installed on the client. I take the X509 and manually map it to that computer object and check the boxes for issuer and subjectName. I then setup my authentication (which this is for a wireless network WPA2 Enterprise). I'll setup the SSID name --> Choose WPA2 Enterprise --> Change Authentication from Automatic to EAP-TLS --> Select the certificate --> enter a username (which is the machine name with a $ (i.e. MYSYSTEM$)). The system then hits NPS and authenticates the device and is now on the network.
With the new security enhancements:
NPS logs a failure in the logs stating that there is a credential mismatch. In order to be compliant with the new security mappings, I have altered and followed KB5014754 and HowTo: Map a user to a certificate via all the methods available in the altSecurityIdentities attrib...
I put this in the correct formats (and I've tried each of the strong formats). They do not work. They will not authenticate the client. NPS reports its the same credential mismatch.
So my question is, with the current setup and utilizing EAP-TLS with my clients (which by the way some are domain joined MACs and some are not domain joined MACs), is there any way to get this to work with the machine authentication method I'm using?
I do get I could do the mapping to a user object instead of a computer object. I just hate to have that many user accounts active for devices.
JB
