802.1x and IDM

I have set up an 802.1x environment with IDM 3.0 and an IDM agent in a Microsoft IAS server. I will only do client authentication (no user) and I have imported my client group from Microsoft AD to IDM; everything seems OK. When I look in IDM I can see that my clients are registered as host/ in my Client Policy Groups. When I make an authentication my IAS server refuses the client because host/ is not a valid AD user, since its account name is only without "host/" in front. Does someone know why the clients are registered in IDM with "host/" in front of the name, and how I can get rid of this in order to make the client authenticate with the exact hostname?

Stefan Claesson
Caperio Sweden
Franck Guenichot
Occasional Advisor

Re: 802.1x and IDM

It may be too late, but here's an explanation: when doing machine authentication with the computer account, the 802.1x supplicant prepends the hostname with "host/".

For example a computer named PC_A in the toto.local AD Domain will authenticate itself like this: host/PC_A.toto.local

If IAS rejects the authentication with a message like "Denied access: Account not found...", it's surely because your machine account doesn't have a valid servicePrincipalName.

You can check this with csvde or ldifde.

For each of the machine accounts you want to authenticate with 802.1x, you must check that this AD attribute is correctly filled.
Values should be like this:
host/PC_A.toto.local,host/PC_A (not sure for the comma)

I've faced the same issue, and I don't know why some computer accounts have the SPN correctly set and some don't...

You can add SPN using the setspn.exe tool.
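The reply above suggests exporting the computer accounts with ldifde, checking each one's servicePrincipalName values, and adding any missing ones with setspn.exe. The following script is an added example (not from the original thread, and not an HP or Microsoft tool) that automates the checking step offline: it parses an LDIF export as ldifde writes it, works out which host/ SPNs each computer account should carry (host/FQDN from dNSHostName and host/shortname from sAMAccountName), reports what is missing, and prints the setspn commands that would fill the gap. The sample export, the PC_A/PC_B/PC_C hostnames and the toto.local domain are constructed for the example; the setspn -S syntax is the real tool's (it checks for duplicate SPNs before adding).

```python
import base64
import re
from typing import Dict, List

# Constructed sample export in the shape ldifde produces, e.g. from
#   ldifde -f computers.ldf -r "(objectClass=computer)" -l sAMAccountName,dNSHostName,servicePrincipalName
# PC_A is complete, PC_B has no SPNs at all, PC_C lacks the short-name SPN.
SAMPLE_LDIF = """\
dn: CN=PC_A,CN=Computers,DC=toto,DC=local
changetype: add
objectClass: computer
sAMAccountName: PC_A$
dNSHostName: PC_A.toto.local
servicePrincipalName: HOST/PC_A.toto.local
servicePrincipalName: HOST/PC_A

dn: CN=PC_B,CN=Computers,DC=toto,DC=local
changetype: add
objectClass: computer
sAMAccountName: PC_B$
dNSHostName: PC_B.toto.local

dn: CN=PC_C,CN=Computers,DC=toto,DC=local
changetype: add
objectClass: computer
sAMAccountName: PC_C$
dNSHostName: PC_C.toto.local
servicePrincipalName: HOST/PC_C.toto.local
"""


def _unfold(lines: List[str]) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    out: List[str] = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF records into dicts of lower-cased attribute name -> list of values.

    Multi-valued attributes (servicePrincipalName) appear once per value, so every
    attribute maps to a list. 'attr:: <base64>' values are decoded.
    """
    records: List[Dict[str, List[str]]] = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, List[str]] = {}
        for line in _unfold(chunk.splitlines()):
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            rec.setdefault(name.strip().lower(), []).append(value)
        if rec:
            records.append(rec)
    return records


def expected_host_spns(rec: Dict[str, List[str]]) -> List[str]:
    """The two host/ SPNs a machine account needs for 802.1x machine authentication."""
    fqdn = rec.get("dnshostname", [""])[0]
    sam = rec.get("samaccountname", [""])[0]
    short = sam.rstrip("$") or (fqdn.split(".")[0] if fqdn else "")
    expected = []
    if fqdn:
        expected.append(f"host/{fqdn}")
    if short:
        expected.append(f"host/{short}")
    return expected


def audit_host_spns(ldif_text: str) -> Dict[str, List[str]]:
    """Map each computer account (sAMAccountName) to the host/ SPNs it is missing.

    SPN comparison is case-insensitive, matching how AD stores and matches them.
    """
    report: Dict[str, List[str]] = {}
    for rec in parse_ldif(ldif_text):
        if "computer" not in [v.lower() for v in rec.get("objectclass", [])]:
            continue
        present = {v.lower() for v in rec.get("serviceprincipalname", [])}
        sam = rec["samaccountname"][0]
        report[sam] = [s for s in expected_host_spns(rec) if s.lower() not in present]
    return report


def setspn_commands(report: Dict[str, List[str]]) -> List[str]:
    """Render the setspn.exe invocations that would add each missing SPN."""
    return [
        f"setspn -S {spn} {sam.rstrip('$')}"
        for sam, missing in report.items()
        for spn in missing
    ]


if __name__ == "__main__":
    result = audit_host_spns(SAMPLE_LDIF)
    for account, missing in result.items():
        print(f"{account}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
    for cmd in setspn_commands(result):
        print(cmd)
```

Run it against a real export by replacing SAMPLE_LDIF with the contents of the .ldf file; review the printed setspn lines before executing any of them, since the script only reports and never touches the directory.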