Hello,
I’d appreciate some help trying to connect a Windows client to an EAP-TLS secured Mikrotik wifi.
Regarding EAP-TLS, windows offers two modes:
- user authentication mode
- computer authentication mode
Whereas in “user auth mode” Windows connects seamlessly, this mode unfortunately has some significant drawbacks. Therefore I need to use “computer auth mode” for this setup, but I have the following trouble there:
When using Windows in “USER authentication mode”, Windows takes “my-username” from the client certificate, sends this “my-username” as the EAP identity string to the RADIUS server (Mikrotik User Manager, ROS 7.10), and the RADIUS server replies Access-Accept. All fine.
However, when using Windows in “COMPUTER authentication mode”, Windows adds the prefix “host/” to the EAP identity string, now sending “host/my-username” to the RADIUS server. User Manager replies Access-Reject.
During all my tests User Manager always enforced the EAP identity string to be identical with the username in the certificate, which by the way doesn’t seem to be RFC-compliant behavior. But obviously, Windows’ “host/”-prefixed string cannot be identical with the username in the cert, so User Manager rejects the login.
High end devices like Cisco could handle this prefix issue easily, but with Mikrotik I’m stuck.
Does anyone know how to solve this “host/” prefix headache in a way that satisfies User Manager? Or is there any other way to connect Windows in “computer auth mode” to an EAP-TLS secured Mikrotik wifi network?
I’d be grateful for any kind of advice.
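The following is an added example, not code from the post, from Windows or from Mikrotik: it builds and parses the EAP-Response/Identity packet (RFC 3748 layout: Code, Identifier, Length, Type, Type-Data) so the two identity strings from the post can be seen as they travel to the RADIUS server, and then models the two identity-to-certificate policies the post contrasts. The `strict` policy reproduces the behaviour the post reports for User Manager (identity must equal the certificate name exactly); the tolerant policy (strip the "host/" machine prefix, compare case-insensitively) is an assumption about what a prefix-aware RADIUS server might do and is not documented Mikrotik behaviour. The certificate name is passed in as a plain string, so the chain validation that EAP-TLS still performs is outside this model.

```python
import struct
from dataclasses import dataclass

# EAP constants from RFC 3748: Code 2 = Response, Type 1 = Identity.
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
# Prefix Windows prepends in "computer authentication mode" (from the post).
MACHINE_PREFIX = "host/"


def build_identity_response(identifier: int, identity: str) -> bytes:
    """Serialise an EAP-Response/Identity: Code(1) Id(1) Length(2) Type(1) Type-Data."""
    data = identity.encode("utf-8")
    length = 5 + len(data)  # header (4 bytes) + Type byte + identity bytes
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, length, EAP_TYPE_IDENTITY) + data


def parse_identity_response(pkt: bytes) -> str:
    """Extract the identity string from an EAP-Response/Identity, rejecting malformed input."""
    if len(pkt) < 5:
        raise ValueError("packet too short for an EAP-Response/Identity")
    code, _identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY or length != len(pkt):
        raise ValueError("not a well-formed EAP-Response/Identity")
    return pkt[5:length].decode("utf-8")


@dataclass(frozen=True)
class EapIdentity:
    raw: str          # identity exactly as received
    is_machine: bool  # True when Windows sent it in "computer authentication mode"
    name: str         # identity with the "host/" prefix removed


def parse_eap_identity(raw: str) -> EapIdentity:
    """Split the received identity into the machine flag and the bare name."""
    if raw.startswith(MACHINE_PREFIX):
        return EapIdentity(raw, True, raw[len(MACHINE_PREFIX):])
    return EapIdentity(raw, False, raw)


def identity_matches_cert(raw_identity: str, cert_name: str, strict: bool) -> bool:
    """strict=True: identity must equal the certificate name byte-for-byte
    (the User Manager behaviour described in the post).
    strict=False: assumed tolerant policy; ignore the machine prefix and case."""
    if strict:
        return raw_identity == cert_name
    ident = parse_eap_identity(raw_identity)
    return ident.name.casefold() == cert_name.casefold()


def decide(raw_identity: str, cert_name: str, strict: bool) -> str:
    """Return the RADIUS outcome the policy would produce for this login."""
    return "Access-Accept" if identity_matches_cert(raw_identity, cert_name, strict) else "Access-Reject"


if __name__ == "__main__":
    # Constructed sample logins: user mode and computer mode against the same cert name.
    cert_name = "my-username"
    for raw in ("my-username", "host/my-username"):
        wire = build_identity_response(identifier=1, identity=raw)
        received = parse_identity_response(wire)
        ident = parse_eap_identity(received)
        print(f"{received!r:22} machine={ident.is_machine!s:5} "
              f"strict={decide(received, cert_name, True):13} "
              f"tolerant={decide(received, cert_name, False)}")
```

Running the module prints one line per login: the user-mode identity is accepted under both policies, while the computer-mode identity is rejected under the strict policy and accepted only once the "host/" prefix is ignored, which is exactly the mismatch the post describes. Any tolerant comparison should remain a hint that selects the account; the proof of identity is still the client certificate and its chain.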