We have an Enterprise Certificate Infrastructure in place with an Offline RootCA server and a SubCA server that issues the certs. We created a Certificate Template for WiFi authentication and requested a certificate for both an XP laptop and a Windows 7 laptop, both members of the same AD domain.
In IAS, we created a Connection Request Policy and a Remote Access Policy for this access. The Windows XP box can connect perfectly fine with its computer certificate, but the Windows 7 box fails. IAS logs:
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.
What we are seeing is that the Windows XP box presents itself with a user identity of Machine$@domain.com, while the Windows 7 box presents itself with a user identity of Machine.domain.com (note the dollar sign and @ sign are not there). Because of this, IAS isn't finding the machine account in AD.
We ended up working around it by modifying the User-Name attribute to replace .domain.com with $@domain.com, but I feel this is a bit of a hack. (Note: the rule is a regex, so you need to escape the periods and the dollar sign.)
Considering both these machines are clean installs and received a cert from the same SubCA server using the same method and selecting the same Template, I find this behavior odd.
Any ideas why they behave so differently?
Denny
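The User-Name rewrite described in the post, as an added example that is not part of the original post and not IAS's own attribute-manipulation syntax: it is written in Python so the escaping caveat can be checked offline. The realm "domain.com" is a placeholder and the identities are constructed; it also shows what an unescaped period pattern would wrongly match.

```python
import re

# Constructed identities, as the post describes them (no real hosts):
# the XP client sends Machine$@domain.com, the Windows 7 client sends
# Machine.domain.com. "domain.com" is an assumed placeholder realm.
REALM = "domain.com"

# Find pattern: a bare host name (no dots, so a sub-domain form is left
# untouched) followed by a literal ".domain.com". The periods are
# escaped; an unescaped "." matches any single character.
FIND = re.compile(r"^([^@$./]+)\." + re.escape(REALM) + r"$")

# Replacement: the host name, then a literal "$@domain.com". Python treats
# "$" in a replacement string literally, so only the backreference needs
# care here; the poster notes that in an IAS attribute-manipulation rule
# the dollar sign must be escaped as well.
REPLACE = r"\1$@" + REALM

# Same pattern with the realm's periods left unescaped, kept only to show
# how it over-matches in the check below.
NAIVE_FIND = re.compile(r"^([^@$./]+)." + REALM + r"$")


def normalize_user_name(identity: str) -> str:
    """Rewrite Machine.domain.com to Machine$@domain.com; anything that is
    not exactly that shape (including the XP form) is returned unchanged."""
    return FIND.sub(REPLACE, identity)


def naive_normalize(identity: str) -> str:
    """The same rewrite with unescaped periods: rewrites values it should not."""
    return NAIVE_FIND.sub(REPLACE, identity)


def looks_like_machine_account(identity: str) -> bool:
    """True when the value has the Machine$@realm shape IAS matched for the
    XP client. The "$" must be escaped in the pattern, since unescaped it
    anchors the end of the string instead of matching a dollar sign."""
    pattern = r"[^@$./]+\$@" + re.escape(REALM)
    return re.fullmatch(pattern, identity) is not None


if __name__ == "__main__":
    for ident in ("Machine$@domain.com", "Machine.domain.com", "MachineXdomainXcom"):
        fixed = normalize_user_name(ident)
        print(f"{ident!r:24} -> {fixed!r:24} machine account: {looks_like_machine_account(fixed)}")
```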