
Surface Hub 802.1x authentication on wired networks

I've got a network here which uses certificates on both wireless and wired for computer or user authentication. For the Surface Hub I generated a computer certificate and installed it (with the right chain) on the Surface Hub using a provisioning package.
The Surface Hub is running version 10.0 (build 15063) of Windows 10 Team (it had the update for 1703), so it should allow 802.1x authentication on wired networks, and this should be enabled by default. But I've got some problems.

- I can connect to the wireless network, but it doesn't connect to the wired network. We checked the connection itself and that's not the problem. We checked with the authentication server, and it returns an error which says it's using the wrong authentication protocol on the wired connection.

The device was delivered without the 1703 update, so we thought maybe the setting wasn't enabled yet. We did a reset of the device, but this also removed the 1703 update, and we can't seem to find how to revert it to default settings without removing the update.

The environment here is a hybrid SCCM\Intune environment but doesn't support modern devices yet, and we only have 2 Surface Hubs, so we prefer not to have to install 3 or 4 new roles in the SCCM system just for these 2 devices. But this doesn't let us change the setting for the 802.1x authentication, as it seems this can only be changed by MDM and not by provisioning packages.

If someone has some tips or solutions for me I would be grateful, as it's now blocking our tests.
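As an added example (not from this thread or from Microsoft): the wired 802.1X settings on desktop Windows live in a LAN profile XML (the format `netsh lan export profile` writes), and the EAP method number and auth mode in that file are exactly what a RADIUS server complaining about the "wrong authentication protocol" would disagree with. This script reads those fields out of a constructed sample profile; it assumes the standard Microsoft profile namespaces and the well-known IANA EAP type numbers.

```python
"""Report which EAP method and auth mode a Windows wired (802.1X) LAN profile
XML selects. The sample profile below is constructed for this example."""
import xml.etree.ElementTree as ET

NS = {
    "lan": "http://www.microsoft.com/networking/LAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "ehc": "http://www.microsoft.com/provisioning/EapHostConfig",
    "eap": "http://www.microsoft.com/provisioning/EapCommon",
}
# IANA EAP method type numbers as they appear in <Type> (assumed values)
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def inspect_lan_profile(xml_text):
    """Return enabled/enforced/auth_mode/eap_type/eap_name for the profile;
    raise ValueError when the profile does not switch 802.1X on at all."""
    root = ET.fromstring(xml_text)
    sec = root.find("lan:MSM/lan:security", NS)
    if sec is None or sec.findtext("lan:OneXEnabled", "false", NS) != "true":
        raise ValueError("OneXEnabled is not true: profile does no 802.1X")
    onex = sec.find("onex:OneX", NS)
    path = "onex:EAPConfig/ehc:EapHostConfig/ehc:EapMethod/eap:Type"
    eap_type = int(onex.findtext(path, "0", NS))
    return {
        "enabled": True,
        # OneXEnforced=false: Windows still brings the link up if EAP fails
        "enforced": sec.findtext("lan:OneXEnforced", "false", NS) == "true",
        # a computer certificate is only used in 'machine' or 'machineOrUser'
        "auth_mode": onex.findtext("onex:authMode", "", NS),
        "eap_type": eap_type,
        "eap_name": EAP_TYPES.get(eap_type, "unknown"),
    }

# constructed sample: EAP-TLS (type 13) with machine authentication
SAMPLE_PROFILE = """<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM><security>
    <OneXEnforced>false</OneXEnforced>
    <OneXEnabled>true</OneXEnabled>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machine</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod>
            <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
          </EapMethod>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</LANProfile>"""

if __name__ == "__main__":
    print(inspect_lan_profile(SAMPLE_PROFILE))
```

Compare the reported `eap_name` and `auth_mode` with the method and identity type the RADIUS policy expects; a mismatch on either is enough for the server to reject the wired attempt while wireless, with its own profile, still works.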


The only certificates I'm even mildly familiar with are the ones required for HTTPS. I didn't know there are certificates that can be used for general network access. @leadeater Any ideas?


We use group policy to configure 802.1x wired auth; have a look at this and let me know if it helps.

Also, when an interface is enabled for 802.1x you should see this extra tab in its properties. Normally you can just change them at will, but since ours are GPO controlled it's all grayed out.


Bugger, Surface Hub, missed the Hub part. We had a few of these on trial not long ago and they worked on our wired auth network, but I wasn't involved at all with setting them up on the network. We also have fallback network access, so if 802.1x fails an IP is still given; we use it more for SSO sign-on for firewall access, RADIUS tokens are forwarded to the firewalls to add the info to their client tables.


1 hour ago, leadeater said:

We use group policy to configure 802.1x wired auth; have a look at this and let me know if it helps.

Also, when an interface is enabled for 802.1x you should see this extra tab in its properties. Normally you can just change them at will, but since ours are GPO controlled it's all grayed out.

We use this too for our clients, but Surface Hubs don't support GPOs; you need to configure it with MDM or provisioning packages. And the provisioning packages don't support these settings (yet).


13 hours ago, Levisallanon said:

We use this too for our clients, but Surface Hubs don't support GPOs; you need to configure it with MDM or provisioning packages. And the provisioning packages don't support these settings (yet).

Can't you just disable 802.1x on the port for the Hub, or auth it some other way, like MAC address? Now I'm curious how we got ours to work.


7 hours ago, leadeater said:

Can't you just disable 802.1x on the port for the Hub, or auth it some other way, like MAC address? Now I'm curious how we got ours to work.

Normally that would be the answer, but this one will be mobile and can be put in multiple board rooms. It will sometimes use the wifi, but to guarantee the connection reliability we need to be able to plug it into the LAN as well when it's available in the board room (the movable stand will have a LAN cable on it so people can connect it). So disabling the port won't work.

Also, this would be a security risk, as it's a known attack vector. An attacker could use this port to get access to the network by unplugging the Hub from this LAN port and using it. Especially since Surface Hubs are generally in rooms where other people might also come in.


13 minutes ago, Levisallanon said:

Normally that would be the answer, but this one will be mobile and can be put in multiple board rooms. It will sometimes use the wifi, but to guarantee the connection reliability we need to be able to plug it into the LAN as well when it's available in the board room (the movable stand will have a LAN cable on it so people can connect it). So disabling the port won't work.

Also, this would be a security risk, as it's a known attack vector. An attacker could use this port to get access to the network by unplugging the Hub from this LAN port and using it. Especially since Surface Hubs are generally in rooms where other people might also come in.

Hmm, we do our 802.1x using Aruba ClearPass Policy Server, so our port authentication is rather flexible. We can do AD auth, cert or MAC address etc. with multiple different authentication sources, and we also send down different switch port configurations depending on what gets authed (like VLAN and ACLs). I doubt putting in something this elaborate is worth looking at just for Surface Hubs though.

Is it possible to have a dedicated Intune setup just for the Surface Hubs so you can generate MDM profiles with the required settings? Would that even work? Not used Intune at all.


1 minute ago, leadeater said:

Hmm, we do our 802.1x using Aruba ClearPass Policy Server, so our port authentication is rather flexible. We can do AD auth, cert or MAC address etc. with multiple different authentication sources, and we also send down different switch port configurations depending on what gets authed (like VLAN and ACLs). I doubt putting in something this elaborate is worth looking at just for Surface Hubs though.

Yeah, I wish this customer had this flexible setup as well. To make it even worse, I can't configure it because it's managed by another company.

2 minutes ago, leadeater said:

Is it possible to have a dedicated Intune setup just for the Surface Hubs so you can generate MDM profiles with the required settings? Would that even work? Not used Intune at all.

They are using an SCCM/Intune hybrid now, but to get it ready 4 more SCCM roles need to be installed, which is way too much work for it. So if I want to have a standalone Intune I would need to make another Azure tenant and set up trust relations between them etc. to make it work; that's also way too much work for it. The problem is that authentication for the network goes over Kerberos, so it needs to be AD joined, so to enroll it in another Intune environment I would need to set up this trust relation, else it won't be able to authenticate with Kerberos anymore.

I thought about setting up another Intune environment, managing it with that and then removing it from it again. But from what I can find, the only way to remove it from an environment is to factory reset it (which will remove the Windows update and therefore bring me back to square one).


7 minutes ago, Levisallanon said:

Yeah, I wish this customer had this flexible setup as well. To make it even worse, I can't configure it because it's managed by another company.

They are using an SCCM/Intune hybrid now, but to get it ready 4 more SCCM roles need to be installed, which is way too much work for it. So if I want to have a standalone Intune I would need to make another Azure tenant and set up trust relations between them etc. to make it work; that's also way too much work for it. The problem is that authentication for the network goes over Kerberos, so it needs to be AD joined, so to enroll it in another Intune environment I would need to set up this trust relation, else it won't be able to authenticate with Kerberos anymore.

I thought about setting up another Intune environment, managing it with that and then removing it from it again. But from what I can find, the only way to remove it from an environment is to factory reset it (which will remove the Windows update and therefore bring me back to square one).

This is all I can think of right now lol.

Wish I could think of something more helpful.


On 5/26/2018 at 12:05 PM, leadeater said:

This is all I can think of right now lol.

Wish I could think of something more helpful.

Kind of feels this way indeed .... seems my only option left is Microsoft support .... jeeej .... :(

