How are the non-domain machines provisioned to use 802.1X? Many places use applications such as Cloudpath XpressConnect or Aruba ClearPass to provision the student or personal clients.
We use Windows Group Policy to push the settings & certificates to Windows domain machines. We use a management system to provision Apple computers too. For Apple, we are currently using User Profiles, but will likely move to Login Window Profiles for our University owned Apple machines. Student and personal computers are configured to use user authentication only. Our Aruba wireless infrastructure is not set to enforce machine authentication, but it allows it if that is what the client tries. If we had a student or personal machine give a machine authentication error. We would have then re=provision it with our tools. I don't know if our experiences will help you, Joe. Bruce Osborne Network Engineer IT Network Services (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Joe Roth [mailto:jr...@binghamton.edu] Sent: Friday, August 03, 2012 4:03 PM Subject: Dot1x/WPA2 and machine authentication We are in the process of rolling out the Cisco Identity Services Engine as well as a WPA2 SSID, and have run into an issue, I did some research online and have not come up with much so I was hoping someone else could shed some light on this... By default Windows will first attempt to do machine authentication, and then if this fails it should move on to user authentication. We have Cisco ISE joined to our domain, and so the domain machines that connect to our WPA2 SSID successfully do machine authentication. However, machines that are not joined to the domain that fail machine authentication (which they should) will at times throw up an authentication failure message in Windows, but not prompt for a username/password to authenticate to the SSID. Sometimes they do, sometimes they don't, it is inconsistent. In Windows 7 if we go into the Advanced settings and specify that it use username/pass only, it works fine. I believe that the default is machine and/or username/pass authentication. Which means anyone with a non domain machine (all of our students!) could experience this issue. We have shut off machine authentication in ISE, and this has kept the issue from recurring, however we would like to leverage machine authentication at some point, but not if it is going to cause issues with the non domain machines. Has anyone else experienced this? Any remedies? Thanks in advance. -- Joe Roth Networking Group Binghamton University Ph. 607-777-7528 Fax 607-777-4009 ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.