I am not sure this answers your question directly but I will extend the explanation.

Using machine authentication required that we enable this feature on our wireless controllers. RADIUS here is already back-ended by AD. Only AD machines joined to the domain can access that network. Start with that. After that was set up we extended the SSID to accommodate (VLAN steering) a second deployment VLAN when machine auth fails. This deployment network is a non-routed private address space that only accepts AD admin authentication with the ability to join machines to the domain. The process begins with a supplicant configuration tool that does not store admin credentials and ends with a GPO that ensures knowledge of that VLAN gets wiped.

Randy

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ding, Shiling
Sent: Wednesday, April 06, 2011 3:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

How does the machine authentication work with the separate SSID?

Shiling
********************************************************
Shiling Ding, CCIE
sd...@fsu.edu
Network Specialist
Information Technology Services
Florida State University
********************************************************

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Randall C Grimshaw
Sent: Wednesday, April 06, 2011 2:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

In order to get AD GPO deployment to work, we built a separate SSID that does machine authentication (not the same as MAC authentication); the machine must be joined to an AD domain to gain access to this SSID. But the GPO happens independently and prior to user authentication, as you would expect on a wired connection. User authentication is required to gain access to the machine and satisfies both network and machine access control.

Randy

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Wednesday, April 06, 2011 1:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

I've been researching this too because we have lab computers that are wireless only. The issue is that the machine has to be on the network before the user logs in. Since they have never been on the machine before there are no cached credentials. Seems like we have different problems for the same reason.

What I found is that I can solve this two ways. I can have the computer authenticate via a cert before the user authenticates. I can assign certs via GPO so that would be pretty straightforward. I ran it by our wireless vendor and they have a MAC-auth option for the computer so I do not have to build out the certificate infrastructure. If I enable MAC-auth on my 802.1x network the computer will authenticate via its MAC address so it will be on the network when the user goes to log on. Then when the user logs on they will have to present their credentials to 802.1x to actually access the network. I have not tried it yet so I do not know how that works. My guess is that with the MAC auth I will set a policy that only allows the computer to get an IP address and talk to AD for authentication. Once 802.1x auth happens the user gets another policy that lets them do more.

John Kaftan
Infrastructure Manager
Utica College
315.792.3102

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike King
Sent: Wednesday, April 06, 2011 1:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

There are a couple of ways to proceed.

I've seen many people say they need to enable the following GPO: Computer Configuration > Administrative Templates > System > Logon > Always wait for the network at startup and logon. Note this will slow down your network login, and I'm not sure if you can log in if no network is available. Test in your environment.

Other times, I've seen people put some kind of delay in the boot process (I'm not sure how, but it was using a GPO, maybe third party).

Mike

On Wed, Apr 6, 2011 at 12:22 PM, Benjamin Stewart <bstew...@salemstate.edu> wrote:

No, there is no connectivity until the user logs on. We assign dynamic VLANs through RADIUS on our Xirrus wireless arrays. I'm not sure we'd want to assign VLANs based on computer; we'd like to keep control user based.

Ben

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike King
Sent: Wednesday, April 06, 2011 11:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

Ben,

Do you have your workstations configured to allow computer account logons to wireless? (I.e., does the machine have connectivity while it's sitting at the CTRL-ALT-DEL prompt?)

Mike

On Wed, Apr 6, 2011 at 10:24 AM, Benjamin Stewart <bstew...@salemstate.edu> wrote:

Hi,

I'm wondering if anyone has had any luck pushing an MSI software deployment with Group Policy on wireless stations with 802.1x authentication (WPA2 Enterprise). The problem seems to be that the supplicant is not processed until after the user logs in to Windows. I'm assuming the delay in processing the authentication and assigning the IP address is too long, and the Group Policy Software Installation is not processed at login. Any help would be greatly appreciated.

Ben
======================
Benjamin Stewart
ITS - Networking Services
Salem State University
71 Loring Ave
Salem, MA 01970
Phone: 978-542-7142
Fax: 978-542-6557

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
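The question Mike asks in the thread (is the workstation configured so the computer account authenticates to the wireless network before anyone logs on?) can be answered on the client itself. The following PowerShell is an added example, not code from any of the posters: it exports the named WLAN profile with netsh, reads whether 802.1X is enabled and whether the supplicant's authMode allows machine authentication, checks the registry value that the "Always wait for the network at computer startup and logon" policy sets, and counts machine certificates with the Client Authentication EKU (what the certificate-based computer authentication John mentions would rely on). The profile name "Corp-WPA2E" is a hypothetical placeholder; run it from an elevated prompt on a domain-joined client.

```powershell
# Added example: inspect a Windows client for computer-account (machine) 802.1X
# readiness on a WPA2-Enterprise SSID. Not from the thread; "Corp-WPA2E" is assumed.
function Test-MachineAuthWlan {
    param([Parameter(Mandatory = $true)][string]$ProfileName)

    # Export the named profile (without the key) to a scratch folder and parse its XML.
    $tmp = Join-Path $env:TEMP ("wlan-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $tmp | Out-Null
    try {
        netsh wlan export profile name="$ProfileName" folder="$tmp" | Out-Null
        $file = Get-ChildItem -Path $tmp -Filter '*.xml' | Select-Object -First 1
        if (-not $file) { throw "No WLAN profile '$ProfileName' (list them with: netsh wlan show profiles)" }
        [xml]$wlan = Get-Content -Path $file.FullName
    } finally {
        Remove-Item -Recurse -Force $tmp -ErrorAction SilentlyContinue
    }

    $sec      = $wlan.WLANProfile.MSM.security
    $useOneX  = ([string]$sec.authEncryption.useOneX) -eq 'true'
    $authMode = [string]$sec.OneX.authMode          # machine | user | machineOrUser | '' if absent
    $connMode = [string]$wlan.WLANProfile.connectionMode   # must be "auto" to connect before logon

    # The "Always wait for the network at computer startup and logon" policy
    # writes SyncForegroundPolicy=1 under the Winlogon policy key.
    $winlogon = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $syncFg   = (Get-ItemProperty -Path $winlogon -Name SyncForegroundPolicy -ErrorAction SilentlyContinue).SyncForegroundPolicy

    # Machine certificates carrying the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2)
    # with a private key are what EAP-TLS computer authentication would present.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and (
            $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }
        ) -contains $clientAuthOid
    }

    [pscustomobject]@{
        Profile                = $ProfileName
        Uses8021X              = $useOneX
        AuthMode               = if ($authMode) { $authMode } else { '(not set in profile)' }
        ConnectsAutomatically  = ($connMode -eq 'auto')
        AlwaysWaitForNetwork   = ($syncFg -eq 1)
        MachineClientAuthCerts = @($machineCerts).Count
        # Connectivity at the CTRL-ALT-DEL prompt needs 802.1X with an authMode that
        # includes the machine, on a profile that connects without a user present.
        MachineAuthPossible    = ($useOneX -and ($authMode -in @('machine', 'machineOrUser')) -and ($connMode -eq 'auto'))
    }
}

Test-MachineAuthWlan -ProfileName 'Corp-WPA2E' | Format-List
```

If MachineAuthPossible is false the supplicant will not bring the link up until a user logs on, so software-installation GPOs have nothing to run over at boot regardless of the "Always wait for the network" setting; that policy only makes Windows wait for a link the supplicant is already able to establish. The RADIUS side (allowing computer accounts or machine certificates, and any VLAN steering) still has to be checked on the controller and authentication server, which this script cannot see.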