10-27-2015 05:41 AM
A while back I set up a service that does machine based authentication against our AD service. This was so that we could use dynamic vlans on our switches to put a windoze device into one vlan when no-one is logged into it and into another based upon the user credentials via the login dialogue box. Part of the service selection was that the NAS-Port-Type was set to ethernet (15)
We then had a requirement for managed image laptops to perform machine based auth to get onto our wireless lan. As the only difference between an ethernet auth and a wireless auth is the value of the NAS-Port-Type attribute ( wireless 802.11=19) I modified my selection service to include NAS-Port-Type BELONGS_TO (Ethernet(15),Wireless 802.11(19)) See attached image
The problem was that it didn't work for wireless. The wired machine auth still worked, but the wireless version skipped this service and was caught by my "deny all" service at the end of the list.
I then dupolicated the above service but replaced the NAS-Port-Type..... line with an NAS-Port-Type EQUALS Wireless-802.11(19) and a machine auth for wirless access worked.
So why did the shown config above not work?