Hello!
Use case is that only certain domain computers should be allowed onto the network when logged out. Just honoring the request - not sure I agree with the need.
What works for PEAP doesn't seem to work for TEAP. Yes, it shows success on TEAP Method-1 (machine, giving the TEAP-MachineAuth Role below), but I cannot then also check a Security Group for computer membership. Seems as though even a blank, failed Method-2 (user) is what is passed for authorization and errors out or simply does not match. I even tried to cull that scenario out by checking that a Method-2 user even NOT_EXISTS, but that doesn't seem to ever match a blank, either.
I found an article suggesting adding a Source parameter called Machine memberOf, but that did not help.
Is there a way to selectively check AD for Method-1 ID alone?
Thanks!
------------------------------
Gary Hahn
------------------------------