Hi All,
I recently enabled machine authentication enforcement to keep guest users off of our corporate SSID. Machines get dropped into an appropriate role when they boot, and switch over to a user role when someone logs in... If users log in to a device that doesn't exist in AD they get dropped into a 3rd role.
The problem I'm having is with devices logging in that don't exist in AD. These devices are getting placed into the role defined as the "Machine Authentication: Default User Role" even though I've defined conditions under the radius server group that should place them into a specific role.
Here's part of the debug log:
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=TestIAS
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 IP=0.0.0.0 Derived role 'COWS' from server rules: server-group=sg-auth-dot1x, authentication=8021x-User
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 def_vlan 1 derive vlan: 0 auth_type 11 auth_subtype 11
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 Station authenticated: method=8021x-User, role=BYOD, VLAN=1/1/0
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 def_vlan 1 derive vlan: 0 auth_type 11 auth_subtype 11
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 Station authenticated: method=8021x-User, role=BYOD, VLAN=1/1/0
If I'm reading this right, the machine authenticates, gets the role of COWS (which is what I want), then is switched into BYOD.
What might be going on here?
Thanks
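
An added example, not part of the original post: a Python check that pairs each "Derived role" line with the later "Station authenticated" lines for the same MAC and reports stations that ended up in a different role than the server rules derived. The regular expressions assume the authmgr line layout shown in the excerpt above; the function and field names are hypothetical.

```python
import re

# Log lines copied from the excerpt in the post above.
SAMPLE_LOG = """\
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=TestIAS
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 IP=0.0.0.0 Derived role 'COWS' from server rules: server-group=sg-auth-dot1x, authentication=8021x-User
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 def_vlan 1 derive vlan: 0 auth_type 11 auth_subtype 11
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 Station authenticated: method=8021x-User, role=BYOD, VLAN=1/1/0
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 def_vlan 1 derive vlan: 0 auth_type 11 auth_subtype 11
Jan 5 11:17:26 authmgr MAC=00:12:f0:13:b8:e7 Station authenticated: method=8021x-User, role=BYOD, VLAN=1/1/0
"""

MAC = r"MAC=(?P<mac>[0-9A-Fa-f:]{17})"
# Role chosen by the server-group derivation rules.
DERIVED_RE = re.compile(
    MAC + r" .*Derived role '(?P<role>[^']+)' from server rules: "
    r"server-group=(?P<group>[^,]+)")
# Role the station was actually placed in.
ASSIGNED_RE = re.compile(
    MAC + r" Station authenticated: method=(?P<method>[^,]+), role=(?P<role>[^,]+)")


def find_role_overrides(log_text):
    """Return one finding per (MAC, derived role, assigned role) mismatch."""
    derived = {}    # mac -> (role, server group) from the latest derivation
    findings = {}   # (mac, derived, assigned) -> finding, in first-seen order
    for line in log_text.splitlines():
        m = DERIVED_RE.search(line)
        if m:
            derived[m["mac"].lower()] = (m["role"], m["group"])
            continue
        m = ASSIGNED_RE.search(line)
        if not m:
            continue
        mac = m["mac"].lower()
        if mac in derived and derived[mac][0] != m["role"]:
            role, group = derived[mac]
            finding = findings.setdefault((mac, role, m["role"]), {
                "mac": mac, "server_group": group, "derived_role": role,
                "assigned_role": m["role"], "method": m["method"], "count": 0})
            finding["count"] += 1   # repeated log lines are counted, not duplicated
    return list(findings.values())


if __name__ == "__main__":
    for f in find_role_overrides(SAMPLE_LOG):
        print("{mac}: server rules derived '{derived_role}' ({server_group}) "
              "but station placed in '{assigned_role}' x{count}".format(**f))
```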