Community,
I have the "Enforce Machine Auth" setting enabled for one of my WLANs, with my Windows NPS scenario as follows:
-Policy 1 handles the machine authentication portion. When the machine boots up, it sends an 802.1x "machine" request. If the machine is found in Active Directory, the NPS RADIUS will send an "authenticated/allow access" message back, satisfying the "enforce machine auth" requirement.
-Policy 2 handles the user auth portion. When the user enters their username/password, the Windows machine will switch the 802.1x "state" from Machine to User Auth and it will then send a user auth; this policy will see that the user is in AD and send an "authenticated/allow" message as well as send some other RADIUS parameters (VLAN ID).
This is working well for Windows domain machines, but what I'm noticing is that when I try to connect a non-domain machine like my cell phone, even with enforce machine auth enabled, my phone is still able to connect to the WLAN. I thought enforcing machine auth was supposed to prevent devices that don't have a valid machine auth from connecting altogether? Am I misunderstanding how machine auth works? When I look at the client connections on the controller, the cell phone has a state of 802.1x-User. I am noticing, however, that the cell phone is not getting an IP address, so in essence it's not able to traverse our network, but my concern is that the controller is still allowing it to connect to the SSID even without a valid machine auth. My company does not want non-domain machines connecting to our 802.1x enabled SSID. Any suggestions? Thanks.