We have a business requirement to only allow corporate users to connect to the corporate wireless if they are using a corporate machine and they are a valid corporate user. Sounds normal.
Our Windows devices are set to "computer or user auth".
When the device boots and is not wired to the network, it machine auths ok, and the [machine auth] entry sits in the table.
When the device boots and is on the wired network, the wireless never kicks in - as expected.
When a user logs into a device that has booted (and been machine authed) on the wireless network, then their AD credentials are checked, and the [machine auth] and [user auth] roles are checked, and then they are allowed to connect - perfect. And when they log off again, the device goes back to [machine auth]; again - perfect.
If a user tries to use their AD credentials to logon to the wireless using a non-domain joined device (e.g. Macbook), the access is denied because there is no [machine auth] record for that device - perfect.
However (and this is where it all falls over), IF the device boots connected to the wired network, and has not booted on the wireless network for longer than "cache-time" (or ever), then there is NO valid [machine auth] role for that device. When the user logs onto that device (on the wired network), no wireless auth is done - ok. IF the user then undocks the device, the wireless will kick in and authenticate the user, which will be against their AD credentials, and the authentication will be ok. BUT, because there is no [machine auth] role in the cache for the device, access will be denied to the network, and the user's session will be cut off with a "no wireless access" symptom, even though the device is working fine, and if they dock the device again, the network will burst back into life.
As far as we have been able to determine, the only way to get this user's wireless to work on this device is to get them to log off the device when they undock, forcing a wireless machine authentication, and then get the user to log back in again (cue screams and wails from the end users).
Any ideas?
Ross
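The behaviour described in the post can be reproduced with a small model of the policy: a machine-auth cache keyed by client MAC with a cache-time TTL, and a wireless enforcement rule that grants access only when both a live [machine auth] entry and a successful [user auth] are present. This is an added example, not code from the post or from any NAC vendor; the cache structure, the `CACHE_TIME` value, the MAC addresses and the `stale_devices` helper are all constructed assumptions for illustration.

```python
"""Model of a 'computer or user auth' wireless policy with a machine-auth cache.

Constructed example. Assumptions: the NAC caches a successful computer
(machine) authentication per client MAC for CACHE_TIME seconds, and the
wireless policy grants access only when a [user auth] succeeds AND a
non-expired [machine auth] entry exists for the same MAC.
"""
from dataclasses import dataclass, field
from typing import Dict, List

CACHE_TIME = 24 * 3600  # assumed cache-time: 24 hours, in seconds


@dataclass
class MachineAuthCache:
    ttl: int = CACHE_TIME
    entries: Dict[str, float] = field(default_factory=dict)  # mac -> time of last machine auth

    def record(self, mac: str, now: float) -> None:
        self.entries[mac] = now

    def is_valid(self, mac: str, now: float) -> bool:
        seen = self.entries.get(mac)
        return seen is not None and now - seen <= self.ttl


@dataclass
class Device:
    mac: str
    domain_joined: bool


@dataclass
class AuthResult:
    roles: List[str]
    access: bool
    reason: str


def machine_auth(device: Device, cache: MachineAuthCache, now: float) -> bool:
    """Computer auth at boot: only a domain-joined machine holds a machine credential."""
    if device.domain_joined:
        cache.record(device.mac, now)
        return True
    return False


def boot(device: Device, cache: MachineAuthCache, now: float, wired: bool) -> None:
    """On boot the wireless supplicant only runs (and machine-auths) when not wired."""
    if not wired:
        machine_auth(device, cache, now)


def wireless_auth(device: Device, cache: MachineAuthCache, now: float,
                  user_valid: bool, logged_in: bool) -> AuthResult:
    """Evaluate one wireless 802.1X request under 'computer or user auth'."""
    roles: List[str] = []
    if not logged_in:
        # No interactive user: the supplicant sends computer credentials.
        if machine_auth(device, cache, now):
            roles.append("[machine auth]")
            return AuthResult(roles, True, "machine auth only")
        return AuthResult(roles, False, "machine auth failed")
    # A user is logged on: the supplicant sends the user's AD credentials.
    if not user_valid:
        return AuthResult(roles, False, "user credentials rejected")
    roles.append("[user auth]")
    if cache.is_valid(device.mac, now):
        roles.append("[machine auth]")
        return AuthResult(roles, True, "user auth plus cached machine auth")
    return AuthResult(roles, False, "no valid [machine auth] entry in cache")


def stale_devices(cache: MachineAuthCache, now: float) -> List[str]:
    """Defender-side check: MACs whose cached machine auth has expired (hypothetical helper)."""
    return sorted(mac for mac in cache.entries if not cache.is_valid(mac, now))


def run_scenarios() -> Dict[str, AuthResult]:
    cache = MachineAuthCache()
    laptop = Device("02:00:00:00:00:01", domain_joined=True)    # constructed MAC
    macbook = Device("02:00:00:00:00:02", domain_joined=False)  # constructed MAC
    results: Dict[str, AuthResult] = {}

    # 1. Boot on wireless (machine auth cached), then user logs in: both roles, allowed.
    t = 0
    boot(laptop, cache, t, wired=False)
    results["wireless_boot_then_login"] = wireless_auth(laptop, cache, t + 60, True, True)

    # 2. Non-domain device with valid AD credentials: no [machine auth] entry, denied.
    results["macbook"] = wireless_auth(macbook, cache, t + 60, True, True)

    # 3. Boot wired after the cache entry has expired, log in, then undock:
    #    the user auth passes but the missing [machine auth] role denies access.
    t = CACHE_TIME + 1000
    boot(laptop, cache, t, wired=True)
    results["wired_boot_then_undock"] = wireless_auth(laptop, cache, t + 60, True, True)

    # 4. The workaround from the post: log off (machine auth on wireless refreshes
    #    the cache), then log back in.
    results["after_logoff"] = wireless_auth(laptop, cache, t + 120, True, False)
    results["after_relogin"] = wireless_auth(laptop, cache, t + 180, True, True)
    return results


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:26} access={result.access!s:5} roles={result.roles} ({result.reason})")
```

Running the block prints the four outcomes from the post; scenario 3 is the failing one, where the roles list holds only `[user auth]`. The `stale_devices` helper is the kind of check an operator could run against their own cache table to spot devices that will hit this condition on their next undock.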