We are working on this for a few of our laptop lab environments as well. We do have the requirement to allow users to log in against AD for the first time. Machine auth is currently out as we've offloaded EAP from NPS to the controllers, and my understanding is that this will not allow for machine-based auth.
I've got it working most of the time, with the exception of the occasional login attempt failure due to no available DCs (normally right after boot), but a subsequent login attempt works just fine. I'm just bothered that it claims not to connect to the SSID but does seconds later. Is anyone else seeing this behavior?
I have also tried enabling the local security/gp: "Always wait for the network at computer startup and logon" which seems to not make much sense.
Admittedly, I've found there are some known issues with this approach on Win 7 - I am curious if there are other things we've missed and/or solutions others have found to the issues below:
- Immediately after Ctrl-Alt-Del, you'll get prompted to select "Other user", which is a seemingly unnecessary step.
- There will be implications to Computer Level GPOs being applied. If the machine isn't connected to the network on boot, it may take some time and reboots to receive the GPO and subsequently apply computer level settings.
- Occasional reported 'miss'/no DC error connecting to wireless on first attempt
On the other hand:
- As pointed out, the only people getting onto the network and assigned a role are authenticated users.
- You don't have clients that have been powered on but not in use connected to your network and/or using spectrum.
This is one of the better written articles I've found:
http://technet.microsoft.com/en-us/magazine/2007.11.cableguy.aspx
I am curious to hear about the experiences of others taking the 802.1X with NPS and Windows 7 single sign-on approach.
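An added audit example, not code from the post above: it parses a constructed Windows 7 WLAN profile (the shape "netsh wlan export profile" produces, trimmed to the 802.1X/OneX block) and reports the settings that drive the behaviour described here: authMode (user-only vs machine), the pre-logon single sign-on type and its maxDelay, plus the registry value behind "Always wait for the network at computer startup and logon". The SSID, profile name and maxDelay value are assumptions.

```powershell
# Constructed sample profile (assumption: names/values are not from the post).
# EAPConfig is omitted because it is not needed for this check.
$SampleProfileXml = [xml]@'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWifi-SSO</name>
  <SSIDConfig><SSID><name>CorpWifi</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication><encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>user</authMode>
      <singleSignOn>
        <type>preLogon</type>
        <maxDelay>5</maxDelay>
        <allowAdditionalDialogs>false</allowAdditionalDialogs>
        <userBasedVirtualLan>false</userBasedVirtualLan>
      </singleSignOn>
    </OneX>
  </security></MSM>
</WLANProfile>
'@

function Get-OneXSsoReport {
    param([Parameter(Mandatory)][xml]$Profile)
    $ns = New-Object System.Xml.XmlNamespaceManager($Profile.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    $ns.AddNamespace('x', 'http://www.microsoft.com/networking/OneX/v1')
    $oneX = $Profile.SelectSingleNode('/w:WLANProfile/w:MSM/w:security/x:OneX', $ns)
    if (-not $oneX) { return [pscustomobject]@{ Findings = @('No OneX block: 802.1X is not configured') } }
    $authMode = $oneX.SelectSingleNode('x:authMode', $ns).InnerText
    $sso      = $oneX.SelectSingleNode('x:singleSignOn', $ns)
    $ssoType  = if ($sso) { $sso.SelectSingleNode('x:type', $ns).InnerText } else { 'none' }
    $maxDelay = if ($sso) { [int]$sso.SelectSingleNode('x:maxDelay', $ns).InnerText } else { $null }
    $findings = @()
    if ($authMode -eq 'user') {
        $findings += 'authMode=user: the machine has no network before a user logs on, so computer GPOs cannot apply at startup'
    }
    if ($ssoType -eq 'preLogon' -and $maxDelay -lt 10) {
        $findings += "maxDelay=${maxDelay}s is short; logon may fail with 'no DC available' before the 802.1X exchange finishes"
    }
    [pscustomobject]@{
        Profile  = $Profile.SelectSingleNode('/w:WLANProfile/w:name', $ns).InnerText
        AuthMode = $authMode; SsoType = $ssoType; MaxDelay = $maxDelay; Findings = $findings
    }
}

function Get-WaitForNetworkPolicy {
    # "Always wait for the network at computer startup and logon" is stored as SyncForegroundPolicy (1 = enabled).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $v = (Get-ItemProperty -Path $key -Name SyncForegroundPolicy -ErrorAction SilentlyContinue).SyncForegroundPolicy
    if ($v -eq 1) { 'enabled' } elseif ($null -eq $v) { 'not configured' } else { 'disabled' }
}

Get-OneXSsoReport -Profile $SampleProfileXml | Format-List
"Always wait for the network: $(Get-WaitForNetworkPolicy)"
```

To audit a real machine, export the profile with `netsh wlan export profile name="<profile>" folder=<dir>` and pass the file contents to Get-OneXSsoReport instead of the constructed sample.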