I'm building 802.1X for wired authentication in a Cisco environment. For machines already joined to the domain, with an established user account (cert) on the machine, everything works great. The machine is placed in the correct VLAN for the user, based on role.
If I connect a domain-joined machine before logging in, machine authentication works, and the port is placed in the correct access VLAN. If a new user without a local profile and cert then tries to log in, it can't contact the domain to build the new user profile.
We have a lot of DCs, so I'd rather not add them all to the default port ACL in the switchports. Is there a document that covers allowing machine-authenticated computers to communicate with AD to build the profile, and then (I would assume) cause a re-auth in 802.1X?
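One way to approach the scenario described in the question, as an added illustration rather than anything from the original poster: instead of listing every DC in the per-port default ACL, the RADIUS server returns a named ACL (via the Cisco `Filter-Id` convention, ACL name plus `.in`) only for the machine-authentication authorization, restricting the host to the AD services it needs for profile creation; when the Windows supplicant switches to user credentials at logon, the port re-authorizes and the user's role VLAN/ACL replaces it. The DC subnet `10.1.0.0/24`, the ACL name, the interface and the RADIUS attribute value are assumptions for this example.

```cisco
! Switch-side ACL referenced by the RADIUS authorization for MACHINE auth only.
! Assumes all domain controllers live in 10.1.0.0/24 (placeholder subnet).
ip access-list extended MACHINE-AUTH-AD
 remark DNS - locating DCs via SRV records
 permit udp any 10.1.0.0 0.0.0.255 eq 53
 permit tcp any 10.1.0.0 0.0.0.255 eq 53
 remark Kerberos - machine/user ticket requests
 permit udp any 10.1.0.0 0.0.0.255 eq 88
 permit tcp any 10.1.0.0 0.0.0.255 eq 88
 remark LDAP (and LDAP ping over UDP) - DC locator, group policy lookup
 permit tcp any 10.1.0.0 0.0.0.255 eq 389
 permit udp any 10.1.0.0 0.0.0.255 eq 389
 remark SMB - SYSVOL/NETLOGON for profile and group policy files
 permit tcp any 10.1.0.0 0.0.0.255 eq 445
 remark RPC endpoint mapper and dynamic RPC ports (Netlogon secure channel)
 permit tcp any 10.1.0.0 0.0.0.255 eq 135
 permit tcp any 10.1.0.0 0.0.0.255 range 49152 65535
 remark DHCP and NTP so the host can get an address and keep Kerberos time
 permit udp any eq bootpc any eq bootps
 permit udp any 10.1.0.0 0.0.0.255 eq 123
 remark Everything else (file servers, printers, internet) stays blocked until user auth
 deny ip any any

interface GigabitEthernet1/0/1
 switchport mode access
 authentication host-mode single-host
 authentication port-control auto
 ! Let the RADIUS server drive reauthentication instead of a fixed timer
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator

! RADIUS side (ISE/NPS policy, shown as the returned attribute, not IOS syntax):
!   Machine-auth rule (host/ identity)  -> Filter-Id = MACHINE-AUTH-AD.in
!   User-auth rule (user cert/identity) -> Tunnel-Private-Group-ID = <role VLAN>
```

The supplicant must be configured for "User or computer authentication" so that the user logon starts a new EAP session; that re-authentication is what replaces the restrictive machine ACL with the user's authorization.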