Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba Controller, ClearPass, and 802.1x Authentication

  • 1.  Aruba Controller, ClearPass, and 802.1x Authentication

    Posted May 08, 2014 02:30 PM

    I'm trying to set up 802.1x authentication via ClearPass.  I have "enforce machine authentication" set up on the controller and all the "termination" settings unchecked to let the request go to the backend ClearPass RADIUS server.  When I boot my laptops (trying on multiple), they sit at the login screen with the wireless adaptor enabled, but I'm not seeing any hits against the ClearPass for machine authentication.  If I then log into the PCs, I'm able to authenticate the wireless with user authentication via EAP-TLS with an internal cert fine.  Even if the machine authentication were failing, wouldn't I still see hits on the ClearPass Access Tracker screen?



  • 2.  RE: Aruba Controller, ClearPass, and 802.1x Authentication

    Posted May 08, 2014 03:17 PM

    Turn off enforce machine auth on the controller and use the machine authenticated role in the enforcement policy.



  • 3.  RE: Aruba Controller, ClearPass, and 802.1x Authentication

    Posted May 12, 2014 12:47 PM

    One other thing that you can check is that the wireless profile for your secure SSID is loaded for all users and not just the current user.

    You can check this using the following command:

    netsh wlan show profiles

    The wireless profile should be listed for "All User Profile".

    If the SSID profile is loaded for current user then the machine will never attempt to auth when on the Ctrl-Alt-Delete screen, at least in my experience.



  • 4.  RE: Aruba Controller, ClearPass, and 802.1x Authentication

    Posted May 12, 2014 12:48 PM

    Ok, tried after removing the "enforce machine authentication" check off the controller itself.  Rebooted both testing laptops.  I'm not seeing any hits against ClearPass.



  • 5.  RE: Aruba Controller, ClearPass, and 802.1x Authentication

    Posted May 12, 2014 12:50 PM

    The SSID is showing up as listed for All User Profile.  It's the top profile listed as well.  Would there possibly be another setting on the PC that I'm missing that would cause it to not try and do the machine authentication over wireless?



  • 6.  RE: Aruba Controller, ClearPass, and 802.1x Authentication

    Posted May 12, 2014 01:04 PM

    Check that your profile is set up so that your device will connect to it automatically. And make sure that you do not have any competing wireless profiles that are set to connect automatically that are in range. It is possible that another SSID is taking precedence. So your device is connecting, but to the wrong SSID.

    Also make sure that in your wireless profile it is set to use User or computer authentication.

    This can be found under the [profile name] Wireless Network Properties > Security > Advanced Settings



  • 7.  RE: Aruba Controller, ClearPass, and 802.1x Authentication
    Best Answer

    Posted May 12, 2014 01:13 PM

    I've deleted all the other wireless profiles.  The one in particular is set to automatically connect when in range.  The security option is set for "User or Computer Authentication".  I currently have SSO disabled as I won't be switching vlans, just roles given.  The wireless adaptor is enabled.  Even if the authentication was failing, I would think that ClearPass should be showing a failure in the Access Tracker right?  I'm starting to wonder if this is more of a Microsoft problem?  Has anyone else seen this issue before?



  • 8.  RE: Aruba Controller, ClearPass, and 802.1x Authentication

    Posted May 12, 2014 01:18 PM

    Yes, you would see the request hitting the CPPM and failing. If you are seeing nothing then it means that the machine isn't attempting to authenticate. Do you know if the machine is able to get an IP?

    If you check on the controller, do you see it connected? It could be that in the machine role you are assigning, it doesn't have access to the CPPM.



  • 9.  RE: Aruba Controller, ClearPass, and 802.1x Authentication

    Posted May 12, 2014 01:25 PM

    I don't think it's getting an IP as I'm not able to ping the PC name.  I tried changing the Initial AAA role to fully authenticated (basically full access).  Rebooted the laptop.  Still not seeing any hits on ClearPass.



  • 10.  RE: Aruba Controller, ClearPass, and 802.1x Authentication

    Posted May 12, 2014 01:48 PM

    Hmm, that is really strange.

    It sounds like everything you have set up is correct.

    Since you are not getting anything in the Access Tracker it would suggest that the computer isn't even attempting to connect.

    I will go through the configs on one of our laptops and make sure there isn't anything obvious we've missed.



  • 11.  RE: Aruba Controller, ClearPass, and 802.1x Authentication

    Posted May 12, 2014 02:18 PM

    For the wireless profile under security... is the authentication method set for Microsoft: Smart Card or other certificate?

    If so, I have done a test and noticed that the machine will not attempt to do machine auth with this setting.

    If you set it to Microsoft: Protected EAP (PEAP) then it will. This doesn't sound like what you want though.

    I haven't done very much testing with using a certificate and machine auth.



  • 12.  RE: Aruba Controller, ClearPass, and 802.1x Authentication

    Posted May 12, 2014 02:15 PM

    I think I might've figured it out.  I switched over to PEAP to troubleshoot and it started doing machine authentication.  So I'm thinking there's a problem with the machine cert.


    Thanks for everyone's responses!
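
The client-side checks raised in this thread (automatic connection, "User or computer authentication", the EAP method, and the machine certificate the last post suspects), collected into one script as an added example that is not part of the original thread. The profile XML is constructed sample data, the function names are hypothetical, and the certificate check assumes EAP-TLS computer authentication draws on the Local Computer Personal store.

```powershell
# Added example (not from the thread). $sample is a constructed profile shaped
# like the file written by: netsh wlan export profile name="<SSID>" folder=<dir>
$sample = [xml]@'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ExampleSecureSSID</name>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>user</authMode>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
'@

function Test-WlanMachineAuth {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$ProfileXml)
    # local-name() sidesteps the separate WLAN, OneX and EAP namespaces.
    $read = { param($xpath) $n = $ProfileXml.SelectSingleNode($xpath)
              if ($n) { $n.InnerText.Trim() } }
    $mode = & $read "//*[local-name()='connectionMode']"
    $auth = & $read "//*[local-name()='authMode']"
    $eap  = & $read "//*[local-name()='EapMethod']/*[local-name()='Type']"
    $findings = @()
    if ($mode -ne 'auto') { $findings += "connectionMode '$mode': no automatic connect at the logon screen" }
    if ($auth -in 'user','guest') { $findings += "authMode '$auth': computer authentication is not enabled" }
    if ($eap -eq '13') { $findings += 'EAP-TLS: needs a valid computer certificate (see Get-MachineClientAuthCert)' }
    [pscustomobject]@{
        ConnectionMode = $mode
        AuthMode       = $auth
        EapMethod      = switch ($eap) { '13' {'EAP-TLS'} '25' {'PEAP'} default {"type $eap"} }
        Findings       = $findings
    }
}

function Get-MachineClientAuthCert {   # hypothetical helper name
    # Assumption: computer auth uses LocalMachine\My; 1.3.6.1.5.5.7.3.2 = Client Authentication.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2'
    }
}

Test-WlanMachineAuth -ProfileXml $sample | Format-List
Get-MachineClientAuthCert | Select-Object Subject, NotAfter, Thumbprint
```

An empty result from the second command means no unexpired computer certificate with a private key and the Client Authentication EKU was found; certificates that carry no EKU extension at all are not listed by this filter and need a manual look.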