Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Authentication with just an attribute?

  • 1.  Authentication with just an attribute?

    Posted Sep 05, 2017 11:43 PM

    I have an SSID that uses PEAP/MSCHAPv2 to authenticate users and machines against AD. Via GPO, we have configured all corporate devices for 'User or Machine authentication' and only allow users that have also been machine authenticated. So far so good.


    New requirements:

    1) Allow domain devices with local accounts logged in. These devices continually authenticate with local creds that are not in AD and are rejected. Even if I set a policy to allow these devices on via an attribute that I set, they still get login status REJECT even though the enforcement profile is "[Allow Access Profile]". Am I mixing up authentication with authorization? Any way to have just an endpoint attribute allow a device on the network?

    2) Allow devices that are not even domain devices (iPads) but may have valid users. Similar situation as above.


    If it helps, I'm working with Aruba APs and 3600/72xx controllers. Thanks for any tips/advice.



  • 2.  RE: Authentication with just an attribute?
    Best Answer

    EMPLOYEE
    Posted Sep 05, 2017 11:47 PM

    With 802.1X, authentication must pass before moving on to authorization. Unfortunately the situation you're referencing is common and is a limitation within the Computer + User logic in the Windows supplicant.


    The only real option for any of these scenarios is to move away from the legacy PEAPv0/EAP-MSCHAPv2 and move over to EAP-TLS, where you can build trust boundaries and move away from the legacy password construct.
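    A toy model of the ordering described in this answer, added here as an example rather than code from the thread or from ClearPass. Every account, MAC, CA name and endpoint attribute in it is constructed; it illustrates why an endpoint attribute cannot rescue a failed PEAP/MSCHAPv2 login (the enforcement policy is never reached), while an EAP-TLS certificate from a trusted CA carries the trust instead.

```python
"""Constructed model of a NAC decision: authentication gates authorization."""
from dataclasses import dataclass

# Constructed sample directory data and trust anchor (not from the thread).
AD_USERS = {"corp\\alice": "pw-alice"}
AD_MACHINES = {"host/LAPTOP01": "machine-secret"}
TRUSTED_CA = "Corp-Issuing-CA"
# Constructed endpoint attribute an admin might set in the endpoint repository.
ENDPOINT_ATTRS = {"aa:bb:cc:00:00:01": {"Allowed": "true"}}


@dataclass
class Request:
    mac: str
    eap: str                      # "PEAP-MSCHAPv2" or "EAP-TLS"
    identity: str = ""
    password: str = ""
    cert_issuer: str = ""         # EAP-TLS only
    machine_authenticated: bool = False


def authenticate(req: Request) -> bool:
    """Phase 1: prove the credential. A local (non-AD) account can never pass PEAP here."""
    if req.eap == "PEAP-MSCHAPv2":
        return {**AD_USERS, **AD_MACHINES}.get(req.identity) == req.password
    if req.eap == "EAP-TLS":
        return req.cert_issuer == TRUSTED_CA   # chain validation, simplified
    return False


def authorize(req: Request) -> str:
    """Phase 2: enforcement policy. Only evaluated after authentication succeeded."""
    if req.eap == "EAP-TLS":
        return "[Allow Access Profile]"        # the trusted issuer is the trust boundary
    if ENDPOINT_ATTRS.get(req.mac, {}).get("Allowed") == "true":
        return "[Allow Access Profile]"
    if req.identity.startswith("host/") or req.machine_authenticated:
        return "[Allow Access Profile]"        # machine auth, or user on a machine-authed device
    return "[Deny Access Profile]"             # user-only PEAP, e.g. a valid user on an iPad


def evaluate(req: Request):
    """Returns (login status, enforcement profile or None if authentication failed)."""
    if not authenticate(req):
        return ("REJECT", None)                # endpoint attributes are never consulted
    profile = authorize(req)
    return ("ACCEPT" if profile == "[Allow Access Profile]" else "REJECT", profile)


if __name__ == "__main__":
    print(evaluate(Request("aa:bb:cc:00:00:01", "PEAP-MSCHAPv2", ".\\localadmin", "x")))
    print(evaluate(Request("aa:bb:cc:00:00:01", "EAP-TLS", "LAPTOP01", cert_issuer=TRUSTED_CA)))
```

    The first call rejects despite the "Allowed" attribute on that MAC; the second accepts because the certificate, not a password, established identity.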



  • 3.  RE: Authentication with just an attribute?

    Posted Sep 06, 2017 03:09 PM

    That is confirmation of what I suspected, not what I wanted to hear but what I needed to hear. Thanks Tim.