I have an SSID that uses PEAP/MSCHAPv2 to authenticate users and machines against AD. Via GPO, we have configured all corporate devices for 'User or Machine authentication' and only allow users that have also been machine authenticated. So far so good.
New requirements:
1) Allow domain devices with local accounts logged in. These devices continually authenticate with local creds that are not in AD and are rejected. Even if I set a policy to allow these devices on via an attribute that I set, they still get login status REJECT even though the enforcement profile is "[Allow Access Profile]". Am I mixing up authentication with authorization? Any way to have just an endpoint attribute allow a device on the network?
2) Allow devices that are not even domain devices (iPads) but may have valid users. Similar situation as above.
If it helps, I'm working with Aruba APs and 3600/72xx controllers. Thanks for any tips/advice.