Hi all,
We've rolled out EAP-TLS authentication (moving away from EAP-PEAP) to our managed devices and all is working successfully apart from one specific scenario, that is new users logging onto a laptop for the first time via wireless. A search has shown that I'm not the only one to hit this and it's pretty much a race condition with Windows not having the user cert to get on the network, to get the cert it needs to get on the network.
The SSID accepts both machine and user certificates for connection, so the observed behaviour is that Windows boots to login screen and connects using the machine cert. It then uses this to contact domain controllers to authenticate but at some point shortly after, tries to switch to the user cert, fails as that's not present and doesn't just fall back to the machine cert (because that would be far too sensible).
Of course to really confuse matters one in every three or four attempts actually works and the user cert is pulled from our AD and the machine happily switches over to using it. So definitely seems like a race condition to me.
My question is has anyone successfully got past this? The recommendation was always to revert to EAP-PEAP but we're trying to move away from it so that's not an option. Did people find a magic Windows setting? Did people use a different supplicant to the Windows one? Did they just give up and tell people to wire for their first login?
Thanks in advance,
Luke
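The two facts that decide whether the switch-over described above can succeed are the profile's OneX `authMode` (which is what tells the supplicant to move from machine to user authentication) and whether the logged-on user actually holds a usable client-authentication certificate yet. The PowerShell below is an added diagnostic written for this thread, not something from the original post or from Microsoft; it assumes the standard Windows WLAN profile XML schema (the `authMode` element lives in the `http://www.microsoft.com/networking/OneX/v1` namespace and defaults to `machineOrUser` when absent), and it treats a cert as usable when it sits in `Cert:\CurrentUser\My`, has a private key, is unexpired and carries the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2). The embedded profile fragment is constructed for the example, with SSID and EAP settings elided.

```powershell
# Added diagnostic for the EAP-TLS first-logon scenario (not from the original post).
# Assumptions: standard WLAN profile XML schema; OneX authMode defaults to machineOrUser.

function Get-WlanAuthMode {
    # Returns the OneX authMode (machine, user or machineOrUser) from a profile XML document.
    param([Parameter(Mandatory)][xml]$ProfileXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($ProfileXml.NameTable)
    $ns.AddNamespace('onex', 'http://www.microsoft.com/networking/OneX/v1')
    $node = $ProfileXml.SelectSingleNode('//onex:OneX/onex:authMode', $ns)
    if ($null -eq $node) { return 'machineOrUser' }   # schema default when the element is omitted
    return $node.InnerText
}

function Test-UserClientAuthCert {
    # $true when the current user already holds a cert the supplicant could present for EAP-TLS.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date
    $certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    })
    return ($certs.Count -gt 0)
}

function Test-FirstLogonRisk {
    # Reports whether this session is in the race window: the profile will try user auth,
    # but no user certificate has been auto-enrolled yet.
    param([Parameter(Mandatory)][xml]$ProfileXml)
    $mode = Get-WlanAuthMode -ProfileXml $ProfileXml
    $hasUserCert = Test-UserClientAuthCert
    [pscustomobject]@{
        AuthMode      = $mode
        UserCertFound = $hasUserCert
        AtRisk        = ($mode -ne 'machine') -and (-not $hasUserCert)
    }
}

# Constructed sample profile (shape only; real exports carry SSID, EAP method and CA settings).
[xml]$sampleProfile = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CORP-EAP-TLS</name>
  <MSM>
    <security>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
'@

Test-FirstLogonRisk -ProfileXml $sampleProfile | Format-List
```

To run it against a live profile instead of the constructed sample, export it first with `netsh wlan export profile name="CORP-EAP-TLS" folder="$env:TEMP"` and load the resulting file with `[xml](Get-Content "$env:TEMP\Wi-Fi-CORP-EAP-TLS.xml")`. A result of `AtRisk = True` at the first interactive logon is exactly the state the post describes: the supplicant will attempt user authentication while auto-enrollment has not yet delivered a certificate, so it is the condition to watch for before deciding whether to pin the profile to machine authentication until enrollment completes.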