Hey,
Details:
SSID is using 802.1x auth.
Currently testing with laptops joined to an AD domain that are authenticating using PEAP and MSCHAPv2.
After learning about how the "Profiler" feature works that is available under Services I implemented it into a test Service.
I do a Role Mapping to identify which Endpoints have not been profiled:
(Authorization:[Endpoints Repository]:IsProfiled NOT_EXISTS )
I then have a rule in my Enforcement Policy that looks for this role and if it is found the machine is placed into a restricted role that gives access to get an IP address.
The Profiler feature then kicks in and sends the CoA back to the controller and forces the disconnect.
The machine then tries to reconnect and is processed by the same Enforcement Policy, but a different Enforcement Profile is applied. One of the profiles that gets applied is one that writes an attribute back into the Endpoints database for the particular Endpoint indicating that it is a "corporate" device. It basically means that it has successfully completed a machine auth at some point.
Where I get into trouble is when a user is signed in.
If I sign in on a laptop, then go into the Endpoints database and delete the profiled Endpoint, then manually disconnect and reconnect myself to the WiFi, the same process that happens with the machine account happens, except that the attribute indicating that this is a corporate device never gets written into the Endpoints database. This only happens during machine auth. So the user is never able to authenticate, as I map a role based on that attribute and it is required when user authentication is happening.
I was thinking that to deal with this scenario I could place the user into a restricted role with a captive portal associated with it. I could then tell the user they need to sign off. This would allow the machine authentication to happen and the whole process to work.
Is there another way of handling this? Perhaps I have overthought the situation.
I initially started out trying to get devices that have never connected to our wireless network profiled properly before being allowed to get full access to the network. It has gotten a little more complicated as I think about the different scenarios.
Thank you,
Cheers
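Added example, not part of the original post and not ClearPass code: a small Python model of the role mapping and enforcement flow described above, run over constructed endpoint data for the machine-auth path and for the user-auth-after-deletion path, to make visible exactly where the corporate attribute never gets written. The role names, the `Corporate` attribute name and the MAC address are assumptions.

```python
"""Constructed model (not ClearPass code) of the profiling flow in the post:
an in-memory endpoint repository, the IsProfiled role mapping rule and the
enforcement policy, replayed for machine auth and for user auth."""

def map_roles(endpoints, mac, auth_type):
    """Role mapping: '[Endpoints Repository]:IsProfiled NOT_EXISTS' plus
    roles derived from the corporate attribute and the auth type."""
    attrs = endpoints.get(mac, {})
    roles = set()
    if "IsProfiled" not in attrs:
        roles.add("Unprofiled")  # matched by the NOT_EXISTS rule
    if attrs.get("Corporate"):
        roles.add("Corporate")
    roles.add("MachineAuth" if auth_type == "machine" else "UserAuth")
    return roles

def enforce(roles):
    """Enforcement policy, first match wins: (profile, side effects)."""
    if "Unprofiled" in roles:
        # restricted role: enough access to get an IP, then profiler CoA
        return "Restricted-DHCP", ["profile", "coa_disconnect"]
    if "MachineAuth" in roles:
        # machine auth completed: tag the endpoint as corporate
        return "Full-Access", ["write_corporate"]
    if "UserAuth" in roles and "Corporate" in roles:
        return "Full-Access", []
    return "Deny", []  # user auth on an endpoint never tagged corporate

def run_flow(endpoints, mac, auth_type, max_rounds=4):
    """Replay connect -> enforce -> CoA -> reconnect until no CoA fires.
    Returns the sequence of enforcement profiles applied."""
    applied = []
    for _ in range(max_rounds):
        profile, actions = enforce(map_roles(endpoints, mac, auth_type))
        applied.append(profile)
        ep = endpoints.setdefault(mac, {})
        if "profile" in actions:
            ep["IsProfiled"] = True  # profiler writes its result
        if "write_corporate" in actions:
            ep["Corporate"] = True  # enforcement profile writes the attribute
        if "coa_disconnect" not in actions:
            break  # client stays connected with this profile
    return applied

if __name__ == "__main__":
    repo, mac = {}, "00-11-22-33-44-55"  # constructed sample MAC
    print("machine auth:", run_flow(repo, mac, "machine"), repo[mac])
    del repo[mac]  # the post: delete the profiled endpoint, reconnect as user
    print("user auth:", run_flow(repo, mac, "user"), repo[mac])
```

The second replay ends in Deny because only the MachineAuth branch ever writes `Corporate`, which is the gap the post describes.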