I realize this is "mostly" a Windows client issue but figured this was a better target group to ask than random users who can't connect to their home WiFi.
We are using Onboarding to provision certificates and configure wireless for EAP-TLS authentication.
For many clients the process works perfectly and they are off and running just fine connected to our internal wireless.
But for some (not sure of commonality), the provisioning process completes just fine but once they are done and connected to our internal network SSID they show that they are "connected, no internet". Disconnecting and reconnecting to that SSID doesn't change anything. Rebooting the machine doesn't change anything. "Forgetting" that SSID sends them back into the onboard process which completes fine but they end up with "connected, no internet".
ClearPass shows that they authenticate with EAP-TLS just fine, they get all the appropriate roles and enforcement profiles. They end up on the correct VLAN with correct IP address, DNS, gateway, etc.
Network firewall logs show that the only thing leaving their local network is ICMP traffic from their host. They can resolve IPs and ping hosts by name or IP, but browsing and other network activity fails.
If I open a command prompt to check local settings with "ipconfig /all" it takes a LONG time to return results, which tells me something isn't healthy.
We have found one thing that works reliably to get them out of this state but would like to solve the root cause of the problem.
If a user in this "connected, no internet" state decides to connect to another SSID we are offering for guest or BYOD and then goes back to connect to our internal SSID then the internal SSID works fine and they are "connected, internet access". Problem solved, but hardly elegant.
Obviously something in the act of connecting to another SSID and reconnecting to the original shakes something loose that is causing issues, but what and why? Whatever is being remembered by the local client after numerous failed attempts to connect to that SSID successfully survives a reboot and even reprovisioning. But connecting to a different SSID clears out whatever is causing the problem.
Has anyone else run into this behaviour? Any ideas how to avoid it? Is there a command we could have users run after provisioning is done that would mimic what happens when they connect to a different SSID to accomplish the semi-reset that seems to happen? Something that wouldn't wipe out other important settings and that an unprivileged user can run?
It seems to be more common on laptops that connect to our network using both wired and wireless, but not all clients that do that show this behaviour.