Colin I am finding that Enforce Machine Authentication is enabled on my 802.1x profile. The problem I have with disabling it is that the Virtual AP that is using the profile is being used on about 100 other AP Groups at sites all over the country. Disabling is would do so for my entire wireless enviorment. Could you tell me what type of consequenses this would have? Just so you know the site below is using Certificate Based Authentication with the NPS server. Im not sure how that factors in. Here's my config....
wlan virtual-ap "EmployeeX-VAP"
aaa-profile "EmployeeX-dot1x-aaa-profile"
ssid-profile "EmployeeX-802.1x-SSID-Profile"
vlan 1
forward-mode bridge
broadcast-filter all
blacklist-time 0
no mobile-ip
aaa profile "EmployeeX-dot1x-aaa-profile"
authentication-dot1x "EmployeeX-dot1x-auth-profile"
dot1x-default-role "EmployeeX-Employee-Authenticated"
dot1x-server-group "EmployeeX-Radius"
user-derivation-rules "BlacklistDevicesEmployeeX"
aaa authentication dot1x "EmployeeX-dot1x-auth-profile"
machine-authentication enable
machine-authentication machine-default-role "EmployeeX-802.1X-authd-employee"
machine-authentication user-default-role "EmployeeX-802.1X-authd-employee"
reauthentication
ap-group "ATG-Simpsonville-Indoor"
virtual-ap "Scanner-VAP"
virtual-ap "GuestWireless-VAP"
virtual-ap "EmployeeX-VAP"
dot11a-radio-profile "ARI-A-Indoor-Radio-Profile"
dot11g-radio-profile "ARI-G-Indoor-Radio-Profile"
ap-group "ATG-Simpsonville-Outdoor"
virtual-ap "ATG-Scanner-X-VAP"
virtual-ap "EmployeeX-VAP"
dot11a-radio-profile "ARI-A-Outdoor-Radio-Profile"
dot11g-radio-profile "ARI-G-Outdoor-Radio-Profile"
ap-system-profile "ARI-AP-System-Profile"