We just completed phase 1 on an Aruba Instant install for a school district at three different schools. We are enforcing machine authentication, but having issues with machines taking a long time to login to Windows. We currently have two roles under the "enforce machine authentication" - a "mach_rest" and "user_rest" role. The idea being if a client machine Auths, OR user auths only they would get the appropriate role. A client that machines AND user auths gets the full unrestricted role for that SSID. The problem we are having is the clients re getting stuck in the "mach_rest". Sometimes they authenticate fully, but it takes a long time. The only solution is to open the firewall rules on the "mach_rest" role and then clients authenticate quickly with no issues. At this point we have "allow all" to the domain controllers on the "mach_rest" role, but that is not a good solution. I would like to lock it down at least to specific ports, but the research we've done opening the ports used for Windows authentication still don't work very well. I've never really experienced this on the controllers this seems to be something with Instant. So, help I guess! :-)