Hello guys,
I have a question regarding EAP-TLS authentication in Windows 7.
We have students connecting to our network with domain computers.
Sometimes the teachers, for different reasons, want to block the students' Internet connection.
The teachers have a web interface where they can choose which students/class they want to block, and then they are moved to an Active Directory group (“CLOSE-INTERNET”). Today we achieve this with a proxy server and Active Directory, where all clients have to authenticate with their domain credentials.
Now we want to move away from using a proxy, and make Aruba ClearPass and the Aruba Mobility Controller do this job.
To achieve this, we have configured the student computers to authenticate with 802.1X “User or computer authentication”, and we are deploying machine and user certificates through Group Policy and a Windows certificate authority server. This way we can see which user is logged on to the computer on the AMC, and the computer endpoint has the correct username attribute in ClearPass. So far so good.
After testing this for a while, I see that users who log on to the computer for the first time get disconnected from the network after logging into Windows. I was thinking the user certificate was deployed when the user was logging on to Windows, but this does not work. The computer gets online after it boots up (using the machine certificate), some seconds after the user has typed in the credentials and pressed Enter, and then it suddenly drops the connection, because the Group Policy is set to switch to the user certificate.
Has anyone else experienced this problem, and solved it? Is it even possible?
Does anyone have a workaround?
I know it will work if we put the PC on a non-802.1X switch port and have the user log on, but with over 10000 students and very few switch ports, that is not a good enough solution.
I appreciate any help on this!
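The post suspects that the user certificate is not yet in the user's store at first logon, so the switch from machine to user authentication has nothing to present. The following PowerShell check, added here as an example and not taken from the original post or from Aruba, runs in the user's session and reports whether a usable Client Authentication certificate exists in the machine and user stores; the issuer name is a placeholder you must replace with your own CA.

```powershell
# Added diagnostic (example, not from the original post): does the logged-on user
# already hold a Client Authentication certificate for EAP-TLS user authentication?
# Assumption: $IssuerFilter is a placeholder; set it to your issuing CA's subject.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'          # id-kp-clientAuth
$IssuerFilter  = 'CN=EXAMPLE-ISSUING-CA'      # placeholder, adjust to your CA

function Get-ClientAuthCerts {
    param([string]$StorePath)
    # Keep only certs that are valid, have a private key, come from our CA,
    # and carry the Client Authentication EKU (what EAP-TLS needs).
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            $_.Issuer -like "*$IssuerFilter*" -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
        }
}

function Test-EapTlsReadiness {
    $machine = @(Get-ClientAuthCerts -StorePath 'Cert:\LocalMachine\My')
    $user    = @(Get-ClientAuthCerts -StorePath 'Cert:\CurrentUser\My')

    [pscustomobject]@{
        User               = "$env:USERDOMAIN\$env:USERNAME"
        MachineCertPresent = ($machine.Count -gt 0)
        UserCertPresent    = ($user.Count -gt 0)
        UserCertSubjects   = ($user | ForEach-Object { $_.Subject }) -join '; '
    }
}

$before = Test-EapTlsReadiness
$before | Format-List

if (-not $before.UserCertPresent) {
    # No user cert yet: trigger a user autoenrollment pass (same as the scheduled
    # task Group Policy registers) and look again. Requires the CA to be reachable,
    # which is exactly what fails once the 802.1X session has dropped.
    Write-Host 'No user Client Authentication certificate found; triggering autoenrollment.'
    certutil -user -pulse | Out-Null
    Start-Sleep -Seconds 30
    $after = Test-EapTlsReadiness
    $after | Format-List
}
```

Run it once as the newly logged-on user while the PC is still on the machine-authenticated session; if UserCertPresent is false before the drop, the disconnect is the user-certificate enrollment racing the 802.1X credential switch rather than a ClearPass policy problem.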