Hi All,
Assume an MS-AD only environment, Windows 7 clients, 2008/12 R2 servers etc. Wireless security preference is for EAP-TLS, with host AND user certificates (for total visibility). Also assume cert-auto-enroll for users and hosts is happening.
In this model, consider a user logging on to a wireless-only connected laptop (host-eap-tls-auth'd, just booted). In this scenario, the default Windows (no supplicant) behaviour is to disconnect the user after the AD login, because the user hasn't enrolled on THAT laptop for a cert quickly enough. This can be resolved by jacking into the wire, and waiting for the user cert (usually provoked by another logon, or gpupdate).
Of course, this isn't a "perfect world" solution.
So, my question is whether anybody has come up with a "silver bullet" for this?
In my mind, I've toyed with a few theories, but not tried them yet. I'm curious to know if anybody has, and what success was achieved? At a raw level, I was thinking within AD, perhaps some kind of hold-off timer might work by a GPO alteration or reg-hack? Beyond that, perhaps a third party supplicant would be assistive? One that allowed a similar "hold-off-until-cert-retrieved" feature?
Note that the customer in this scenario doesn't have much money. So supplicants would have to be cheap. And of course, something like Clearpass overlay isn't commercially viable. Also note that the AD is somewhat large, and unpredictable in terms of "how long" before AD pushes the user cert down to the host.
Thoughts?
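As an added example (not from the original poster), the following PowerShell script shows the "hold-off" idea from the defender's side: it checks whether the logged-on user already holds a Client Authentication certificate in the user's personal store, and if not, nudges autoenrollment with `certutil -pulse` and polls for the certificate up to a chosen timeout before reporting the wireless profile state. It assumes a standard Windows 7+ client with the built-in `Cert:` provider, `certutil` and `netsh` available; the profile name and timeout values are placeholders you would adjust, and the EKU OID used (1.3.6.1.5.5.7.3.2) is the standard Client Authentication OID that EAP-TLS user certificates carry.

```powershell
# Added example: check for a user EAP-TLS certificate, trigger autoenrollment
# if it is missing, and wait (hold off) until one arrives or a timeout expires.
# Run in the context of the logged-on user (not elevated) so that the
# CurrentUser store and user autoenrollment are the ones being inspected.

param(
    [int]$TimeoutSeconds = 300,            # assumed hold-off budget; adjust to your AD
    [int]$PollSeconds    = 15,             # how often to re-check the store
    [string]$WlanProfile = 'CORP-WIFI'     # placeholder profile name, not from the post
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'      # standard Client Authentication EKU

function Get-ClientAuthUserCert {
    # Return the first unexpired certificate in the user's personal store whose
    # Enhanced Key Usage extension includes Client Authentication and that has
    # a private key. Returns $null when none is present.
    $now = Get-Date
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt $now -and $_.NotBefore -le $now
    } | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not $eku) { return $false }
        $ekuExt = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$eku
        ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ClientAuthOid
    } | Select-Object -First 1
}

function Invoke-UserAutoenrollPulse {
    # Ask the autoenrollment engine to run now instead of waiting for its
    # scheduled trigger. certutil -pulse is a built-in Windows command.
    & certutil.exe -pulse | Out-Null
}

function Wait-ForUserCert {
    param([int]$Timeout, [int]$Poll)
    # Poll the store until a usable certificate appears or the budget runs out.
    $deadline = (Get-Date).AddSeconds($Timeout)
    do {
        $cert = Get-ClientAuthUserCert
        if ($cert) { return $cert }
        Write-Host ("No user client-auth cert yet; re-checking in {0}s..." -f $Poll)
        Start-Sleep -Seconds $Poll
    } while ((Get-Date) -lt $deadline)
    return $null
}

function Get-WlanProfileState {
    param([string]$Name)
    # Report what the built-in supplicant currently thinks of the profile.
    # Parsing netsh output is informational only; it does not change anything.
    $out = & netsh.exe wlan show profile name="$Name"
    if ($LASTEXITCODE -ne 0) { return 'profile-not-found' }
    return ($out | Where-Object { $_ -match 'Authentication|Connection mode' }) -join '; '
}

# --- Main flow -------------------------------------------------------------
$existing = Get-ClientAuthUserCert
if ($existing) {
    Write-Host ("User cert present: {0} (expires {1})" -f $existing.Subject, $existing.NotAfter)
} else {
    Write-Host "No user client-auth cert found; pulsing autoenrollment and holding off."
    Invoke-UserAutoenrollPulse
    $cert = Wait-ForUserCert -Timeout $TimeoutSeconds -Poll $PollSeconds
    if ($cert) {
        Write-Host ("Cert arrived: {0}" -f $cert.Thumbprint)
    } else {
        Write-Warning ("Timed out after {0}s; user EAP-TLS will fail until the cert is issued." -f $TimeoutSeconds)
    }
}
Write-Host ("Profile '{0}': {1}" -f $WlanProfile, (Get-WlanProfileState -Name $WlanProfile))
```

Running this as a user logon script gives you a visible, logged answer to "did this user get a cert on this laptop, and how long did it take", which is the number you need before deciding whether a GPO-driven delay or a third-party supplicant is worth the cost. Note that it only influences autoenrollment timing; the built-in supplicant's decision to drop the user session when no user cert is present is still governed by the wireless profile's authentication mode settings.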