Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

EAP-TLS with CPPM

  • 1.  EAP-TLS with CPPM

    Posted Oct 04, 2018 02:35 PM

    We currently do EAP-PEAP with CPPM and things work well. We have a few machines (Macs) that we want to do EAP-TLS for machine auth since they are shared access and we need them to be connected at the login window. We've set up ADCS with a CA and manage the certificate process using JAMF and the machine gets the cert OK and we can let it on the network using CPPM. What I'd like to do is separate access for student and employee machines into different VLANs based on something like OU. I've been unable to make this work and I've searched and found threads on here. What (I think) my problem is, is that the authentication request is showing up as a user instead of machine and there's no UserDN (see screenshot). If CPPM saw the UserDN, the OU would be listed and I could set up my rules accordingly. I'm hoping it's something silly that I'm missing, TIA!



  • 2.  RE: EAP-TLS with CPPM

    MVP
    Posted Oct 04, 2018 04:06 PM

    Why not separate it by student and employee user as opposed to machine so that they have their proper access based on where they are logged in and not the device itself?

     

    If you still want to do machine-based, can you confirm which certificates are being issued - you can do machine and user certs and then you should be able to choose which one to use for authentication. 

     

    You don't need UserDN to do your logic, you can also use MemberOf, which includes "Students" in your attachment. I assume employees would have something similar.



  • 3.  RE: EAP-TLS with CPPM

    Posted Oct 09, 2018 08:39 AM

    That's ideally how we would do it, but unfortunately it doesn't seem like it's possible to get a Mac to do user-auth at the login window. In our experience, a new user on a machine needs to hit enter twice at the login window after putting in their credentials. Once seems to get it signed into wifi as them, and the next one logs them into their user account with network home folder.

     

    The weird thing about the screenshot I posted is that nobody is logging into the machine so I'm not sure where it's pulling that user from.



  • 4.  RE: EAP-TLS with CPPM

    Posted Oct 09, 2018 03:48 PM

    I confirmed that the AD certificate request is using the "machine" template and not user. I figured out why it had that user listed too. We're importing endpoints from JAMF, and that was the last user we logged in as while testing. If I delete the endpoint, the request comes in without the username, but it still doesn't list a userDN for the machine. What am I missing?



  • 5.  RE: EAP-TLS with CPPM

    Posted Oct 09, 2018 04:35 PM

    Can you share the access tracker entry?

     



  • 6.  RE: EAP-TLS with CPPM

    Posted Oct 09, 2018 05:19 PM

    Isn't it possible to match specific information in the certificate, like Certificate:Subject-CN, to determine if it is a machine or a user?



  • 7.  RE: EAP-TLS with CPPM

    Posted Oct 09, 2018 05:26 PM

    Can you please share the access tracker entry?


  • 8.  RE: EAP-TLS with CPPM

    Posted Oct 11, 2018 08:57 AM

    edited



  • 9.  RE: EAP-TLS with CPPM
    Best Answer

    Posted Oct 12, 2018 10:47 AM

    So I ended up figuring out what was wrong. I needed to edit my wireless network configuration profile to have the username in the format "DOMAIN\$COMPUTERNAME$" in order for CPPM to see it as a machine auth attempt and look up the computer in AD. The trailing $ was the one that finally got it working.
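The identity-format rule the best answer describes, worked through as an added example (not code from the thread, from CPPM, or from JAMF): an identity of the form DOMAIN\host$ is treated as a machine auth and resolved to a computer object, whose OU then selects the VLAN; an identity without the trailing $ falls through as a user auth and yields nothing, which is the failure mode seen earlier in the thread. The AD records, the OU-to-VLAN map and the regex are constructed assumptions that approximate the behaviour, not CPPM's actual lookup logic.

```python
import re
from typing import Optional

# Constructed stand-in for an AD computer lookup (not a real directory).
# Keys are computer sAMAccountNames, which always carry the trailing "$".
AD_COMPUTERS = {
    "LAB-MAC-01$": "CN=LAB-MAC-01,OU=Students,OU=Macs,DC=example,DC=edu",
    "HR-MAC-07$": "CN=HR-MAC-07,OU=Employees,OU=Macs,DC=example,DC=edu",
}

# Assumed policy: the first OU in the computer's DN that appears here wins.
OU_TO_VLAN = {"Students": 200, "Employees": 100}

# DOMAIN\host$ (domain prefix optional). No trailing "$" -> not a machine.
MACHINE_IDENTITY = re.compile(r"^(?:(?P<domain>[^\\]+)\\)?(?P<host>[^\\@]+\$)$")


def classify_identity(identity: str) -> dict:
    """Say whether a RADIUS User-Name looks like a machine or a user auth."""
    m = MACHINE_IDENTITY.match(identity)
    if m:
        return {"kind": "machine", "domain": m.group("domain"),
                "account": m.group("host")}
    # Anything else (no trailing $, user@realm, plain user) is a user auth.
    return {"kind": "user", "domain": None, "account": identity}


def ou_path(dn: str) -> list:
    """OU components of a DN, most specific first (assumes no escaped commas)."""
    rdns = (rdn.split("=", 1) for rdn in dn.split(","))
    return [value for key, value in rdns if key.upper() == "OU"]


def vlan_for_identity(identity: str) -> Optional[int]:
    """Resolve an identity to a VLAN via the computer object's OU, or None."""
    info = classify_identity(identity)
    if info["kind"] != "machine":
        return None  # user auth: there is no computer object to look up
    dn = AD_COMPUTERS.get(info["account"].upper())
    if dn is None:
        return None  # computer not found in the directory
    for ou in ou_path(dn):
        if ou in OU_TO_VLAN:
            return OU_TO_VLAN[ou]
    return None
```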