Machine authentication through Microsoft IAS in Windows 2003 Server Enterprise Edition
Subject: Machine Authentication with Cisco Wireless Controller 4402 and Microsoft IAS as RADIUS server not happening.

Components used:
· Cisco WLAN Controller 4400
· Cisco 1131A/G Lightweight Access Points
· Authentication type: 802.1X
· EAP type: Smartcard and other Certificates
· Microsoft IAS for RADIUS authentication
· Microsoft Enterprise CA for machine and user certificates
· Windows 2003 Enterprise Server Edition for Active Directory and CA
· Microsoft XP client PC with Service Pack 3

We have a Cisco WLAN Controller 4402 with Cisco 1131A/G lightweight access points. We want to do 802.1X authentication for all the wireless users. We are using Microsoft IAS for RADIUS authentication. We have created an Enterprise CA for issuing machine and user certificates, with autoenroll configured in a Windows wireless group for wireless computers and wireless users. We have also published a server certificate for Microsoft IAS with EAP type as Smartcard and other Certificates.

Procedure:
· We have created a separate wireless group for wireless computers and users.
· We have enabled autoenroll of computer certificates and user certificates for this group.
· We have created a Remote Access Policy in Microsoft IAS with the wireless group added to it.

Everything works fine: when a valid domain computer boots, it is issued a machine certificate before the logon screen and is granted access, and when a valid wireless user logs on to the computer, he gets a user certificate and connects to the wireless network.

Problem: When we remove a computer/machine which has already been issued a computer certificate and a user certificate from the authorized wireless group, the RADIUS server logs show the user has been denied access, but when the user logs on through cached credentials he is able to connect to the wireless network.

So the thing is, though the computer is denied access as per the Microsoft IAS logs, he is able to connect to the wireless network through the cached logon. So the user credentials supersede the machine credentials.

What we want: If machine authentication fails, user authentication, though valid, should be denied access to the wireless network.
May 19th, 2011 11:32am
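The gap described in the question (a client whose machine authentication was rejected still gets onto the WLAN once a user logs on) is visible in the RADIUS server's logs as a machine Access-Reject followed by a user Access-Accept from the same client MAC. The script below is an added example, not part of the original thread, that correlates those two events per Calling-Station-Id so the condition can be detected and reported. The log lines are constructed and use a simplified comma-separated shape (timestamp, result, identity, client MAC), not the real IAS log format; the convention that machine identities carry a `host/` prefix and user identities a `DOMAIN\user` form is an assumption made for this example.

```python
"""
Correlate RADIUS machine-auth rejects with later user-auth accepts per client.

Added example for the thread above. The sample log below is constructed and
uses a simplified CSV shape rather than the real IAS log format. The assumption
that machine identities look like "host/<fqdn>" and user identities like
"DOMAIN\\user" is made for this example only.
"""
from datetime import datetime

# Constructed sample: timestamp, result, identity, Calling-Station-Id (client MAC).
# Station ...5E: machine rejected, user accepted minutes later -> the reported gap.
# Station ...60: machine accepted, then user accepted -> normal behaviour.
# Station ...70: machine rejected, user accepted hours later -> outside window.
SAMPLE_LOG = """\
2011-05-19 09:01:12,Access-Reject,host/wkstn01.corp.example,00-1A-2B-3C-4D-5E
2011-05-19 09:03:40,Access-Accept,CORP\\jdoe,00-1A-2B-3C-4D-5E
2011-05-19 09:05:02,Access-Accept,host/wkstn02.corp.example,00-1A-2B-3C-4D-60
2011-05-19 09:06:15,Access-Accept,CORP\\asmith,00-1A-2B-3C-4D-60
2011-05-19 10:30:00,Access-Reject,host/wkstn03.corp.example,00-1A-2B-3C-4D-70
2011-05-19 14:45:00,Access-Accept,CORP\\bwong,00-1A-2B-3C-4D-70
"""


def parse_line(line):
    """Split one constructed log line into a dict; MAC is normalised to upper case."""
    ts, result, identity, mac = line.split(",", 3)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "result": result.strip(),
        "identity": identity.strip(),
        "mac": mac.strip().upper(),
        # Assumption for this example: machine accounts authenticate as host/<fqdn>.
        "is_machine": identity.strip().lower().startswith("host/"),
    }


def find_user_after_machine_reject(log_text, window_minutes=15):
    """
    Return (mac, machine_identity, user_identity) triples for every client whose
    most recent machine authentication was an Access-Reject and whose user
    authentication was then accepted within `window_minutes`.
    """
    last_machine_reject = {}  # mac -> most recent machine Access-Reject event
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["is_machine"]:
            if ev["result"] == "Access-Reject":
                last_machine_reject[ev["mac"]] = ev
            else:
                # A successful machine auth clears any earlier reject for this client.
                last_machine_reject.pop(ev["mac"], None)
            continue
        if ev["result"] == "Access-Accept":
            rej = last_machine_reject.get(ev["mac"])
            if rej is not None:
                elapsed = (ev["time"] - rej["time"]).total_seconds() / 60
                if elapsed <= window_minutes:
                    findings.append((ev["mac"], rej["identity"], ev["identity"]))
    return findings


if __name__ == "__main__":
    for mac, machine_id, user_id in find_user_after_machine_reject(SAMPLE_LOG):
        print(f"{mac}: user {user_id} accepted after machine {machine_id} was rejected")
```

Run against a real export, the only change needed is `parse_line`; the correlation logic stays the same. The time window keeps the check focused on the boot-then-logon sequence the question describes, and a successful machine authentication clears the pending reject so that a client which was later re-added to the group is not reported.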

Hi Customer,

You could configure the 802.1x wireless group policy computer authentication to Computer only. It is recommended that you select With user re-authentication. When this option is selected, authentication is performed by using the computer credentials when users are not logged on to the computer. After a user logs on to the computer, authentication is performed by using the user credentials. When a user logs off of the computer, authentication is performed by using the computer credentials.[1]

[1] Configuring Wireless Network Policies: http://technet.microsoft.com/en-us/library/cc776078(WS.10).aspx

Regards,
Rick Tan
May 20th, 2011 8:28am
