I work in an enterprise environment with several thousand users, and am looking to get some information as to whether User or Machine based authentication, for wireless access to our internal network, is the best choice.

Some background first: 

We have several thousand users, with close to 1,000 mobile devices (laptops and tablets) running either Windows 7 or Windows 8.1.  We have a Radius server currently configured to use User-based authentication with our Active Directory environment.  We currently manage these devices, while on network, with SCCM 2012.  We lack some management capabilities with the current configuration, for instance deploying packages while no user is logged in.

What I am trying to piece together is what type of experience others have had with these two options, in production in their environments.  Have you experienced problems with one way, but not the other?  Have you seen performance, or other effeciency or stability improvements, with one method over the other?

Any information that can be contributed would be greatly appreciated.

itmlimb,

We use both and here is why:

Machine authentication, this is great for laptops and devices that can be joined to the domain, before the user logs on, the machine is able to connect to the WiFi so they can be authenticated to the domain.

User Authentication is good for devices which can not be joined to the domain (BYOD) such as iPads, iPhones, Smart Phones, Tablets, etc.  They can be connected to the WiFi using domain credentials.

With that said, if you want to limit the machines that can connect to your WiFi and every device is able to connect to the domain and have a domain account I would use the Machine Authentication.  This then will not allow someone to bring a device in and connect it to the Domain without first getting it connected and approved.

I hope that helps out your decision making process.