Do you have this issue if you leave computer and user but uncheck Single
Sign On?



As far as I know, Single Sign-on is an alternative to machine
authentication. I don't think it is designed to be used with it.



By default, Windows will switch to user authentication at the desktop.



Single sign-on allows the user's credentials to be used to authenticate and
contact AD vs. machine auth, which uses the computer's account to contact AD.



Tim





*Tim Cappalli*  |  ACCP /  ACMP /  CCNA
Wireless Engineer  |  Brandeis University
[email protected] | (617) 701-7149



*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
[email protected]] *On Behalf Of *John Kaftan
*Sent:* Friday, February 7, 2014 4:05 PM
*To:* [email protected]
*Subject:* [WIRELESS-LAN] Strange 802.1x behavior with single signon



We have a number of laptops that are mobile labs (Tanks) and in the library
for students to check out.



We push the 802.1x settings via AD and it works very well.  The problem we
have run into is that when we have login set to 'user or computer' and
check single sign-on it comes up and logs into the network using the
computer name just fine.  But then when the user logs in it immediately
authenticates 802.1x as the user and then proceeds to churn until
ultimately failing with "No logon servers found".



The strangest thing about this is that packet captures reveal that while
the machine is churning it is sending out ARPs for its gateway.  The
gateway replies but the client ignores it.  It does this 30-40 times before
giving up.



If the user has logged onto the machine before they will get on with cached
credentials and they will be fine, other than being grumpy over how long it
takes to get on.  If they have never logged on before they will get the
dreaded "No logon servers found".



Doing an 'ARP -a' at the command line reveals the gateway address is listed
and the machine is able to browse just fine.



I don't think this is a wireless\policy issue as I set up the client to get
our IT_Admins profile no matter what and also after the client finally
stops asking for the gateway's MAC address everything is fine.



Our workaround is to just set it to Computer authentication only.  This is
a bummer because we lose visibility as well as the ability to apply user
based profiles.




-- 

John Kaftan

IT Infrastructure Manager

Utica College



********** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
