[EXT] Re: 802.1X - ldap AND users file

Brian Julin BJulin at clarku.edu
Fri Apr 10 12:34:39 UTC 2026


Cedric Delaunay <cedric.delaunay at insa-rennes.f/r> wrote:

> That's what Brian expected :( => server is ok but client doesn't
> Any other way to reach my goal?

I don't know if this satisfies all your needs, but if you create another username with a
password that does not change a lot, you could set it up as an "All User" profile on that
Windows machine such that the machine is using it essentially as a machine account,
and remove any WiFi profiles that use the user account with the password that changes a lot.

That account would be used only for WiFi, not other SSO needs.

However, given what Microsoft is doing with Credential Guard and MSCHAP, setting
an MSCHAPv2 account up like this could get mucked up by that.  If you set up
an EAP-TLS or EAP-TTLS-PAP account as an "All User", you might be safer.
That would require offering the second EAP method as a second fallback during
EAP negotiation.  For this specific host that could cause blips during roaming,
but as long as the special EAP type is run as the second option the rest of the
fleet will pick the first option and will not notice.


