We've rolled out 802.x auth to our wired clients and setup Windows NPS policies to determine what VLAN's the connected port is placed into by using attribute 203 and the string name of the VLAN.
This works very well so far, but I just stumbled over a special case that is making life difficult.
Normally the ports end up in TRUST or VOICE (or a combination for pass-trhu) for authenticated users/devices. Or they end up in GUEST if they are unable to authenticate.
My problem is that I need a SPECIAL VLAN for certain machines. The problem relates not to the machine, but to the user. The machine matches an NPS policy that puts the port into the SPECIAL VLAN. But as soon as the user authenticates the NPS puts the port into the TRUST VLAN
Ideally I'd like to see a computer AND user authentication, but I understand MS NPS can't do that as the authentication process from the switch only sends one type of authentication computer OR user.
I then wondered if there was a way NPS could return a "Don't change the VLAN" message in the RADIUS attribute? That way the computer could authenticate, be placed into the SPECIAL VLAN and when the user authenticates the message is just simply authenticated.
What actually happens if I don't return the 203 attribute is the port returns to the AuthVLAN.
Has anyone got any ideas on either a computer AND user or a no change scenario?