First of all is anyone using wired 802.1x Authentication successfully with NAC? My goal is to have 802.1x be my first auth choice and Mac auth second and then use AD to push 802.1x settings to machines that are members of the domain. All other machines would likely authenticate via Mac auth. I have it set for user or computer authentication in the supplicant so when the computer first connects it authenticates as a computer and then flips to user auth when the user logs in. Then I can assign policy based on who the user is rather than based on the computer with Mac auth.
I have this all working......sort of. The problem I have is that periodically the computer flips into Mac auth after the user is logged in and has their profile. This is seemingly random. So the user is going along with their special profile and suddenly they get "Computer", which is what they get with Mac auth, and then they cannot get to whatever they need and they call me.
When I take a packet capture and trigger a reauth from NAC I see that the switch and NAC are exchanging up to 11 Access-Requests\Challenges pair per client before NAC finally issues an Accept with the filterID. So far I only have one capture during the moment when a client flips from 802.1x auth to Mac auth. I see no associated RADIUS packet between NAC and the switch when that happens. So I cannot see how this is happening unless the switch is just changing that without talking to NAC. That should never happen.
At this point I'm pretty discouraged with 802.1x. I am thinking I am adding too much complexity to the process of a basic connection. If I roll this out over the whole campus there is any number of things that can bite me, the supplicant, the switch, NAC any time I upgrade anything I will be super nervous.
So is anybody else using 802.1x on wired as the primary way your users connect and if so are you able to get it stable? Also does anyone have any idea what is going on with my network?