Hi Folks,
I'm having an issue with 802.1X, Windows Server 2008 R2 NPS, and Windows 7 clients. I am attempting to deploy two WLANs, one for student use and one for staff use. The Network Policies are both configured the same, with access to the Staff SSID requiring membership in the Domain\Staff group and the Student SSID requiring membership in the Domain\Students group (I'm using Called Station ID to associate the network policies with the appropriate SSID).
The SSIDs each utilize the same authentication methods and are configured identically in my GPO (Computer - Windows Settings - Security Settings - Wireless Network (IEEE 802.3) Policies).
The issue is as follows:
If the "Student" SSID is listed first under "Connect to available networks in the order of profiles listed below" (and appears in the Windows login as "Windows will attempt to connect to Student"), then students can log in and they connect as expected. However, "Staff" members, who are NOT authorized for the "Student" network, get an "unable to connect to Student, logging on..." message quickly followed by "There are currently no logon servers available to service the logon request." If I move the Staff SSID to the top of the list, it appears in the Windows login screen as "Windows will attempt to connect to Staff." Now members of the Staff group can log in, but Student users receive an "unable to connect to Staff, logging on..." message quickly followed by "There are currently no logon servers available to service the logon request."
Users with cached credentials can log in since SSO is enabled, but I need "new" users to be able to authenticate and connect to the appropriate network. It appears to me that the credentials are never passed after the user is denied access to the first SSID on the list. What am I missing?
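As an added illustration (not part of the original post, and not NPS code), the following models how NPS evaluates ordered network policies with a Called-Station-Id condition and a Windows-group condition, then walks the SSIDs in the GPO profile order the way the logon-time client would. Assumptions: NPS takes the first policy whose conditions all match, wireless access points send Called-Station-Id as "AP-MAC:SSID", and the group, SSID and MAC values below are constructed samples.

```python
import re
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    called_station_id: str  # pattern as typed into the NPS Called Station ID condition
    required_group: str     # Windows Groups condition, e.g. r"DOMAIN\Staff"
    grant: bool = True      # Access Permission: grant or deny


@dataclass
class Request:
    user: str
    groups: set
    called_station_id: str  # assumed AP format: "AP-MAC:SSID"


def matches(policy, req):
    """All conditions of a policy must match for NPS to select it."""
    ssid_ok = re.search(policy.called_station_id, req.called_station_id) is not None
    return ssid_ok and policy.required_group in req.groups


def evaluate(policies, req):
    """First matching policy decides; no matching policy means Access-Reject."""
    for p in policies:
        if matches(p, req):
            return ("Access-Accept" if p.grant else "Access-Reject", p.name)
    return ("Access-Reject", None)


# Constructed policies mirroring the post: each SSID is tied to one group via
# an anchored Called-Station-Id pattern so "Staff" cannot match "Student".
POLICIES = [
    Policy("Staff WLAN", r":Staff$", r"DOMAIN\Staff"),
    Policy("Student WLAN", r":Student$", r"DOMAIN\Students"),
]


def ssid_outcomes(user, groups, ap_mac, ssid_order):
    """Decision per SSID, in the GPO profile order the client tries them."""
    return [(ssid, evaluate(POLICIES, Request(user, groups, f"{ap_mac}:{ssid}"))[0])
            for ssid in ssid_order]


if __name__ == "__main__":
    # A staff user whose GPO lists Student first is rejected on the first
    # profile and only accepted on the second.
    print(ssid_outcomes("alice", {r"DOMAIN\Staff"}, "00-11-22-33-44-55", ["Student", "Staff"]))
```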