We get our laptops built at Dell and then shipped directly to the user. The computer will have a computer certificate issued through group policy when it is domain joined, but it won't have a user certificate as the user has never logged on. There is a requirement that the user might never log on initially on a wired connection. Our preferred choice of authentication is EAP-TLS, which connects and authenticates on wireless flawlessly, but we have an issue when it comes to initial user authentication over wireless, as there is no user certificate to build the EAP tunnel.
We use Windows Single Sign-On, which allows enough time for the user's details to be pulled from AD, but then the network drops to reauthenticate on the user connection before group policy gets to pull the user certificate from our internal PKI.
I have tried having a second SSID restricted to Active Directory authentication only using MSCHAPv2, for the user to fall back onto after failing on the EAP-TLS network, so that the user account pulls a certificate, but... there is no way to kick off group policy without a manual script/intervention after connecting, as it has already failed on the initial EAP-TLS connection attempt.
Do we have a solution to the issue below without the customer buying AnyConnect for every single laptop?
Many thanks for your input in advance.
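As an added illustration of the "manual script" step the post describes (this is not the poster's script and not a vendor solution), here is a PowerShell script meant to run as a scheduled task at user logon: it checks the user's personal store for a usable client-authentication certificate, and if none exists it switches to the MSCHAPv2 (AD-only) SSID, pulses autoenrollment and user policy, waits for the certificate, then reconnects to the EAP-TLS SSID. The WLAN profile names 'Corp-EAP-TLS' and 'Corp-Fallback' and the 60/120 second timeouts are assumptions.

```powershell
# Added example, not from the original post. Run as a scheduled task at user logon.
# Profile names and timeouts below are assumptions; adjust to your environment.
$PrimaryProfile  = 'Corp-EAP-TLS'      # assumed EAP-TLS WLAN profile name
$FallbackProfile = 'Corp-Fallback'     # assumed MSCHAPv2 (AD-only) WLAN profile name
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2' # Client Authentication EKU

function Get-UserClientAuthCert {
    # A cert the EAP-TLS user phase can use: private key present, not expired,
    # and carrying the Client Authentication EKU. Newest one wins.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Test-DomainReachable {
    # Locating the computer's domain forces a DC lookup; failure means no domain connectivity.
    try { [void][System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain(); $true }
    catch { $false }
}

if (Get-UserClientAuthCert) {
    Write-Host "User certificate already present; nothing to do."
    exit 0
}

# No user cert yet, so the EAP-TLS user phase cannot succeed. Use the AD-only SSID
# to reach the domain and let autoenrollment issue the certificate.
netsh wlan connect "name=$FallbackProfile" | Out-Null
$deadline = (Get-Date).AddSeconds(60)
while ((Get-Date) -lt $deadline -and -not (Test-DomainReachable)) { Start-Sleep -Seconds 5 }
if (-not (Test-DomainReachable)) { Write-Warning "Domain not reachable on $FallbackProfile."; exit 1 }

# Pulse autoenrollment (the same event GPO autoenrollment reacts to) and refresh user policy.
certutil -pulse | Out-Null
gpupdate /target:user /force | Out-Null

# Poll the store until the certificate lands, then move to the EAP-TLS SSID.
$deadline = (Get-Date).AddSeconds(120)
while ((Get-Date) -lt $deadline -and -not (Get-UserClientAuthCert)) { Start-Sleep -Seconds 10 }
if (Get-UserClientAuthCert) {
    netsh wlan connect "name=$PrimaryProfile" | Out-Null
    Write-Host "User certificate enrolled; reconnected to $PrimaryProfile."
} else {
    Write-Warning "No user certificate after autoenrollment; staying on $FallbackProfile."
    exit 1
}
```

The fallback profile must already be deployed on the machine (for example as an all-user WLAN profile) for the `netsh wlan connect` step to have something to connect to.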