So we have partly rolled out dot1x, but we have an issue where a user logs onto a device that they haven't previously, and it won't authenticate the user, and they drop off the network.
If an existing user logs back on, it's fine.
We find that the user doesn't download the cert from AD and so they fail authentication.
What am I doing wrong? Or is this expected behavior?
We're running ISE 2.6, Windows 10 1809.
Thanks in advance.
Machine authentication always works because, as you say, it gets added when the machine joins AD, but when a new user rocks up to a laptop it fails after they log in, as they have never logged in before and so there is no cert, and then it fails.
I believe you need to add a Machine Authentication policy also, which should have an ACL defined to allow communication between the machine and AD.
New users don't have a cached account on the computer, and the computer needs to communicate with the AD server. Without a Machine Authentication policy, when the user logs out, the machine will keep getting authentication failed and get the deny-only policy, which restricts your computer's communication with AD for new users.
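The following is an added diagnostic script, not something posted in this thread. It checks from the Windows 10 client the three things the reply above turns on: whether the machine has a certificate it can use for machine authentication, whether the newly logged-on user has a certificate yet, and whether the ports that AD and certificate autoenrollment need are actually reachable through the ACL applied to the machine-authenticated session. It assumes EAP-TLS with AD-autoenrolled certificates, takes the domain controller from `$env:LOGONSERVER` (override with `-DomainController`), and uses the standard AD port list; the CA's RPC/DCOM ports used by enrollment are not covered.

```powershell
# Added diagnostic, not from the thread. Run it in the new user's session on the
# Windows 10 client after they have logged on and dropped off the network.
# Assumptions (not stated in the thread): EAP-TLS with AD-autoenrolled certs,
# the DC taken from $env:LOGONSERVER, and the usual AD ports listed below.

param(
    [string]$DomainController = ($env:LOGONSERVER -replace '^\\\\', '')
)

# Client Authentication EKU, the one EAP-TLS supplicants look for.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-EapTlsCandidateCerts {
    param([Parameter(Mandatory)][string]$StorePath)
    # A cert is usable only with a private key, still valid, and carrying Client Auth EKU.
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
        }
}

Write-Host '== Machine certificates usable for machine authentication =='
$machineCerts = Get-EapTlsCandidateCerts -StorePath 'Cert:\LocalMachine\My'
$machineCerts | Format-Table Subject, NotAfter, Thumbprint -AutoSize
if (-not $machineCerts) {
    Write-Warning 'No machine cert with a private key and Client Authentication EKU.'
}

Write-Host "== User certificates for $env:USERDOMAIN\$env:USERNAME =="
$userCerts = Get-EapTlsCandidateCerts -StorePath 'Cert:\CurrentUser\My'
$userCerts | Format-Table Subject, NotAfter, Thumbprint -AutoSize
if (-not $userCerts) {
    Write-Warning 'No user cert yet: this is the state the thread describes for a first-time logon.'
}

# Autoenrollment only works if the box can reach AD (and the CA) once it has
# authenticated as a machine. These are the standard AD ports; the ACL applied
# in the machine-authenticated state must allow them. TCP only here.
Write-Host "== Reachability of $DomainController from this session =="
$adPorts = [ordered]@{ DNS = 53; Kerberos = 88; RPC = 135; LDAP = 389; SMB = 445; GlobalCatalog = 3268 }
foreach ($entry in $adPorts.GetEnumerator()) {
    $r = Test-NetConnection -ComputerName $DomainController -Port $entry.Value -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,-14} {1,5}  {2}' -f $entry.Key, $entry.Value, $state
}

# If the user store is empty but AD is reachable, pulse user autoenrollment and
# look again; certutil -pulse fires the autoenrollment task for the current user.
if (-not $userCerts) {
    certutil -pulse | Out-Null
    Start-Sleep -Seconds 10
    Write-Host '== User certificates after autoenrollment pulse =='
    Get-EapTlsCandidateCerts -StorePath 'Cert:\CurrentUser\My' | Format-Table Subject, NotAfter -AutoSize
}

# The wired supplicant's own log shows which identity it tried and why it failed.
Write-Host '== Last wired 802.1X events =='
Get-WinEvent -LogName 'Microsoft-Windows-Wired-AutoConfig/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If the machine cert is present but every AD port shows BLOCKED while the new user is logged on, the client is sitting in the restricted (deny-only) state the reply describes and autoenrollment cannot complete, which is exactly why the user store stays empty; fix the machine-authentication policy and its ACL first, then re-run the script to confirm the ports open and the user cert appears.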