Hey folks!

I have the following setup:

Laptop connects to wireless via WLC using Cisco Anyconnect client.  (WPA2 Enterprise AES,  with 802.1x configuration password/EAP-FAST)

WLC authenticates user ID via ACS.

ACS queries AD for user ID and passes or fails.

Occasionally, we have a user that cannot login, no matter what laptop he/she uses.

ACS failed attempts log shows the following:

EAP-FAST user was provisioned with new PAC

The only fix we've found is to create a new instance of the same SSID and have them login using that.

Once they trust the server cert, they can login to any laptop.

I assume it's because they "accidentally" chose to not trust the server certificate.  They always tell me they didn't do it  :)~

My question is this.  Why does that "accident" follow them from laptop to laptop?

Also, is there an easier fix than having them create an entirely new wireless connection in the AnyConnect client?

Thanks!

Ven