We are deploying ISE and connecting to the company's WiFi using a "machine" login (active directory laptop) works fine on Windows 7 or 8 - both wired and wireless. But, here is a scenario that I can't seem to find a good answer for. All my searches result in answers for corporate wifi; but not what I need.
So, an employee checks out a laptop to use on a trip. It has AnyConnect 4.0.x VPN and NAM installed (SBL - GINA needs to be added). Windows 8 allows a user who has never used a Win8 laptop to connect to WiFi and authenticate before attempting to login and get their desktop. If the Win 7 or 8 laptop is connecting to a corporate AP, ISE automatically authenticates the "machine" so when they enter their user credentials, they will be logging into the Windows domain (GPO's, drive mappings, etc.). Once a Windows 7 laptop has been authenticated with ISE, it doesn't matter which user logs in, the device will already have a connection. Essentially, the user does not have to log in while within the corporate network in order to get their profile created (locally cached credentials).
But, what if the user has no local profile and tries to use a Windows 7 laptop from their home? They need to be able to connect and authenticate to their home WiFi before AnyConnect can automatically bring up the VPN tunnel. The GINA module will do an SBL for a VPN connection but that's not going to work if they don't have a WiFi connection. This scenario is possible in my environment.
So, can AnyConnect GINA also manage a WiFi login before a user tries to get to a desktop for the first time?
The perfect scenario would be where we hand out emergency laptops to first time users, they connect to whatever WiFi they have access to (non-corporate), the VPN tunnel comes up and when they login, they login into the Windows domain, not locally.