We have recently implemented NAP; however, we are experiencing problems: if a user has not logged on before on the desktop or laptop, they are unable to obtain an IP from DHCP, hence not being able to log in.
How can we implement NAP so that even if the domain or local user credentials are not cached, they are able to pick up an IP and log in for the first time?
Topics: Windows Server 2008, Network Security, Windows Networking
Craig Beck
Which method of 802.1X are you using: Computer Auth or User Auth?
btan
If you catch this, there are policies that may help:
"Noncompliant-Restricted": failing one or more SHV checks, NPS instructs the DHCP server to offer the client an IP lease with the special NAP "restricted" scope options.
"Policy for backwards compatibility": creates a rule that allows machines that are not NAP-aware to be granted normal access to the network (given default scope options by the DHCP server). This policy should be evaluated last and only needs to be created and enabled when such machines require network access.
"Policy using Exempt by MAC": uses a condition statement where the RADIUS client property of Calling Station ID matches the MAC address of those devices that require a NAP bypass. When a machine matches this policy statement, NPS will instruct DHCP to offer a lease with "normal" scope options.
We are using user auth. According to which group VLAN they are assigned, they get the IP via DHCP.
Craig Beck
Ok, if you're using User Auth, the non-cached clients might not be able to log in if the authentication request can't be processed because the PC can't talk to an AD DC.
Ok, do you have any documentation or links that you can share? This seems the right and most sensible approach. From experience, is this the most preferred method, to use computer auth with user auth?
btan
As long as you are using 802.1X, machine auth is needed using a machine cert. User auth is based on either password or cert depending on config. As mentioned earlier in my post, the bypass using MAC for the network policy via RADIUS should also be applicable.
Yep, as breadtan said, MAC auth can be used for PCs. However, it's a bit long-winded to add all the MAC addresses to AD for your machines. If you use computer certificates you can automate the process using Autoenrolment via GPO, and it's 100000 times more secure.
lhrslsshahi (ASKER)
Craig,
Looks like the computer authentication certificate seems to be the way to go.
Just to get a better understanding, in layman's terms, how does computer authentication get past the non-cached profile issue?
Currently only users who leave themselves logged in on the office PC are able to log in via RDP over VPN.
With computer authentication, will it get around this issue as well, so that if they don't remain logged in they can still access the PC via RDP?
Craig Beck
Users who haven't logged in can't authenticate to a DC because the PC has no network connectivity.
If you use computer authentication you allow the PC onto the network before a user has authenticated, so it has the network connectivity that is required to allow a non-cached user to authenticate to a DC prior to login.
http://technet.microsoft.com/library/cc753603(v=ws.10).aspx
The Machine Identity attribute group contains the Machine Identity attribute. With this attribute, you can specify the method with which clients are identified in the policy
Allowing unauthenticated access
If you choose to override the authentication settings that are configured in all network policies and to enable the connection request policy authentication setting Allow clients to connect without negotiating an authentication method, it is recommended that you also configure the connection request policy with the Authenticate requests on this server setting
Accept users without validating credentials. With this setting, NPS does not verify the identity of the user attempting to connect to the network and NPS does not attempt to verify that the user or computer has the right to connect to the network. When NPS is configured to allow unauthenticated access and it receives a connection request, NPS immediately sends an Access-Accept message to the RADIUS client and the user or computer is granted network access. This setting is used for some types of compulsory tunneling where the access client is tunneled before the user's credentials are authenticated.
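An added example (not code from this thread or from Microsoft): a PowerShell readiness check for the computer-authentication approach Craig describes, covering the Wired AutoConfig service, a valid machine certificate with the Client Authentication EKU, and the 802.1X profile mode, plus a MAC listing for btan's exempt-by-MAC policy. It assumes machine certificates come from an AD CS enterprise CA via GPO autoenrollment and that the switch sends Calling-Station-ID as a hyphenated MAC (vendor-dependent).

```powershell
# Added example: audit a domain-joined Windows client for 802.1X
# computer (machine) authentication readiness. Run elevated on the client.
# Assumptions: AD CS enterprise CA + GPO autoenrollment; NAS sends
# Calling-Station-ID in hyphenated form (check your switch's RADIUS logs).

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID

# 1. Wired AutoConfig (dot3svc) must be running for wired 802.1X at all.
$svc = Get-Service -Name dot3svc -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'Wired AutoConfig (dot3svc) service not found.'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "dot3svc is $($svc.Status); start it and set StartupType to Automatic."
} else {
    Write-Output 'dot3svc is running.'
}

# 2. A machine certificate with the Client Authentication EKU and a private
#    key must exist in the computer store and be within its validity period;
#    without it, machine auth fails and a non-cached user still cannot log on.
$now = Get-Date
$machineCerts = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
    }
if (-not $machineCerts) {
    Write-Warning 'No machine cert with Client Authentication EKU; check GPO autoenrollment (gpupdate /force; certutil -pulse).'
} else {
    foreach ($c in $machineCerts) {
        $state = if ($c.NotAfter -lt $now) { 'EXPIRED' }
                 elseif ($c.NotBefore -gt $now) { 'NOT YET VALID' }
                 else { 'valid' }
        Write-Output ('Machine cert {0} issued by {1}: {2} until {3}' -f
                      $c.Subject, $c.Issuer, $state, $c.NotAfter)
    }
}

# 3. Show the wired 802.1X profile(s); confirm the authentication mode is
#    "Machine or user authentication" so the PC authenticates before logon.
netsh lan show profiles

# 4. Physical adapter MACs in hyphenated Calling-Station-ID form, only needed
#    for the exempt-by-MAC network policy (the less secure fallback).
Get-NetAdapter -Physical | ForEach-Object {
    '{0}: {1}' -f $_.Name, ($_.MacAddress -replace ':', '-')
}
```

If step 2 reports no certificate on a machine that should have one, check that the certificate template grants Enroll and Autoenroll to Domain Computers before touching the NPS side.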