I'm at a crossroads here and I could use some help.
Our Active Directory system is set up very flat and most GPOs are at the root of the domain. We use filtering to keep them from applying to specific user and computer groups. When necessary, we will implement a different GPO in a sub-OU. We are in a school district, so we want to filter staff and students in different ways. In this case, we have a wireless GPO that requires user authentication at the root of the domain.

My network guy explains this is because Aruba and RADIUS will not see the AD authentication in time and will dump the user into the wrong (student) VLAN if it doesn't have the AD credential, so we must use user auth and not machine auth. Then if we have, say, a room full of student machines, we create an OU, place the wireless laptops in there, create a machine auth GPO and add it to the folder. If it's a student computer, we don't care if it gets dumped into the student VLAN.

The problem with this setup is that in order to user-auth into a brand-new imaged machine, you have to plug into the wall to do an initial login and cache the credentials; otherwise you will never get the wireless to work. This is problematic and inconvenient, and it seems like we should not have to do this.

The desired behavior would be to have the root GPO use machine auth and dump the authenticated staff members into the correct VLAN.
I'm not an expert at AD, or wireless GPO authoring.
I'm not sure if trying User and Computer auth would solve this problem, or perhaps setting "Always wait for the network at computer startup and logon" to Enabled.

Any advice appreciated.
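Before changing either GPO, it helps to see what a client is actually configured to do. The following PowerShell audit script is an added example, not code from the original post or from anyone replying to it: it exports the machine's wireless profile with `netsh`, reads the 802.1X `authMode` (`machine`, `user` or `machineOrUser`) from the profile XML, and reads the registry value that the "Always wait for the network at computer startup and logon" policy sets (`SyncForegroundPolicy` under the Policies Winlogon key). The profile name `DistrictWiFi` is an assumption; run it elevated on a domain-joined client.

```powershell
# Added example (not from the original post): audit what a domain-joined Windows
# client will do for 802.1X wireless authentication and foreground policy processing.
# Assumptions: the wireless profile is named 'DistrictWiFi'; the script runs elevated.

param(
    [string]$ProfileName = 'DistrictWiFi'   # assumed profile/SSID name, change to yours
)

function Get-WirelessAuthMode {
    param([string]$Name)

    # netsh writes the profile as XML into the folder and chooses the file name itself,
    # so the script reads back whatever file it produced.
    $exportDir = Join-Path $env:TEMP ("wlan-audit-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
    try {
        netsh wlan export profile name="$Name" folder="$exportDir" | Out-Null
        $xmlFile = Get-ChildItem -Path $exportDir -Filter '*.xml' | Select-Object -First 1
        if (-not $xmlFile) { throw "No wireless profile named '$Name' exists on this machine." }

        [xml]$doc = Get-Content -Path $xmlFile.FullName
        $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('ox', 'http://www.microsoft.com/networking/OneX/v1')

        # authMode lives under MSM/security/OneX. Possible values: machine, user, machineOrUser.
        $node = $doc.SelectSingleNode('//ox:OneX/ox:authMode', $ns)
        if ($node) { $node.InnerText } else { 'not set (no OneX block, or element omitted)' }
    }
    finally {
        Remove-Item -Path $exportDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

function Get-WaitForNetworkPolicy {
    # "Always wait for the network at computer startup and logon" (Computer Configuration >
    # Administrative Templates > System > Logon) writes SyncForegroundPolicy=1 here.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name SyncForegroundPolicy -ErrorAction SilentlyContinue).SyncForegroundPolicy
    if ($null -eq $value)  { 'not configured (asynchronous foreground logon, the default)' }
    elseif ($value -eq 1)  { 'enabled (logon waits for the network and for GPO processing)' }
    else                   { "unexpected value $value" }
}

$report = [pscustomobject]@{
    Profile        = $ProfileName
    OneXAuthMode   = Get-WirelessAuthMode -Name $ProfileName
    WaitForNetwork = Get-WaitForNetworkPolicy
}
$report | Format-List

# How to read the result:
#  - OneXAuthMode 'user': nothing is sent to the access point until a user signs in,
#    so a freshly imaged laptop with no cached domain credentials can never join the
#    network on its own (the "plug into the wall first" symptom).
#  - 'machineOrUser': the computer account authenticates at boot, before anyone logs on,
#    and Windows re-authenticates with the user's credentials after sign-in.
#  - WaitForNetwork 'enabled' makes logon wait for the network and Group Policy, but it
#    does not by itself put any credential on the wire before a user logs on.
```

Run it on one staff laptop that shows the symptom and on one student laptop under the sub-OU; if the staff machine reports `OneXAuthMode user`, the profile itself is what prevents a pre-logon connection, independent of the wait-for-network setting. Whether a `machineOrUser` profile then lands staff in the right VLAN depends on how the RADIUS server treats the second (user) authentication, which this script cannot see and which the network team would need to confirm on the Aruba/RADIUS side.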