I have been having a random problem for a while now with machine authentication with dot1x.
Our switches are configured for dot1x VLAN assignment (VLAN 11 for authenticated users and VLAN 17 for guest or failed authentication). I get calls from users randomly who get assigned IP addresses from VLAN 17 when they should be getting them from VLAN 11.
ACS failed logs report "External DB user invalid or bad password" and Windows event logs on the domain controllers confirm this.
After a little research and a few TAC cases, automatic computer account password changes in AD seem to be the culprit. What I do not understand is why this happens on desktop machines that stay plugged into the network 24/7.
Is anyone else seeing this type of activity? Is there a way to enter user credentials as a backup if the machine authentication fails?
My current workaround is disabling dot1x on the port for a day or so, which gives time for the passwords to resync, but this becomes a pain.
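The check a practitioner would want before disabling dot1x on the port is whether the desktop's machine account password actually disagrees with what the domain controllers hold, and how old it is relative to the Netlogon rotation interval. The script below is an added example, not code from the original post or from Cisco or Microsoft; it assumes it is run as an administrator on the affected domain-joined Windows desktop, that the ActiveDirectory RSAT module is installed for the PasswordLastSet lookup, and that the machine can reach a domain controller (for example while the port is temporarily out of dot1x, as in the workaround above). The function name and its $Repair switch are hypothetical names chosen for this example.

```powershell
# Added example (not the poster's own code). Assumptions: run elevated on the
# affected domain-joined desktop; ActiveDirectory module available; a DC reachable.
function Test-MachineAccountSync {
    param(
        # Hypothetical switch: when set, repair a broken secure channel in place
        # instead of waiting a day for the password to resync.
        [switch]$Repair
    )

    # Netlogon rotates the computer account password every MaximumPasswordAge
    # days (30 by default) unless DisablePasswordChange is set to 1. Both are
    # documented REG_DWORD values under this key.
    $netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $maxAgeDays = if ($null -ne $netlogon.MaximumPasswordAge) { [int]$netlogon.MaximumPasswordAge } else { 30 }
    $rotationDisabled = ($netlogon.DisablePasswordChange -eq 1)

    # What AD believes about this computer object (needs RSAT ActiveDirectory).
    # If the lookup fails (DC unreachable from the guest VLAN, for instance),
    # record that rather than aborting the health check.
    $lastSet = $null
    $ageDays = $null
    try {
        $computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet -ErrorAction Stop
        $lastSet  = $computer.PasswordLastSet
        $ageDays  = [int]((Get-Date) - $lastSet).TotalDays
    } catch {
        Write-Warning "AD lookup failed: $($_.Exception.Message)"
    }

    # Does the local machine secret still match the domain controllers? This is
    # the same credential the 802.1X supplicant presents for machine auth, so a
    # False here lines up with the 'bad password' seen in the ACS failed log.
    $channelOk = Test-ComputerSecureChannel

    $result = [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        PasswordLastSet    = $lastSet
        PasswordAgeDays    = $ageDays
        MaxPasswordAgeDays = $maxAgeDays
        RotationDisabled   = $rotationDisabled
        SecureChannelOk    = $channelOk
        Repaired           = $false
    }

    if (-not $channelOk -and $Repair) {
        # -Repair resets the machine account password locally and on the DC in
        # one step, which is the resync the poster currently waits a day for.
        $null = Test-ComputerSecureChannel -Repair
        $result.SecureChannelOk = Test-ComputerSecureChannel
        $result.Repaired = $result.SecureChannelOk
    }
    return $result
}

# Read-only health check; add -Repair on a machine that reports SecureChannelOk = False.
Test-MachineAccountSync
```

A PasswordAgeDays close to MaxPasswordAgeDays on a machine that lands in VLAN 17 is the pattern to look for: the desktop has just rotated its password, and the RADIUS server validated the EAP machine credential against a domain controller that had not yet seen the change. Repairing the secure channel brings the two sides back into agreement immediately, so the port can stay in dot1x; setting DisablePasswordChange only trades the symptom for a permanently static machine credential, which is a weaker position than fixing the sync.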