There are no GPO parameters that can stop 1X from working. If you disconnect/reconnect to the domain, this is probably refreshing something that's stale on AD. 802.1X is the victim here. Mind you, network access is not there, but this sounds like a supplicant problem.
From the log snippet, looks like the machine's password is aged out. And you mentioned you were doing machine-auth only.
For Active Directory by default, the machine password that the client receives from AD expires every 30 days. When this happens, the machine cannot get authenticated and there is no provision for the machine password to be regenerated over the EAP session between the client and Domain Controller. It's just broken and network access is denied.
There is a bug with regard to how NETLOGON interacts with MS-CHAP. The system simply fails to allow the expired machine password to be regenerated as is the case with User Authentication. AFAIK, there's no fix for this, even in Vista.
So for customers just trying to do MSFT Machine Authentication without User Authentication as fallback, it's not really a workable solution, unfortunately.
Hope this helps,
P.S. Can you try to enable user-auth to confirm this?
We are doing machine authentication only because it works fine under Windows XP and doesn't prevent GPO application at login or other things...
We have been working with this type of architecture on 3 workstations for a few months without problems.
We changed a parameter on the user account that allows us to prepare the laptop (parameter: Store password using reversible encryption) and it seems to solve the problem for newly installed laptops. I will test more when I have a new laptop.
Sorry, but I can't enable user authentication on the network for production reasons.