customer has a wireless solution consisting of a AIR-WLC4402-50-K9 with software 126.96.36.199, several AIR-LAP1131AG-E-K9 Access Points , Cisco ACS 4.0, Windows 2003 Active Directory and a Microsoft CA.
WLC & ACS are configured for PEAP(MS-CHAPv2) plus machine authentication on acs.
on wlan-clients (mostly centrino-notebooks) this security solution configured with windows configuration service works fine...host AND user (both!) must successfully authenticate themselves against acs to gain access.
but with intel wireless proset-software version 11.1 it's enough to successfully authenticate as host OR user (not both!). this looks like a bug and is a really heavy security hole.
Microsoft PEAP clients also initiate machine authentication whenever a user logs off. This prepares the network connection for the next user login. Microsoft PEAP clients may also initiate machine authentication when a user has selected to shutdown or restart the computer rather than just logging off. Refer URL