Wireless Authentication

This last year I upgraded our systems from a completely wired network to a roaming wireless network. I chose to go with the HP ProCurve products as they fulfilled the organizational needs and were considerably cheaper than the Cisco counterparts. Setting up the wireless infrastructure required mapping out locations to plan for optimal wireless crossover when roaming between APs, which also helped plan the wireless channel use. I also ran active tests in the locations where wireless would be installed to sniff out other wireless networks and ensure that we did not overlap channels.
Once the units were installed, I configured them with SSIDs that corresponded to our RADIUS servers at each location, and set the RADIUS servers to authenticate with the highest level of encryption based on AD.
This worked really well: users were popping right onto the wireless as soon as the group policies were applied. Throw away the network cables, right? Not so quick.
An important, yet often overlooked, point is WHICH credentials to use for authentication. If you just authenticate the wireless off the user account, then two things happen:

1) If the user changes their password from webmail or remotely in some other way, they will not be able to authenticate wirelessly on their machine.
Example: The user leaves the office on Friday, and their password expires on Saturday. On Sunday they log in to some EWS application and change their password according to the requirements. On Monday they come in to use their computer (which has no LAN connection) and cannot log in, because their cached password differs from the password on the server: the user logs in (not connected, with the cached password) and that cached password is rejected by the RADIUS server because of the change over the weekend.

2) If you have machines in a wireless-only environment, users who do not have precached credentials cannot log in.
Example: We have loaner machines that we use if a user's main machine needs service, etc. In a user-authenticated environment, the user cannot log in to a machine that does not have their credentials precached. The workaround is to use a LAN connection for the initial sign-in, then, once the wireless connects based on their user account, unplug the LAN.

Obviously there are some major problems with a wireless network that ONLY uses AD username/password for credential checking.
The solution is that with WPA2 (Enterprise) you can also authenticate computer accounts from a set of AD computer OUs. This means that the machine will connect to the wireless network whether a user is logged in or not. At that point a user can log in to the domain-joined, OU-specific machine and work away.
This solves the two issues described above. We set ours to authenticate off of a user or computer, preferring a computer connection. This way users with smartphones, etc. can still authenticate even though those devices don't have prestaged computer accounts.