I’ve recently used CTA 2.1 with the 802.1x supplement, first the machine would authenticate upon boot up and then when the user logged in they would be re-authenticated and any particular user settings would be applied. This was all evident in the ACS logs. However it seems when using native 802.1x on an XP machine with no CTA, first the machine authenticates but when the user logs in there is no re-authentication of the user. If I shutdown or disconnect the connected switch port and enable or reconnect it then the ACS logs show the user authentication taking place. Well I soon found out that if you want dual authentications (machine & user on log in) like it seemed to do with the 802.1x CTA you’ll need to enable EAPOL-Starts on the machine.