I suppose that is pretty clearly described in Instant UG:
Enforce Machine Authentication - You can assign different rights to clients based on whether their hardware device supports machine authentication. Machine Authentication is only supported on Windows devices, so this can be used to distinguish between Windows devices and other devices such as iPads.
- Machine Auth only role - This indicates a Windows machine with no user logged in. The device supports machine authentication and has a valid RADIUS account, but a user has not yet logged in and authenticated.
- User Auth only role - This indicates a known user or a non-Windows device. The device does not support machine auth or does not have a RADIUS account, but the user is logged in and authenticates.
When a device does both Machine and User authentication, the user gets the default role or the derived role based on the RADIUS attribute.
To configure Machine Authentication, do the following:
1. In the Roles window, create a role for Machine auth only and User auth only.
2. Configure Access Rules for these roles by selecting the role, and applying the rule.
3. Select Enforce Machine Authentication and specify these two roles.
4. Click Finish to apply these changes.
HTH