Yeah, totally. I'll make it two services. If machine-auth, let it into my "walled garden" VLAN that can just hit AD and ClearPass... allowing me to do "on-net" logins. Then once it gets into Windows it should flip over to user-auth, at least that's my understanding of this all. Not sure if I'd have to do a CoA?
My switch 802.1x config looks like such:
authenticator {
    authentication-profile-name ClearPass;
    interface {
        User-Access {
            supplicant multiple;
            transmit-period 5;
            mac-radius;
            reauthentication 600;
            server-timeout 3;
            maximum-requests 3;
            guest-vlan CP-INITIAL;
            server-fail use-cache;
        }
    }
}