To summarize:
Machine authentication uses the computer account in Active Directory for authentication, this can be username password (which is automatically set by Windows and AD, and is not visible to the user). For that reason it cannot be spoofed.
An Android device is not registered/managed in Active Directory, so it will NOT have a computer account, and will not be able to do device authentication. It can only do user authentication.
If you have ClearPass, manage your access based on [Machine Authenticated] and [User Authenticated]. If both roles are collected, you know that the system has both authenticated with the Computer account, and with the User account (two authentications from the same system). In most situations, you will NOT enforce machine authentication on the controller, because ClearPass is much more flexible and allows you to make all kinds of exceptions, like taking profiler data, MDM data, and much more, into account during the authentication. On the controller, you can set a single role for systems that only do machine authentication, a single role for systems that do user authentication (only), for systems that do both a dynamic role can be supplied during the authentication.
You may consider configuring Active DIrectory managed computers to authenticate with just the machine account (Computer only in the settings for your WLAN), as this does not require Windows to do a new authentication once a user logs in. This only makes sense if all users on corporate computers have the same level of access, as the authentication/access is only derived from the computer or machine.
Herman