Please see the table on page 200 of the AOS 6.2 user guide which shows the combinations of user and machine authentication.
Non-domain devices will not be able to machine authenticate so you'll want to only allow devices that machine and user authenticate.