It looks like I have two options; ClearPass is out, and DHCP fingerprinting, while doable, seems complicated with more probability of issues. Plus our environment is pretty basic. We only have machines in the AD that we want to connect to the corporate SSID, no phones or non-AD-aware equipment.
First option seems the most straightforward. I have tested this so far with only a few laptops, two of them XP. First, it appears that XP behavior is to authenticate with machine credentials, then user once the user logs in, and there is no option to change to computer only without a reg entry addition: http://support.microsoft.com/kb/309448. Windows 7 has options in the wireless config for user, computer, or user and computer. I applied that change to my test XP machines. Then I removed the user group from the RADIUS condition on our RADIUS server so that it only contains the OU for machines. We have a GPO that configures all the machines for the proper SSID and sets them to computer only (the computer only setting does not affect Win XP). Once this is done, all the test machines will authenticate and are visible on the controller as host\machine_name before any user has logged in, and stay that way once a user logs in.
The other option would be to follow this thread: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/802-1x-Machine-and-User-Authentication/td-p/8886, which I plan to test also. What I don’t like about this is that there seems to be a possibility of disconnects if a user stays logged into a machine for longer than the MAC hold time.
I’m leaning toward option 1.