So I've got two "network policies" currently.
The first for "Secure wireless connections", which has conditions for NAS port type 802.1x wireless and membership in domain users or domain computers.
The second for "Junos devices" which only checks for group membership.
Now... if I set management authentication to use the server group for radius that I'm currently using my AAA profile, it appears to be allowing all users as if it's matching the first policy. I wouldn't think management access would match that rule if the user's not coming in over an 802.1X secured port or SSID.