Using Computer Only / Machine Authentication is indeed the easiest way to achieve objective 1.
To prevent domain computers on the Guest network, it is harder, as they don't authenticate on an open/PSK network typically used for Guest. One option is to use 'Update Endpoint' in the 802.1X service and put an attribute in the Endpoint database when a client does a successful Machine Authentication. Then in Guest you can check if the attribute is there (enable MAC authentication if you haven't yet) and either block or return a role/VLAN/captive portal redirect such that the user understands they should not be doing that. Another option is to use a Group Policy and push an SSID configuration for the same SSID name as your Guest, but with incompatible authentication parameters. For example, configure PSK with a bogus PSK, if the Guest network is open or PSK with another key. The good thing is that Windows (at least) will prevent users from connecting to such a network, and they can't remove the network configuration pushed by the GPO either, so pretty effective.
------------------------------
Herman Robers
------------------------------
Original Message:
Sent: Jul 14, 2021 06:50 PM
From: Bruno Costa
Subject: Clearpass only allow domain computers 802.1x service
Hi all,
I have a couple of questions regarding 802.1X services:
1. Is it possible to force only domain computers to connect to the corporate 802.1X SSID? Machine authentication?
2. On the guest SSID, is it possible to block domain computers from accessing the SSID (it's in another VLAN and in separate traffic from the Core)?
(This can also be done by GPO, I know that.)
------------------------------
Bruno Costa
------------------------------