Nice thanks for the quick reply Tim!
It solved the problem however it broke my design :\
Here's the super high level design.
Open SSID for Self Device Reg.
CWP->Domain Cred auth form->Automatically registers the Users device and marks it as "known". If the device logs in later on it's now cached and they don't have the CWP applied.
If I do Allow All Mac all users are now redirected to CWP whether they're in the db or not and fall into the registration role. :\
I especially want this design for when open ssid encryption comes around.