I've been tracking down an issue that's been affecting a few systems with special setups. For the most part, these are machines using service accounts that can only log into specific machines. Following Tim's note in https://community.arubanetworks.com/t5/Security/AD-Account-Restricted-to-a-Workstation-in-Active-Directory/td-p/249136, we added the ClearPass servers to the "Allowed Logon" and everything worked fine.
Part of my concern is that we had a DHCP reservation for that machine, which Machine Authenticated and set the Port Authorized Role for it. Seconds later, the machine tries to Wired 802.1X and the user account had failed. My question is this: Does Windows 802.1X just get excited, say, "Hey I'm set up so I'm going to do things!" and then a CoA is sent, undoing the existing Machine Authentication? Is there a way of preventing this from occurring?