We have a customer using an ACS SE 4.0 with a bought SSL cert from Geotrust installed, authenticating to AD using PEAP security. We've found that a user can still authenticate using their domain credentials from a non-domain PC. Not good.
We've found the Machine Access Control function in ACS which blocks users with legitimate credentials from authenticating using a rogue PC, so far, so good. This checks the AD domain for machine accounts, and no machine account = no access. BUT the customer has a number of machines that are not part of the AD domain (Macs and Linux), so they get blocked too.
My question is: what other means are there of controlling this? The customer has many small sites and, as it stands, although PEAP is implemented and working, there's nothing to stop an employee bringing in their own laptop and using their domain credentials to get authenticated to the WLAN.
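Added illustration, not part of the original post and not ACS code: a toy model of the Machine Access Restriction (MAR) decision described above, to make clear why the Macs and Linux boxes get caught. ACS does not look up a machine account at user-logon time; it caches each successful PEAP machine authentication (the `host/<name>` identity) keyed by the endpoint's Calling-Station-Id, and a later user authentication from that endpoint only passes while the cached entry is younger than the aging time. An endpoint that never does a machine auth, whether a corporate Mac or an employee's personal laptop, looks identical to MAR. ACS 4.x can map such users to a fallback group instead of rejecting them; the class, method and parameter names below are this example's own, the MAC addresses and hostnames are made up, and the aging default is an assumption.

```python
"""Toy model of ACS 4.x Machine Access Restrictions (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

Decision = Tuple[str, Optional[str]]   # ("accept"|"reject", assigned group)


@dataclass
class MarPolicy:
    # Field names are this example's, not the ACS configuration names.
    aging_seconds: int = 12 * 3600                  # assumed aging time
    no_machine_auth_group: Optional[str] = None     # None = reject the user


class MarEngine:
    def __init__(self, policy: MarPolicy, domain_computers: Iterable[str]) -> None:
        self.policy = policy
        # Computer accounts that exist in AD (simulated domain lookup).
        self.domain_computers = {c.lower() for c in domain_computers}
        # Calling-Station-Id -> time of last successful machine auth.
        self.cache: Dict[str, int] = {}

    def machine_auth(self, calling_station_id: str, identity: str, now: int) -> bool:
        """PEAP machine auth: succeeds only for host/<name> with an AD computer account."""
        name = identity.lower()
        if not name.startswith("host/"):
            return False
        if name[len("host/"):] not in self.domain_computers:
            return False
        self.cache[calling_station_id] = now
        return True

    def user_auth(self, calling_station_id: str, password_ok: bool, now: int) -> Decision:
        """User auth: valid creds alone are not enough; the endpoint must have a fresh machine auth."""
        if not password_ok:
            return ("reject", None)
        seen = self.cache.get(calling_station_id)
        if seen is not None and now - seen <= self.policy.aging_seconds:
            return ("accept", "Domain Users")
        if self.policy.no_machine_auth_group is None:
            return ("reject", None)
        return ("accept", self.policy.no_machine_auth_group)


def run_scenarios(fallback_group: Optional[str]) -> Dict[str, Decision]:
    """Replay the poster's situation against the model and return each outcome."""
    engine = MarEngine(MarPolicy(no_machine_auth_group=fallback_group),
                       domain_computers=["ws01.corp.example"])   # constructed AD contents
    t = 1_000_000
    results: Dict[str, Decision] = {}
    # Domain-joined Windows laptop: machine auth at boot, then the user logs on.
    engine.machine_auth("00-11-22-33-44-01", "host/ws01.corp.example", t)
    results["domain laptop"] = engine.user_auth("00-11-22-33-44-01", True, t + 60)
    # Corporate Mac: no AD computer account, so it never has a cached machine auth.
    results["corporate mac"] = engine.user_auth("00-11-22-33-44-02", True, t + 60)
    # Employee's personal laptop with valid domain creds: indistinguishable from the Mac.
    results["personal laptop"] = engine.user_auth("00-11-22-33-44-03", True, t + 60)
    # Same domain laptop after the aging window: the cached machine auth has expired.
    results["domain laptop stale"] = engine.user_auth("00-11-22-33-44-01", True, t + 13 * 3600)
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios(None).items():
        print(f"reject-mode  {label:20} -> {outcome}")
    for label, outcome in run_scenarios("Restricted").items():
        print(f"fallback     {label:20} -> {outcome}")
```

Running it in reject mode shows the domain laptop accepted and both the Mac and the personal laptop rejected; switching to a fallback group lets the Mac in, but puts the personal laptop in exactly the same group, which is the core of the problem: MAR keys on a prior machine authentication, so anything that distinguishes the customer's own Macs from a stranger's laptop has to come from something those Macs can present and the stranger's laptop cannot.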