I have a customer that has ACS v4.2 which is authenticating users for a Wireless LAN controller with 802.1x PEAP. We are able to get Machine Auth/User Auth working, but only with an OR operator and not an AND operator. We want it to be so that in order for users to access the wireless, the laptop must be part of Domain Computers AND Domain Users....not Domain Computers OR Domain Users.
Right now I have Domain Computers mapped to Group 1 and Domain Users mapped to Group 2... if you have a non domain PC, you can login with your domain user credentials and thats not the desired behavior.
I tried mapping Domain Computers and Domain Users to the same group and users get stuffed into the Default group and don't authenticate.