The ideal solution to avoid non-domain machines is to put Machine Access Restriction on the ACS. Where in the user has to pass machine authentication and user authentication from the same machine to be allowed access to the network, else if the machine authentication fails (for iphones or non-domain machine) and only user authentication passes-- ACS will deny the user connection.
Here is the details of this feature:
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1053213
Snip:
"ACS machine access restriction (MAR) features use AD to map machine authentication to user authentication and authorization, and sets a the maximal time allowed between machine authentication and an authentication of a user from the same machine. Most commonly, MAR fails authentication of users whose host machine does not successfully authenticate or if the time between machine and user authentication is greater than the specified aging time. You can add MAR as a condition in authentication and authorization rules as required."
Hope that helps!
Regards,
~JG
Do rate helpful posts