Please see the below vedio for configuring user and Machine Authentication with EAP Chaining

http://www.youtube.com/watch?v=7nzqN6ZRpJM

Hi,

You  may also use the below link,

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_45_multiple_active_directories.pdf

Machine Access Restriction and Active Directory Users:

Cisco ISE Release 1.1 contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authentication users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.

Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the “Time to Live” parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.

When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:

• If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a      

    successful authorization should be assigned.

• If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for    

    a successful user authentication without machine authentication should be assigned.

Hi

Cisco ISE allows you to restrict network access for user accounts that are based on authentication settings that you configure for attributes and passwords associated with the user accounts. When defining user accounts, you can manage network access in the following ways:

• Use pre-defined system attributes or create custom attributes

• Define authentication settings that form a password policy

By default, Cisco ISE is set up to provide internal administrator authentication. Therefore, to set up external authentication, you need to create a password policy for the external administrator accounts that you define on the external identity stores. You can then apply this policy to the external administrator groups that eventually become a part of the external administrator RBAC policy.

In addition to providing authentication via an external identity store, your network may also require you to use a Common Access Card (CAC) authentication device.

Next, you will need to create an external Active Directory or LDAP administrator group. This ensures that Cisco ISE uses the username that is defined in the external Active Directory or LDAP identity store to validate the administrator username and password that you entered upon login.

Cisco ISE imports the Active Directory or LDAP group information from the external resource and stores it as a dictionary attribute. You can then specify that attribute as one of the policy elements when it is time to configure the RBAC policy for this external administrator authentication method.

For more information regarding step by step configuration please go through this link:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf

Hello,

The Link below might help you for the machine authentication:-

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html