We ended up nesting domain-computers & domain-users under the same AD group. Called it domain-dot1x and used that for the ACS group matching. Works great. One caveat: had a few random issues w/ the ACS remote agent running on the domain controller. Seems after some time (months usually) the agent stops processing machine (computer) accounts, but will continue to authenticate user accounts. Upgrading to 4.1.4 this weekend to see if that helps.
I'm curious: what client/supplicant are you using? We're trying to do something similar, PEAP & ACS, but it seems like only the Windows XP supplicant sends machine credentials and thus those are the only machines that authenticate.
Other clients we've tried are Cisco ADU, Juniper Odyssey & a Dell supplied utility.
Enabling Machine Access Restriction stops all but the XP clients.
You need to point it to your domain in your global authentication. It then should query AD and find the machines. This works fine for us with 100+ machines. We are doing EAP-TLS but it shouldn't matter.
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...