What I want to do: Lock down the Tech VLAN so that only an approved device AND a user in the tech security group are allocated to it. I am hoping to achieve this via EAP-TTLS and Windows NPS, whereby the machine provides the tunnel and then the user authenticates using their normal AD credentials. I don't want the TECH VLAN to be accessible by a non-company device.
What do you recommend that I do?
Edit: I feel like I described this poorly. The Tech VLAN is just the VLAN I am testing. I want all devices to authenticate via machine auth by default so they can access basic resources such as AD / SCEP etc. But then, when the user signs into the device, the machine is allocated to the right security VLAN. The problem is that I don't want those same credentials to allow BYOD devices. I hope this makes more sense.
Edit 2: Thanks to anyone who looked into this. With no answer and new devices needing to go out ASAP (COVID-19 shutdown), I decided to simply put the staff devices into the correct group and disable PEAP altogether. I found this: Add device to group at deployment, which I hope will be helpful.