I have a customer who wants to integrate ISE with two separate Windows domains; they have no trust relationship. We can integrate with one of the domains and can make use of LDAP for the other, but can only get Machine Authentication working with the domain with the full integration. Machine authentication will not work with LDAP, only user authentication. The problem is the config of the switches places the client in the guest network as they fail machine auth, and then client auth is not recognised by the switch. I'm thinking about either not going direct to MAB if a user fails machine auth or disabling guest altogether, as the problem is a guest with a dot1x supplicant is not given guest access in a timely manner without this command. Another option I have thought about is to use the RADIUS token external identity store to talk to a Cisco ACS server attached to the other domain.
Any help would be greatly appreciated.