XMC EAC with 802.1X and Windows

Create a rule for machine login that checks the computer is a domain-joined machine. A Windows machine in a logged-out state prefixes its hostname with “host/” when it authenticates, and in order to authenticate the machine EAC needs to perform a User lookup in Active Directory.

This lookup uses the servicePrincipalName attribute, so an LDAP authentication rule should be added that matches usernames of the form host/* and searches AD using an LDAP Configuration that looks up the servicePrincipalName. This means an additional LDAP Configuration is needed to look up machines and validate that they are allowed on the network. It can still use the same LDAP server as for User logins, but the attributes searched will be different.

This is covered by the following GTAC solution, which can be referenced and used for your own XMC EAC implementation. The key point to note is that in the End Systems table the Username column shows different information when nobody is logged into the machine and when somebody is logged into it. This is why two LDAP Configurations are needed: one that covers Machine logins (servicePrincipalName) and one that covers Machine (cn) and User (sAMAccountName) logins.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-authorise-Windows-domain-user-computer-using-802-1x-and-LDAP-lookups-to-ensure-the-user-AND-computer-is-in-the-domain-denying-access-to-users-with-valid-domain-credentials-on-BYOD-devices
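As an added illustration (not code from the post, the GTAC article, or XMC itself), the following Python models the two lookups: a host/* identity is resolved by servicePrincipalName, any other identity by sAMAccountName or cn after the domain part is stripped. The directory objects, hostnames and the CORP domain are constructed sample data.

```python
import re

# Constructed stand-in for a few AD objects (not real directory data).
DIRECTORY = [
    {"objectClass": "computer", "cn": "PC1", "sAMAccountName": "PC1$",
     "servicePrincipalName": ["HOST/PC1", "HOST/PC1.corp.example"]},
    {"objectClass": "user", "cn": "Alice Smith", "sAMAccountName": "asmith"},
]

def escape(value):
    """Escape RFC 4515 metacharacters so a supplicant-chosen identity cannot
    change the shape of the filter (e.g. turn it into a wildcard search)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def classify(username):
    """Map an 802.1X identity, as shown in the EAC End Systems Username column,
    to (rule, attributes, value). A logged-out Windows host sends host/<fqdn>,
    matched by the machine rule on servicePrincipalName; anything else is a
    user login, matched on sAMAccountName or cn after the domain part
    (CORP\\user or user@corp.example) is removed."""
    if username.lower().startswith("host/"):
        return "machine", ["servicePrincipalName"], username
    if "\\" in username:
        username = username.split("\\", 1)[1]
    elif "@" in username:
        username = username.split("@", 1)[0]
    return "user", ["sAMAccountName", "cn"], username

def ldap_filter(username):
    """The search filter each LDAP Configuration would send to AD."""
    _, attrs, value = classify(username)
    terms = "".join(f"({a}={escape(value)})" for a in attrs)
    return terms if len(attrs) == 1 else f"(|{terms})"

def find_entry(username):
    """Evaluate the same match against the in-memory directory; AD compares
    these attributes case-insensitively, so the stand-in does too."""
    _, attrs, value = classify(username)
    for entry in DIRECTORY:
        for attr in attrs:
            stored = entry.get(attr, [])
            stored = [stored] if isinstance(stored, str) else stored
            if any(s.lower() == value.lower() for s in stored):
                return entry
    return None

def in_domain(username):
    """True when the identity resolves to a domain object and the rule would
    accept it; a BYOD laptop's host/ identity has no SPN in AD and is denied."""
    return find_entry(username) is not None
```

Running `in_domain("host/PC1.corp.example")` and `in_domain("CORP\\asmith")` both return True, while a host/ identity for a machine that is not in the directory returns False.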
