What I want to do: Lock the Tech VLAN so that only one approved device AND one user from the technical security group are allocated. I hope to achieve this via EAP-TTLS and Windows NPS, where the machine provides the tunnel and then the user authenticates using their normal AD credentials? I do not want the Tech VLAN to be accessible by a non-professional device.
What do you recommend to me?
Edit: I feel like I have misconstrued this. The Tech VLAN is just the VLAN I am testing. I want all devices to authenticate through the default machine authentication so that they can access basic resources such as AD / SCEP etc. But when the user logs in to the device, the machine is allocated to the correct security VLAN. The problem is, I don't want those same credentials to authorize BYOD devices. I hope this makes more sense.