1) Machine auth against an IC can happen at L2 (802.1x) The auth server type used on the IC MUST be AD, not LDAP. I know that "AD" has LDAP capabilities, but you can not do machine auth with an IC with an auth server of type LDAP pointing at an AD. The reason has to do with the type of auth being done. Its not possible to perform the type of auth over LDAP, only via the auth means employed by an auth server of type AD.
2) Machine auth with Machine credentials is possible with the OAC supplicant at L2 (802.1x, thus pre-IP address)
3) Yep, you can get machine GPO's. You can leave machine auth up if you only desire to auth the machine to the network. Some people like to auth the machine, and then auth the user. This is a more complex config as the timing can get a little awkward to make sure user GPO's get applied correctly since the supplicant has to disconnect the machine 802.1x auth, and authenticate as the user (this involves a small break in L3 network connectivity.) It works, but it can get a little tricky depending on your network setup and GPO configuration. I would strongly recommend testing this on your network before putting into production.
4) Yes this can work with the caveats mentioned in 3)
wow ... quick reply ... thanks so much !!! You've answered all my questions perfectly
Just one final question - is it recommended to do both machine auth and user auth ? Or is the OAC machine auth considered to be reliable enough on it's own ? I'm just thinking of this from the point of view of rogue machines getting on the network
Thanks again, really do appreicate the help
It really depends on the security problem you are trying to solve.
If you are only worried about which workstations are on your network, then you only need machine auth. If you use domain logins for all the workstations, you don't have to do user network auth as they will still require authentication to get logged into the workstation. If you want to have different vlans for users vs computers, then you'll need to do machine auth and then switch to user auth.
All is configurable in the Odyssey Administrator.