If you have WPA2-Enterprise configured then the exec machines are authenticating - even if it is single sign on using their Windows login name. You just need to create an extra rule on your RADIUS server to match the "Exec" group in AD, and assign the additional FilterId attribute.