In this case he only knows this for his own machines. But unless *all* devices support EAP-TLS (I haven't seen this on any network) he can't make sure that the user connects with domain-credentials from his personal PC. But I am completely with you that relaxing the requirements is the right way. Really achieving *this* goal is one of the hardest in the .1X implementation.