The Windows clients can be configured to log on with machine
credentials. For this, they will need accounts in AD. This has been
tested to work with FreeRADIUS for a while.
I haven't done it myself, but search the net & docs. It does work.
Once that happens, the switch thinks that the machine is
authenticated, and may not re-do authentication for the user. There's
very little you can do in this case.
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html