David,
I read two topics in your question: 1) how to allow domain computers to access the domain controllers before the login, so that users that never logged in before on the computer can be validated and authenticated to the domain. 2) how to join the computer to the domain if there is no connection (classical chicken-egg problem).
In order to join a client to the domain, IP connectivity between the client and the domain controller(s) is required. There are many ways to achieve that. What most companies do (in my experience) is connect the clients either to wired 'staging' ports to join the system to the domain, which can be done from the unauthenticated VLAN as well, which can also be used to PXE image the system. You can even create an automatic whitelist to which the client is automatically added as soon as it does a domain authentication, and use that whitelist to place the clients in a PXE staging VLAN that allows both the imaging and the domain join.
As you are explicitly looking for a wireless method, you basically have the choice of three: open, WPA2-PSK, WPA2-Enterprise; and allow access to the domain controllers from those networks. As you may have noticed, connecting to a WPA2-Enterprise network from a non-domain system can be pretty challenging; so I would avoid that route myself, but it is possible as long as it provides IP connectivity to the domain controllers to do the domain join.
For the other item, it caught my attention that you are considering moving from TLS to MS-CHAPv2. MS-CHAPv2 has been broken (since 1999 already) and should not be used unless you have full control over the endpoints to prevent the client from connecting to a rogue authentication server. As you are speaking about domain computers, this full control might be the case if you deploy everything right. Just want to make sure the risks of MS-CHAPv2 are clear to you. Check https://www.youtube.com/watch?v=50fO3j4NgyQ to see what happens if you do not have control or do not configure it properly.
The way to solve the issue of pre-login access is to deploy computer certificates. And if you want to switch to user authentication as well, you should have client certificates as well. This all can be done with Microsoft Certificate Services (MSCS) and group policies.
The flow would be that before the user logs in, the computer authenticates with its computer certificate and you can allow the client access to the domain controller and other services that need to be present before login (DNS, update services, etc.); then you either use computer authentication only or if you need user authentication you can switch to the user certificate.
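
An added example, not part of the original post: a Python check over a Windows WLAN profile XML (the format `netsh wlan export profile` writes) for the settings this answer depends on, namely machine authentication before logon, the EAP method, and pinned server validation. Both profiles are constructed and trimmed to the elements checked; the server name and thumbprint are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed profiles in the shape of a Windows WLAN profile export.
# Real exports carry more elements; only the ones audited are kept here.
TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <authMode>{mode}</authMode>
   <EAPConfig><Eap><Type>{outer}</Type><EapType>
    <ServerValidation>
     <DisableUserPromptForServerValidation>{noprompt}</DisableUserPromptForServerValidation>
     <ServerNames>{names}</ServerNames>{ca}
    </ServerValidation>{inner}
   </EapType></Eap></EAPConfig>
 </OneX></security></MSM>
</WLANProfile>"""
WEAK = TEMPLATE.format(mode="user", outer=25, noprompt="false", names="",
                       ca="", inner="<Eap><Type>26</Type></Eap>")
STRONG = TEMPLATE.format(mode="machineOrUser", outer=13, noprompt="true",
                         names="radius.example.test",  # placeholder name
                         ca="<TrustedRootCA>aa bb cc</TrustedRootCA>", inner="")

EAP_NAMES = {"13": "EAP-TLS", "25": "PEAP", "26": "EAP-MSCHAPv2"}

def audit_profile(xml_text):
    """Return (eap_methods, findings) for one WLAN profile XML string."""
    vals = {}
    # Index element text by local tag name so nested namespaces do not matter.
    for el in ET.fromstring(xml_text).iter():
        vals.setdefault(el.tag.rsplit("}", 1)[-1], []).append((el.text or "").strip())
    first = lambda name: (vals.get(name) or [""])[0]
    types = dict.fromkeys(vals.get("Type", []))  # de-duplicate, keep order
    methods = [EAP_NAMES.get(t, "type " + t) for t in types]
    findings = []
    if "EAP-MSCHAPv2" in methods:
        findings.append("MS-CHAPv2 password authentication in use")
    if not first("ServerNames"):
        findings.append("no authentication server name pinned")
    if not any(vals.get("TrustedRootCA", [])):
        findings.append("no trusted root CA pinned")
    if first("DisableUserPromptForServerValidation") != "true":
        findings.append("user may accept an unknown server certificate")
    if first("authMode") not in ("machine", "machineOrUser"):
        findings.append("no machine authentication before logon")
    return methods, findings

if __name__ == "__main__":
    for label, profile in (("weak", WEAK), ("strong", STRONG)):
        print(label, *audit_profile(profile))
```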