Why not separate it by student and employee user as opposed to machine so that they have their proper access based on where they are logged in and not the device itself?
If you still want to do machine-based, can you confirm which certificates are being issued - you can do machine and user certs and then you should be able to choose which one to use for authentication.
You don't need UserDN to do your logic, you can also use MemberOf, which includes "Students" in your attachment. I assume employees would have something similar.