Yes, my enforcement profiles contain the user role and machine role.
In production with my Win NPS server, the following happens:
1. Machine authenticates > machine role assigned
2. User authenticates > authenticated role assigned (default dot1x role)
In my test CPPM lab, the following happens:
1. Machine authenticates > machine role assigned
2. User authenticates > user role assigned