That is not a good flowchart. If this is 802.1X, and a device fails authentication (machine or otherwise), it does not get an IP address, so there is nothing to redirect anywhere.
A device cannot be prompted to machine authenticate. It can attempt with a username of host/<machine name>. Again, if it fails, it doesn't get an IP address, so there is nothing to redirect.
If your customer only wants an SSID ONLY for devices that can machine authenticate, they should only accept devices in the domain machines AD group and reject everything else.