Excuse me for my lack of understanding, but what do you mean by machine certificates? Deploy certs to do EAP-TTLS, authenticating the machine with the cert and then the user with the inner method? If this is the case, it won't do since I have Windows 7 machines too that do not support EAP-TTLS out of the box (W8+ do).
Also, do you think my two previous proposals (WMI profiling or NAC based for double auth) could work or are just wishful thinking?
Sorry, I always had so many questions on this matter. It would be awesome if you could write one of those masterpieces you do on this topic of customers wanting to restrict access to the network by both machine and user using the standard Windows supplicant (shameless request for your spare time to be wasted on our problems).
[EDITED] I think I messed up my EAP-TTLS concepts. No machine certs for EAP-TTLS, I believe. Reading through the RFC now to learn (https://tools.ietf.org/html/rfc5281). Still confused on the machine certs.