You must be doing machine authentication for your domain login to succeed (login scripts).
Is your RADIUS server allowing machine authentication, and are your 802.1x clients set up for machine authentication? At minimum, that is necessary to run login scripts or to log in to a machine that a user has never logged in to before.
Since there is no 802.1x connection before a user authenticates, 802.1x will not allow a domain login, UNLESS the machine authenticates first, when the user is at the Ctrl-Alt-Delete screen.
Users who have logged into the machine successfully before will have their username and password cached and a profile built ahead of time, so they will not see that "no domain login" prompt. New users will not be able to log in, however, unless you have machine authentication configured on the RADIUS server and client.