Thanks Colin, that's kind of how I understood it to work, with regards to the availability of the certificates.
To confirm, when the user presses 'ctrl-alt-del', this is when the authentication changes from 'Computer' to 'User', and if present, this is when the 'User' certificate is forwarded?
I take your point regarding the overhead with both computer and user certificates. With regards to Clearpass, if there was an attribute in AD that tied the device to a user, can you use Clearpass to return this as the user name as opposed to the hostname of the device?
My only concern with regards to our current setup with just computer authentication is that, whilst a user's account could be disabled if they left the organisation, the user could potentially still access the network using cached credentials and the computer certificate if the computer certificate is not revoked. Granted, they would not be able to access a resource restricted by AD, but they could still potentially get IP connectivity. I guess it is then up to us to consider revoking the computer certificate to address this, or enhance the Clearpass logic?
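Added example, not part of the thread and not ClearPass's own policy engine or API: a small Python model of the "enhance the Clearpass logic" idea raised above. It assumes a hypothetical `managedBy` attribute on the AD computer object that ties the device to a user; the sample directory, certificate serials and revocation list are all constructed inline. For a machine authentication (identity `host/...`), the policy resolves the tied user and denies access when that user's account is disabled, and it refuses any certificate whose serial appears on the CRL, so a disabled leaver with an unrevoked computer certificate no longer gets IP connectivity.

```python
from dataclasses import dataclass
from typing import Optional

# userAccountControl bit that AD sets on a disabled account (ADS_UF_ACCOUNTDISABLE)
ADS_UF_ACCOUNTDISABLE = 0x2
NORMAL_ACCOUNT = 0x200

# Constructed sample directory (stand-in for an LDAP/AD lookup). The 'managedBy'
# attribute on computer objects is the hypothetical device-to-user tie discussed above.
DIRECTORY = {
    "host/pc01.example.com": {"objectClass": "computer", "managedBy": "alice@example.com"},
    "host/pc02.example.com": {"objectClass": "computer", "managedBy": "bob@example.com"},
    "host/pc03.example.com": {"objectClass": "computer"},  # no owner recorded
    "alice@example.com": {"objectClass": "user", "userAccountControl": NORMAL_ACCOUNT},
    # bob has left: account disabled, but his laptop's computer cert was never revoked
    "bob@example.com": {"objectClass": "user",
                        "userAccountControl": NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE},
}

# Constructed CRL: serial numbers of certificates the CA has revoked
REVOKED_SERIALS = {"0x1a2b"}


@dataclass
class AuthRequest:
    identity: str      # EAP identity / cert subject, e.g. host/pc01.example.com or alice@example.com
    cert_serial: str   # serial of the presented EAP-TLS certificate


@dataclass
class Decision:
    accept: bool
    role: str                          # role/VLAN the NAS would enforce
    reason: str
    effective_user: Optional[str] = None


def is_machine_identity(identity: str) -> bool:
    """Machine auth identities are presented as host/<fqdn>; anything else is a user."""
    return identity.lower().startswith("host/")


def resolve_user(identity: str) -> Optional[str]:
    """Map an identity to the AD user it represents: the user itself, or the
    owner recorded on a computer object via the hypothetical managedBy attribute."""
    obj = DIRECTORY.get(identity.lower())
    if obj is None:
        return None
    if obj["objectClass"] == "user":
        return identity.lower()
    return obj.get("managedBy")


def user_is_enabled(user: Optional[str]) -> bool:
    if user is None:
        return False
    obj = DIRECTORY.get(user.lower())
    if obj is None or obj["objectClass"] != "user":
        return False
    return not (obj["userAccountControl"] & ADS_UF_ACCOUNTDISABLE)


def evaluate(req: AuthRequest) -> Decision:
    """Policy: revoked cert -> deny; unknown identity -> deny; machine auth ->
    deny if the tied owner is disabled, quarantine if no owner; user auth ->
    deny if disabled. Returns the decision the RADIUS server would enforce."""
    if req.cert_serial in REVOKED_SERIALS:
        return Decision(False, "deny", "certificate serial is revoked")
    if req.identity.lower() not in DIRECTORY:
        return Decision(False, "deny", "identity not found in directory")

    user = resolve_user(req.identity)
    if is_machine_identity(req.identity):
        if user is None:
            # Computer object has no owner: allow, but only onto a management VLAN
            return Decision(True, "machine-quarantine", "no owner attribute on computer object")
        if not user_is_enabled(user):
            return Decision(False, "deny", f"owner {user} is disabled", user)
        return Decision(True, "machine", "computer cert valid and owner enabled", user)

    if not user_is_enabled(user):
        return Decision(False, "deny", f"user {user} is disabled", user)
    return Decision(True, "user", "user cert valid and account enabled", user)


if __name__ == "__main__":
    for r in (AuthRequest("host/PC01.example.com", "0x0101"),
              AuthRequest("host/pc02.example.com", "0x0102"),
              AuthRequest("host/pc03.example.com", "0x0103"),
              AuthRequest("alice@example.com", "0x1a2b")):
        print(r.identity, evaluate(r))
```

The decision for `pc02` is the case the post worries about: the computer certificate itself is still valid, so a plain machine-only policy would accept it; only by resolving the tied owner and checking the disabled bit does the policy deny. Revoking the certificate (the `0x1a2b` case) closes the gap independently of any directory state, so the two controls complement rather than replace each other.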