On wireless with WPA-Enterprise (802.1X) there is no fallback, as the TLS session cannot be established without valid certificates, and there is no fallback to unsecured or so because authentication and encryption setup are combined in the same process.
On wired, you can configure the client supplicant to 'Fallback to unauthenticated access' on Windows, in which case it will just start communicating and trigger a MAC authentication.
Expired certificates is an area where you don't want to go, and if you need to go there test heavily with all possible clients as the client (type, version, configuration) plays a big part in how the experience will be.