As Colin mentioned, it is not possible to carry over a role mapping of an authenticated machine once you do the user auth.
What I suggest you do is the following:
- Create two services
- In the machine authentication service define the following role mapping
- Then create two custom attributes that you will use to differentiate between the IT PC and Sales PC
- Then create a Post Auth profile using those custom attributes
- The post auth profiles can then be used to tag devices that are part of the SalesComputer or ITComputer AD group in the machine auth enforcement policy
- Once these tags have been applied you can use them in the user wireless 802.1X service (for this to work, make sure you add the endpoint database as an authorization source)
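
The flow in the steps above, modeled as an added Python sketch that is not part of the original post and is not ClearPass configuration or API code. The attribute name `DeviceClass`, the tag values, user roles, MAC addresses and account names are constructed for illustration; only the `ITComputer` and `SalesComputer` group names come from the post.

```python
# Constructed sample data: AD group membership of machine and user accounts.
MACHINE_GROUPS = {"host/it-pc01": {"ITComputer"},
                  "host/sales-pc07": {"SalesComputer"},
                  "host/kiosk03": set()}
USER_ROLES = {"alice": "IT-User", "bob": "Sales-User"}

# Hypothetical custom attribute and values (the post does not name them).
TAG_ATTR = "DeviceClass"
GROUP_TO_TAG = {"ITComputer": "IT-PC", "SalesComputer": "Sales-PC"}

endpoint_db = {}  # MAC address -> {attribute: value}


def machine_auth(mac, account):
    """Machine auth service: match the AD group, then the post-auth
    profile writes the tag onto the endpoint record for this MAC."""
    groups = MACHINE_GROUPS.get(account)
    if groups is None:
        return "REJECT"  # unknown machine account
    for group, tag in GROUP_TO_TAG.items():
        if group in groups:
            endpoint_db.setdefault(mac, {})[TAG_ATTR] = tag
    return "ACCEPT"


def user_auth(mac, user, authz_sources=("AD", "EndpointDB")):
    """User 802.1X service: the machine's role is not carried over, so
    the only link to the earlier machine auth is the endpoint tag."""
    if user not in USER_ROLES:
        return None  # unknown user: reject
    tag = None
    if "EndpointDB" in authz_sources:  # last step: endpoint DB as authz source
        tag = endpoint_db.get(mac, {}).get(TAG_ATTR)
    return (USER_ROLES[user], tag)


if __name__ == "__main__":
    machine_auth("aa:bb:cc:00:00:01", "host/it-pc01")
    machine_auth("aa:bb:cc:00:00:02", "host/sales-pc07")
    machine_auth("aa:bb:cc:00:00:03", "host/kiosk03")
    print(user_auth("aa:bb:cc:00:00:01", "alice"))           # tagged IT PC
    print(user_auth("aa:bb:cc:00:00:03", "alice"))           # no tag applied
    print(user_auth("aa:bb:cc:00:00:01", "alice", ("AD",)))  # tag not visible
```

The third call shows the failure mode the last step warns about: with the endpoint database missing from the authorization sources, the user service sees no tag even though the machine auth applied one.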