Help with Enterprise WiFi

Posted by _TheKnightMan_@reddit | sysadmin | 13 comments

I need assistance configuring an Enterprise Wi-Fi setup for a client of mine. This is a scenario I did a few years ago, though it seems newer security settings on Windows don't make the exact method I used possible, and I'm not even sure if the configuration I'm attempting is possible in a secure manner anymore.

I have access to:

- NPS on Windows Server
- UniFi Access Points
- Active Directory
- ADCS is set up; computers & users are set to auto-enroll certificates. User certificates should be unique and are stored in AD so they will roam from computer to computer.

Is there a way to have enterprise Wi-Fi set up so that when a domain-joined computer boots, it authenticates to the Wi-Fi network using the machine account (via certificates or any other manner), then when the user logs in, the Wi-Fi then authenticates as the user? I've been able to get one or the other working, but not both. The client needs both because there are computers that do not have an Ethernet connection that need to be managed even when users aren't sitting at them. Ideally this will all be transparent to the user and use their credentials/certificates in the background. This needs to work for a user that has never signed on to the machine as well, and ideally I'll be able to filter the users that are able to access the network (e.g. WORKSTATION1 is always on at the logon screen; Bob can log in to Wi-Fi, but Alex cannot, as part of their AD group membership).