NPS Computer and User Authentication

In our setup we would like to authenticate laptops and users separately.  So if the laptop belongs to a particular AD group and the user belongs to a particular AD group then they are allowed to join the hidden WiFi network.

In our current setup this kind of works.  We have a group policy that supplies the laptops with the required certificate if they belong to the right AD Group.  Then in NPS we have it do user authentication based on the User Group in AD.  This does work with one problem, the logon script fails to run 100% of the time.

If we switch modes and use computer authentication, and base it on the Machine group, then the logon script works 100% of the time, however even local users to the laptop have access to the WiFi network, something we do not want.

We have the group policy set to wait for network, we have a dial-up delay set and the scripts are set to run async.  Still no luck. 

1) Any thoughts on how to get the logon scripts to run?  or

2) setup NPS to do computer auth first, then user auth second?

March 25th, 2015 1:19pm

Hi,

If you use 802.1x wireless infrastructure, you may use GP to define User or Computer authentication. If computer authentication is successful, a subsequent user logon results in a re-authentication with user credentials.
For detailed setup steps, you may reference:
Creating a secure 802.1x wireless infrastructure using Microsoft Windows
http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx

Besides, by SSO (single sign-on) we may do user authentication after the user has logged on.
For detailed information, you may reference:
https://technet.microsoft.com/en-us/magazine/2007.11.cableguy.aspx

Best Regards,
Eve Wang

March 25th, 2015 11:24pm
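The answer above turns on which 802.1X authentication mode the client's wireless profile uses (computer, user, or computer-then-user with SSO). The PowerShell below is an added audit example, not code from the thread or from either poster: it reads a WLAN profile as exported by `netsh wlan export profile`, reports the `authMode` and `singleSignOn` settings from the OneX section, and flags the two outcomes the question describes (machine-only auth admitting any local account; user-only auth leaving logon scripts without a network). The embedded profile XML is a constructed sample, and the element names follow the Windows WLAN/OneX profile schema; the profile name `CorpWiFi` and the export path are placeholders.

```powershell
# Added example: audit the 802.1X authMode / SSO settings of a WLAN profile.
# To inspect a real profile, export it first (path is a placeholder):
#   netsh wlan export profile name="CorpWiFi" folder="C:\Temp"
# and pass the resulting XML to Get-WlanAuthModeReport.

# Constructed sample standing in for the exported profile: WPA2/AES with
# 802.1X, authMode set to "machine" (the mode the question found lets local
# users onto the network) and no singleSignOn element.
$sampleProfileXml = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig>
    <SSID><name>CorpWiFi</name></SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machine</authMode>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
'@

function Get-WlanAuthModeReport {
    param([Parameter(Mandatory)][xml]$Profile)

    # Both sections of the profile live in their own XML namespaces.
    $ns = New-Object System.Xml.XmlNamespaceManager($Profile.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    $ns.AddNamespace('x', 'http://www.microsoft.com/networking/OneX/v1')

    $name     = $Profile.SelectSingleNode('/w:WLANProfile/w:name', $ns).InnerText
    $useOneX  = $Profile.SelectSingleNode('//w:authEncryption/w:useOneX', $ns)
    $authMode = $Profile.SelectSingleNode('//x:OneX/x:authMode', $ns)
    $ssoType  = $Profile.SelectSingleNode('//x:OneX/x:singleSignOn/x:type', $ns)

    $uses8021X = $useOneX -and $useOneX.InnerText -eq 'true'
    $mode      = if ($authMode) { $authMode.InnerText } else { '(not set)' }
    $sso       = if ($ssoType)  { $ssoType.InnerText }  else { 'none' }

    # Map the observed settings to the behaviour described in the thread.
    $finding = if (-not $uses8021X) {
        'No 802.1X: NPS group conditions are never evaluated for this profile.'
    } elseif ($mode -eq 'machine') {
        'Computer-only auth: once the laptop authenticates, any local account gets network access.'
    } elseif ($mode -eq 'user') {
        'User-only auth: no network before logon, so logon scripts that need the network can fail.'
    } elseif ($sso -eq 'preLogon') {
        'machineOrUser with pre-logon SSO: user re-authentication completes before the logon script runs.'
    } else {
        'machineOrUser without pre-logon SSO: consider adding singleSignOn/preLogon so user auth finishes before logon scripts.'
    }

    [pscustomobject]@{
        Profile      = $name
        Uses8021X    = $uses8021X
        AuthMode     = $mode
        SingleSignOn = $sso
        Finding      = $finding
    }
}

# Run against the constructed sample; substitute Get-Content on an exported file for a real profile.
Get-WlanAuthModeReport -Profile ([xml]$sampleProfileXml) | Format-List
```

This only checks the client side of the arrangement. The requirement that both the laptop and the user belong to the right AD groups is enforced by the NPS policy conditions (Machine Groups and User Groups), which this script does not inspect; the profile audit tells you whether the client will actually present computer credentials, user credentials, or both in sequence.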

