Are you doing EAP-TLS now and actually verifying a cert on the client machine?
Machine authentication with PEAP, from what I understand, sends a username/password during bootup. It is usually the fully qualified domain name (FQDN) that is sent. The machine or computer account is being validated. The only way machine authentication is possible is for the PC connecting to the wireless network to have been previously joined to the domain. If users bring in laptops or other devices that are not part of the domain, they will not be able to gain access to the network because machine authentication will fail.
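A defender-side check for the behaviour described above, as an added example that is not part of the original post: it scans authentication records and lists endpoints where a user was accepted but no computer account ever was, which is how a non-domain device shows up when machine authentication is not being enforced. The key=value log format, MAC addresses and names are constructed, and treating a `host/` identity prefix as the computer account is an assumption about how Windows supplicants present it.

```python
import re
from collections import defaultdict

# Constructed sample records in a made-up key=value layout
# (not the log format of any particular RADIUS server).
SAMPLE_LOG = """\
ts=2024-05-01T08:00:02 mac=AA:BB:CC:00:00:01 identity=host/pc-101.corp.example.com eap=PEAP result=accept
ts=2024-05-01T08:03:10 mac=AA:BB:CC:00:00:01 identity=CORP\\alice eap=PEAP result=accept
ts=2024-05-01T08:05:44 mac=AA:BB:CC:00:00:02 identity=CORP\\bob eap=PEAP result=accept
ts=2024-05-01T08:06:01 mac=AA:BB:CC:00:00:03 identity=host/byod-laptop.home.lan eap=PEAP result=reject
ts=2024-05-01T08:06:30 mac=AA:BB:CC:00:00:03 identity=carol@corp.example.com eap=PEAP result=accept
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value record into a dict."""
    return dict(FIELD.findall(line))


def is_machine_identity(identity):
    # Assumption: the computer account is presented as "host/<FQDN>".
    return identity.lower().startswith("host/")


def user_only_endpoints(log_text):
    """Return {mac: [user identities]} for endpoints with an accepted user
    authentication but no accepted machine authentication anywhere in the log."""
    machine_ok = set()
    user_ok = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("result") != "accept":
            continue  # rejected attempts prove nothing about the endpoint
        if is_machine_identity(rec["identity"]):
            machine_ok.add(rec["mac"])
        else:
            user_ok[rec["mac"]].append(rec["identity"])
    return {mac: ids for mac, ids in user_ok.items() if mac not in machine_ok}


if __name__ == "__main__":
    for mac, users in user_only_endpoints(SAMPLE_LOG).items():
        print(f"{mac}: user auth without machine auth -> {', '.join(users)}")
```
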