If you have users who are mostly using WiFi, you need to permit both their computer (I typically allow Domain Computers) and their user account.
Otherwise you get this situation: when the machine boots up, it is not connected to the WiFi. The user tries to log in, but the machine can only use cached credentials. If the cached credentials don't match a newer change, the user can still log into the machine but cannot attach to the WiFi, because the WiFi only knows the new credentials (it is talking to AD).
If you allow machine authentication as well, the machine starts up and can now also do group policy processing. The user goes to log in, but because the machine can now talk to a domain controller, it doesn't have to use cached credentials. It authenticates directly against the AD controller. If that passes, the user logs in and then re-authenticates to the WiFi using the known good credentials.
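
A client-side check for the two situations described above, as an added example that is not part of the original text: it reads the 802.1X `authMode` from a Windows WLAN profile and reports whether the computer account can authenticate before logon. The function names, profile names and sample XML are constructed for illustration; the server side still has to permit the computer accounts as described above.

```powershell
# Added example: the profile XML below is constructed sample data, not from the page.
$WlanNs = 'http://www.microsoft.com/networking/WLAN/profile/v1'
$OneXNs = 'http://www.microsoft.com/networking/OneX/v1'

function Get-WlanAuthMode {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ProfileXml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($ProfileXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('w', $WlanNs)
    $ns.AddNamespace('x', $OneXNs)
    $name    = $doc.SelectSingleNode('/w:WLANProfile/w:name', $ns)
    $useOneX = $doc.SelectSingleNode('//w:authEncryption/w:useOneX', $ns)
    $mode    = $doc.SelectSingleNode('//x:OneX/x:authMode', $ns)
    $is8021x  = ($null -ne $useOneX) -and ($useOneX.InnerText -eq 'true')
    $modeText = if ($null -ne $mode) { $mode.InnerText } else { '(not set)' }
    # Map the credential mode to the logon behaviour the text describes.
    $finding = if (-not $is8021x) { 'not an 802.1X profile' } else {
        switch ($modeText) {
            'machineOrUser' { 'computer account before logon, user account after logon' }
            'machine'       { 'computer account only' }
            'user'          { 'no WiFi before logon: logon relies on cached credentials' }
            default         { 'check the profile manually' }
        }
    }
    [pscustomobject]@{ Profile = $name.InnerText; AuthMode = $modeText; Finding = $finding }
}

function New-SampleProfile([string]$Name, [string]$AuthMode) {   # builds constructed test input
@"
<WLANProfile xmlns="$WlanNs">
  <name>$Name</name>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="$OneXNs"><authMode>$AuthMode</authMode></OneX>
  </security></MSM>
</WLANProfile>
"@
}

@(
    (New-SampleProfile 'CorpWiFi-UserOnly' 'user'),
    (New-SampleProfile 'CorpWiFi' 'machineOrUser')
) | ForEach-Object { Get-WlanAuthMode -ProfileXml $_ } | Format-Table -AutoSize

# On a real client, feed exported profiles instead (the folder must already exist):
#   netsh wlan export profile folder="$env:TEMP\wlan"
#   Get-ChildItem "$env:TEMP\wlan\*.xml" | ForEach-Object { Get-WlanAuthMode (Get-Content $_ -Raw) }
```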