The question is, what is the best way to get an easy onboarding of the machine/user on day 0 when they are going to connect the first time to the network?
-IMO this depends on your requirements. One way is to track this is via tickets.
What about computer imaging? Will this include user certificate?
-For imaging your best bet will be to have some sort of a process that involves mab authentication so that admins can pxe boot and pull an image from your enterprise services. Once your Windows/SCCM teams fully gets a box domain ready you should be able to rely on GPO and auto-enrollment based on security groups containing domain joined objects to configure the native supplicant and enroll for a cert. During the imaging process and cert enrollment you can also push the cert chain to clients. Then after imaging, cert enrollment, etc. upon next re-auth the clients will move from lets say your staging/imaging network into their respective network based on 8021x auth with specific ISE policies to onboard clients. Something to note from my experience with SDA and onboarding is that depending on the auth template you decide to use you may need to tweak timers and/or the order. As for getting mac addresses into an ISE L2 identity group you have several options IMO. A couple of those being utilizing rest apis to bulk add new macs, or manually creating/adding them. Note that you will want to figure out a way to track this.

AFAIK for multiple AD points you can add up to 50. Also, dont forget to have all the respective chains in the trust store within ISE. Lastly you will want to discuss the overall requirements with your PKI, AD, and server teams from each respective group. Good luck & HTH!

There are various caveats around PC build/onboarding in a NAC environment. The easiest solution by far would be to have a separate staging environment. See the posts below discussing related topics around this.

 

PC Imaging on NAC secured ports 

ISE Deployment EAP-TLS Machine or User Certificates Native Supplicant