This is now possible using the Authentication mechanism assurance feature in Active Directory Domain Services (AD DS) in Windows Server 2008 R2. When enabling this feature a user's access to resources on the network when authenticated using certificate based logon can be treated as different from what that access would be when the user types a user name and password as the user's group membership is changed reflecting the authentication method used
This feature is intended for organizations that use certificate-based authentication methods, such as smart card or token-based authentication systems. Organizations that do not use certificate-based authentication methods will not be able to use authentication mechanism assurance, even if they have Windows Server 2008 R2 domain controllers with their domain functional level set to Windows Server 2008 R2.
The best part of this feature is that any client or server operating system that is able to interpret Windows access tokens can be used to grant or deny access based on the group membership or memberships that are added to a user's token by authentication mechanism assurance.