Machine authentication -> user authentication

Hi folks!

How can mitmproxy be used to request and verify the machine certificate of the workstations starting a session initiation towards a web server outside the proxy, and letting the proxy rewrite this initiattion adding a username and password, as provided only to the web Proxy?

This is to enable certain user machines (iPads) in kiosk mode to hide the username and password from the users, still maintaining some Level of (machine) authentication on those iPads.

Best regards,