Good idea, we already generate a batch of roles based upon user/machine OS, service used for our EAP and macauth services, just haven't done it yet for TLS.
I suspect that TLS is going to be one of those things that sneaks up on us and ends up being important. We've got Apple TVs, wireless VoIP phones, (possible) Android-based information systems and AirWatch-managed mobile devices that need network connectivity with multi-user support.
Given that ClearPass lets you generate your own CA and also provides you with an OCSP service, which saves doing things from the CLI with a standalone OCSP server and openssl, it's going to be easier to meet TLS requirements than it was before.
A