You could look into the use of 802.1X machine authentication. Certainly for Windows devices, machine authentication (if enabled) takes place at logon and logoff. You can use this to assign a more restrictive role or VLAN to devices when only machine authentication is passed.
Basically the logic works as follows:
1. ClearPass authenticates a machine and assigns a restrictive role/VLAN.
2. ClearPass authenticates a user and this in combination with the already authenticated machine assigns a full access role/VLAN.
3. If machine authentication is seen after this it would indicate a client has rebooted or logged off. This could then assign the more restrictive role.
I would recommend labbing this up and seeing if this can provide what you want.
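The role logic described in this reply, modelled as an added Python example (not part of the original post and not ClearPass configuration). The role names, the event format and the handling of a user logon on a device that never passed machine authentication are assumptions.

```python
# Added illustration: models the role decision described in the reply above.
# Not ClearPass configuration; role names and event format are hypothetical.
from dataclasses import dataclass, field

RESTRICTED = "restricted-role"   # hypothetical role/VLAN name
FULL = "full-access-role"        # hypothetical role/VLAN name


@dataclass
class RoleDecider:
    # MAC addresses that have passed machine authentication
    machine_authed: set = field(default_factory=set)

    def decide(self, mac, auth_type):
        """Return the role for one successful 802.1X authentication event."""
        mac = mac.lower()
        if auth_type == "machine":
            # Seen at boot and again at logoff: always (re)assign the
            # restrictive role, which also drops a previous full-access role.
            self.machine_authed.add(mac)
            return RESTRICTED
        if auth_type == "user":
            # Full access only in combination with an already
            # authenticated machine.
            if mac in self.machine_authed:
                return FULL
            # Assumption: valid user credentials on a device that never
            # passed machine authentication stay restricted.
            return RESTRICTED
        raise ValueError(f"unknown auth_type: {auth_type!r}")


def replay(events):
    """Run a list of (mac, auth_type) events through a fresh decider."""
    decider = RoleDecider()
    return [decider.decide(mac, auth_type) for mac, auth_type in events]


# Constructed sample events: (client MAC, authentication type)
SAMPLE_EVENTS = [
    ("AA:BB:CC:00:00:01", "machine"),  # laptop boots
    ("AA:BB:CC:00:00:01", "user"),     # user logs on
    ("AA:BB:CC:00:00:01", "machine"),  # user logs off or reboots
    ("AA:BB:CC:00:00:02", "user"),     # user logon, no machine auth seen
]

if __name__ == "__main__":
    for event, role in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", role)
```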