Is there any reason domain joined windows clients would be trying to send UDP/137 and UDP/138 traffic to ClearPass?
We've just moved our ClearPass servers behind a firewall and have noticed a lot of this traffic dropped in the logs.
Clients are authenticating using PEAP, but in theory would have no way of knowing about ClearPass? Unless it is somehow related to DHCP relay - the L3 gateway for the client subnets has an IP helper configured pointing to ClearPass for DHCP fingerprinting.