American McNeill,
----security conscious talk begin-------
I want to say that what will improve your security posture is always specific to you, your organization, or your users. There is always a security regimen that cannot be adopted because X Vice President or Y Director cannot be bothered. Or, users do not have enough training so that super secure supplicant that you wanted to use is too hard to implement.
While everyone can put strategies that you can use on a public forum here, people who hack, ethically or not, have access to the same information. The best answer is to have a security consultant review what your organization is doing and suggest something that will work out for all of your users and your organization.
----security conscious talk end---------
With that being said, I would use the device registration capability within ClearPass to make everyone register the MAC address of their device in the endpoint database before authenticating. During the registration, the username would be associated with an endpoint, so that only users who have registered their devices can authenticate successfully with 802.1x, which will compare the MAC address of a device that wants to authenticate with the username in the endpoint record. If the MAC address is not in the endpoint database, a successful 802.1x authentication will earn them a trip to the MAC registration page. If the MAC address exists in the endpoint database but the username does not match the endpoint database record, do not allow them to get on via 802.1x.
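The three outcomes described in the post, modelled as an added example (not code from the post or from ClearPass): the endpoint table, the role names and the assumption that endpoints are keyed by a compact lowercase MAC are all constructed for illustration.

```python
import re
from typing import Dict, Optional

# Constructed endpoint database: keyed by MAC address, value is the username
# captured when the device was registered (assumed compact lowercase form).
ENDPOINTS: Dict[str, str] = {
    "0011223344aa": "jsmith",
    "aabbccddeeff": "mlee",
}

def normalize_mac(raw: str) -> Optional[str]:
    """Reduce a Calling-Station-Id to 12 lowercase hex digits.

    Different NAS vendors send 00:11:22:33:44:AA, 00-11-22-33-44-AA or
    0011.2233.44aa; all must map to the same endpoint record. Anything that
    does not reduce to exactly 12 hex digits is treated as malformed.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return digits if len(digits) == 12 else None

def enforcement_decision(username: str, calling_station_id: str,
                         endpoints: Dict[str, str] = ENDPOINTS) -> str:
    """Role for an 802.1X request whose credentials already verified.

    FULL_ACCESS      - device registered by this user
    MAC_REGISTRATION - valid user, unknown device: send to registration page
    DENY             - device registered by a different user, or bad identifier
    """
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return "DENY"  # never let a malformed identifier fall through to allow
    owner = endpoints.get(mac)
    if owner is None:
        return "MAC_REGISTRATION"
    # Username comparison is case-insensitive here (assumption; directory
    # services typically treat account names that way).
    if owner.casefold() != username.casefold():
        return "DENY"
    return "FULL_ACCESS"

if __name__ == "__main__":
    # Constructed sample requests covering each branch.
    for user, mac in [("jsmith", "00:11:22:33:44:AA"),
                      ("mlee", "00-11-22-33-44-aa"),
                      ("jsmith", "0011.2233.44ab"),
                      ("jsmith", "not-a-mac")]:
        print(f"{user:8} {mac:20} -> {enforcement_decision(user, mac)}")
```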