We don't use the onboard, and we already have a PKI infrastructure in place with certificates deployed to Windows machines. We push a GPO to configure 802.1x on the Windows laptop. However, I've attached screenshots on how to manually set 802.1x using certificates on a Windows machine. Apple Mac is much simpler since 802.1x is on and it autodetects on the wired. For Mac the user is prompted.
Our use case has a lot to do with how we configure the switch. I'll give you a little bit on the flow to help you understand our switch configuration.
In our AD, we have an attribute populated with all the MAC addresses of hosts that are joined to the domain. So we use MAB first on the switch port. In ClearPass, if the MAC is present in AD, then a reject is sent to the switch that then forces the switch to move from MAB to 802.1x. The host is then prompted to authenticate with 802.1x. If successful, then a port based ACL is sent down to the switch. We use machine certs, so all this is transparent to the user.
If a device is plugged in, MAB is triggered, and the MAC is not in AD, then ClearPass accepts the MAB and a Captive Portal Redirect is pushed down to the switch. The user then registers/logs in via the portal and then a unique restricted Dynamic ACL is pushed down to the port.
We use this MAB first method because of speed. In a lot of our use cases, most of the devices won't have 802.1x and thus a certain action will be used by MAB.
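
The flow described in this post, modelled as a small decision function (an added example, not part of the original post and not ClearPass or switch configuration). The function names, the sample MACs, the MAC normalization step and the `UNAUTHORIZED` outcome for a failed 802.1X attempt are assumptions; the post does not say what the port does when 802.1X fails.

```python
import re

# Constructed sample values standing in for the AD attribute that lists
# the MAC addresses of domain-joined hosts (mixed notations on purpose).
AD_DOMAIN_MACS = ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d5f"]


def normalize_mac(mac):
    """Reduce colon, dash or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


KNOWN_DOMAIN_MACS = {normalize_mac(m) for m in AD_DOMAIN_MACS}


def mab_decision(mac):
    """Policy-server side of MAB: reject domain MACs, accept everything else."""
    if normalize_mac(mac) in KNOWN_DOMAIN_MACS:
        return "REJECT"                  # switch falls back from MAB to 802.1X
    return "ACCEPT_CAPTIVE_PORTAL"       # switch receives the portal redirect


def authorize_port(mac, has_valid_machine_cert=False, portal_login_ok=False):
    """Walk one switch port through the flow and return its final state."""
    if mab_decision(mac) == "REJECT":
        # Domain MAC: only a successful 802.1X (machine cert) gets the port ACL.
        if has_valid_machine_cert:
            return "DOT1X_PORT_ACL"
        # Assumption: a failed 802.1X leaves the port without access. A device
        # that merely presents a domain MAC gains nothing from the MAB step.
        return "UNAUTHORIZED"
    # Unknown MAC: redirected to the portal until the user registers/logs in.
    if portal_login_ok:
        return "RESTRICTED_DYNAMIC_ACL"
    return "CAPTIVE_PORTAL_REDIRECT"


if __name__ == "__main__":
    print(authorize_port("00-1A-2B-3C-4D-5E", has_valid_machine_cert=True))
    print(authorize_port("00:1a:2b:3c:4d:5e"))             # domain MAC, no cert
    print(authorize_port("AA:BB:CC:00:11:22"))             # unknown device
    print(authorize_port("AA:BB:CC:00:11:22", portal_login_ok=True))
```

Matching on a normalized form matters here because a MAC that fails to match the AD list lands in the captive-portal branch instead of being forced to 802.1X.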