Hi Vulpe,
There are a few steps to enable machine authentication directly on Windows 7; however, I would strongly advise managing this via Group Policy (steps are in here, obviously choose Computer authentication rather than User as the article implies - Technet).
1. Open services.msc and set the Wired AutoConfig service to automatic.
2. Start the Wired AutoConfig service.
With this done you should be able to see the "Authentication" tab when you open the properties screen for your Network adapter...
3. Ensure "Enable IEEE 802.1X authentication" is ticked then click on "Additional Settings"
4. Ensure "Specify authentication mode" is ticked and select "Computer authentication" on the drop down box.
At this point you may want to give some consideration to whether or not you want to validate the certificate presented by ClearPass to the machine when it tries to authenticate. If you are using a self-signed certificate you may want to disable this check or alternatively install the root certificate on the Windows 7 machine so that self-signed certificates generated by ClearPass are trusted. Other options (installing proper 3rd party (Verisign, etc) certificates, or using your corporate PKI) are also feasible.
Either way, with these settings in place your machine should be capable of doing machine authentication only.
With regards to roles on ClearPass, I'm not sure I can answer whether or not you should be using initial or default service but I can tell you how we have configured our system and roughly how we did it.
1. Join the ClearPass appliance to Active Directory (this can be done via Policy Manager - Administration - Server Manager - Server Configuration).
2. Create a new Authentication Source and set the type to Active Directory, fill in the relevant details for the domain you wish to authenticate against (Hostname, Bind DN etc).
3. You will need to add your new Authentication Source to your 802.1x Wired service, you will also need [EAP PEAP] set as an Authentication Method.
4. We have created a role mapping that has the following condition - Authorization: Active Directory: HostName EXISTS and mapped that to a role called ROLE-COMPUTERINAD. You may wish to add an additional condition that checks the device is using EAP-MSCHAPv2 as an inner method (so Authentication:InnerMethod EQUALS EAP-MSCHAPv2).
5. We then use an Enforcement Policy to pass back a specific profile based on which Role the device has.
This should be sufficient to authenticate the computer via ClearPass, although I can't promise that I haven't missed anything out as it's been some time since I had to look at this particular part of the process. Obvious omissions are any switch configuration etc.
Thanks,
Matt.
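
The client-side steps above, scripted as an added example (not part of Matt's post): it sets and starts Wired AutoConfig (`dot3svc`), exports the wired profiles with `netsh lan export profile`, and reports the authentication mode and whether the server certificate is validated. The scratch folder, the `Get-ProfileValue` helper and the element names read from the exported XML (`OneXEnabled`, `authMode`, `PerformServerValidation`, `TrustedRootCA`) are assumptions about the exported profile format.

```powershell
# Added example: apply steps 1-2 of the post, then report the wired 802.1X
# settings from steps 3-4. Run from an elevated PowerShell prompt.
$svc = Get-WmiObject Win32_Service -Filter "Name='dot3svc'"   # Wired AutoConfig
if ($svc.StartMode -ne 'Auto') { Set-Service   -Name dot3svc -StartupType Automatic }
if ($svc.State -ne 'Running')  { Start-Service -Name dot3svc }

# Export every wired profile to a scratch folder (path is an assumption).
$dir = Join-Path $env:TEMP 'lan-profile-audit'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Remove-Item -Path (Join-Path $dir '*.xml') -ErrorAction SilentlyContinue
netsh lan export profile folder=$dir | Out-Null

# Hypothetical helper: text of the first element with this local name,
# ignoring XML namespaces.
function Get-ProfileValue([xml]$Doc, [string]$Name) {
    $node = $Doc.SelectSingleNode("//*[local-name()='$Name']")
    if ($node) { $node.InnerText } else { '(not present)' }
}

$files = @(Get-ChildItem -Path $dir -Filter *.xml)
if ($files.Count -eq 0) { Write-Warning 'No wired profiles were exported.' }

foreach ($file in $files) {
    [xml]$doc = Get-Content -Path $file.FullName
    $report = New-Object PSObject -Property @{
        Profile          = $file.BaseName
        OneXEnabled      = Get-ProfileValue $doc 'OneXEnabled'
        AuthMode         = Get-ProfileValue $doc 'authMode'
        ServerValidation = Get-ProfileValue $doc 'PerformServerValidation'
        TrustedRootCA    = Get-ProfileValue $doc 'TrustedRootCA'
    }
    $report | Format-List Profile, OneXEnabled, AuthMode, ServerValidation, TrustedRootCA

    # "Computer authentication" in the GUI should appear as authMode = machine.
    if ($report.AuthMode -ne 'machine') {
        Write-Warning "$($file.BaseName): authMode is '$($report.AuthMode)', expected 'machine'."
    }
    # With validation off, the client does not check the RADIUS server certificate.
    if ($report.ServerValidation -eq 'false') {
        Write-Warning "$($file.BaseName): server certificate validation is disabled."
    }
}
```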