nik-mh,
Let's be clear:
If a device authenticates successfully using 802.1x, it is supported in bridge mode. So if your CPPM is allowing a device to authenticate successfuly, it should work with user authentication, machine authentication, in bridge mode
If we have "enforce machine authentication" enabled in the 802.1x profile of the Aruba controller this is not supported in bridge mode for machine authentication.
Only people who do not have an external radius server like clearpass to check for user+machine authentication enable "enforce machine authentication" on the Aruba controller. If you have "enforce" enabled in your 802.1x profile on the Aruba controller, please uncheck it so that ClearPass can enforce the user+machine policy.