A couple of options:
First, the user machine's MAC address must be passed through the VPN to Clearpass so we can reference it for the options below.
1. I take it that the device connects to Wi-Fi in a corp location as well as VPN? If so, you can add an endpoint attribute based on machine authentication in the corp environment. Then, once the user has this attribute in the endpoint database, you can reference it in policy on Clearpass for the VPN service. However, this isn't a "light switch" approach, meaning that the user must connect in a corp office first with Clearpass as the RADIUS server. This is because we will see a domain computer also pass machine authentication, and in Access Tracker you will see "machine authenticated" as a role attribute. We can add a custom endpoint attribute once we see this. When the user tries VPN afterwards, we can see that this machine was machine authenticated in the office and then allow access.
2. Use a SQL query to an asset DB and check the MAC against it as an authorization source. Using this logic, we can query for the MAC in the DB and if it exists, then we know it's a corp asset.
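As an added illustration (not part of the post above, and not Clearpass's own code), the following Python models both checks against constructed data: the endpoint attribute from option 1 and the asset-DB lookup from option 2. The practical caveat it handles is MAC format: an asset inventory and Clearpass may store the same address with colons, hyphens or no delimiters, so the lookup normalises first. The `assets` table, the `MachineAuthenticated` attribute name and the sample records are assumptions.

```python
import sqlite3
import re

# Constructed sample asset inventory; MAC formats deliberately vary.
CORP_ASSETS = [
    ("LAPTOP-0001", "00:1A:2B:3C:4D:5E"),
    ("LAPTOP-0002", "00-1a-2b-3c-4d-5f"),
    ("LAPTOP-0003", "001a2b3c4d60"),
]

# Constructed endpoint records standing in for the Clearpass endpoint
# database; "MachineAuthenticated" is a hypothetical custom attribute name.
ENDPOINTS = {
    "001a2b3c4d5e": {"MachineAuthenticated": "true"},
    "aabbccddeeff": {},
}

def normalize_mac(mac):
    """Lower-case hex with no delimiters, so lookups don't miss on format."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits

def build_asset_db():
    """In-memory stand-in for the asset DB an SQL authorization source queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (hostname TEXT, mac TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO assets VALUES (?, ?)",
                     [(h, normalize_mac(m)) for h, m in CORP_ASSETS])
    return conn

def is_corp_asset(conn, mac):
    """Option 2: does the (normalised) MAC exist in the asset inventory?"""
    row = conn.execute("SELECT 1 FROM assets WHERE mac = ?",
                       (normalize_mac(mac),)).fetchone()
    return row is not None

def was_machine_authenticated(mac):
    """Option 1: was the custom endpoint attribute set after on-site auth?"""
    attrs = ENDPOINTS.get(normalize_mac(mac), {})
    return attrs.get("MachineAuthenticated") == "true"

def vpn_decision(conn, mac):
    """Allow the VPN only if either signal says this is a corporate machine."""
    if was_machine_authenticated(mac) or is_corp_asset(conn, mac):
        return "allow"
    return "deny"
```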