Yes, you can do that with the base Policy Manager license.
CPPM has a built-in Machine Authentication role that allows you to make policy decisions about AD-joined machines and then return a specific VLAN (or, if you are using Aruba switches, you can return a user role).
You can then check the remaining devices against an external database, network registration system, or utilize the built-in endpoint repository as your authoritative device database.
OnGuard allows you to get more granular with your policy decisions by using posture checks like antimalware software and updates. You can also check for software like torrent applications and leave the device in a specific state until the software is removed.