Aruba added the capability to profile User-Agent and TCP Fingerprint using SPAN. Why would they add that if it was not needed?
Say you do not have a Aruba switch, or you have devices with the same embedded linux but with different features? You need user-agent to properly classify them.
If it is not possible to tell ClearPass what IPs it should consider and what IPs it should ignore (basically, everything that is not part of my private network), then the feature is worthless.