I have a similar problem.
VIA is configured with IKEv2 and MSCHAPv2, not with TLS.
When the user is logged in, Windows credentials are used to establish a tunnel automatically. But when the user logs off I can't see any connection attempt in the controller log. (Enabled logging level debug)
My connection profile:
!
aaa authentication via connection-profile "via-mschapv2"
server addr "my.dns.name" internal-ip X.X.X.X desc "wlc1" position 1
auth-profile "via-auth.mschapv2" position 1
ikev2-policy "2001"
ikev2-proto
ikev2auth eap-mschapv2
no save-passwords
dns-suffix-list "domain.local"
!
I played around with different settings, like save-password, to no avail.
Auth Profile:
aaa authentication via auth-profile "via-auth.mschapv2"
default-role "VIA-User"
server-group "DOT1CPPM"
radius-accounting "DOT1CPPM"
auth-protocol mschapv2
!
Until now I only tested with the VIA 3 client, because I couldn't find any Release Notes about version 4. Found it
With a logged on user everything works fine, just Domain Pre-Login doesn't work at all.
Edit:
I saw one single authentication attempt in ClearPass one time the local user was logged off. But I was not able to replicate it.
In it, I could see that the computer was trying to authenticate itself, without a user.