OK. So I was right in assuming that Clearpass stops at the first authentication match then evaluates the rules for a match, whereas Cisco ISE does not stop processing rules until there is an authorization match even if there are multiple matching authentication methods.
Its probably best for me to just allow the SE to configure this, as Clearpass does not make as much sense as ISE did when I configured it 5yrs ago.
Thanks for the time saver.