You could also use the profiler in the ClearPass service.
Any OS / Make / Model = Aruba Terminate Session.
It would send a COA to the controller, make sure you have ClearPass setup as an RFC3576 server and in ClearPass you have the controller enabled for RFC3576 in the network device settings.
You could then put logic into the Role Mapping policy for the service that checks things such as:
IF Device OS = Chrome THEN Assign role CHROMEBOOK
IF Device OS = Windows THEN Assign role WINDOWS PC
IF Device OS = Apple THEN Assign role MACBOOK
IF AD memberOf = Staff THEN Assign role STAFF
IF AD memberOf = Student THEN Assign role STUDENT
I would do evaluate all in the Role Mapping, then in the Enforcement, just need to combine the roles and assign the VLAN / User Role assignments based on the combinations. Always put the most specific on top, for example:
TIPS Role MATCHES ALL = Chromebook, Staff THEN Action = VLAN 1, User Role Staff
TIPS Role MATCHES ALL = Chromebook, Student THEN Action = VLAN 2, User Role Student
TIPS Role MATCHES ALL = Chromebook THEN Action = VLAN 3, User Role Chromebook
You can filter on Machine Authentications and User Authentications as well to identify if it's a domain joined machine or personal machine. If it machine authenticates successfully, it's company owned.
Chromebooks - Use Google Admin Console to identify if they are company owned
Windows - Use Machine Authentication (if their domain joined)
Macbooks - May need to find another attribute or use Generic SQL query to check a database of the devices.
Mobile Devices - Use MDM such as AirWatch