The official answer is that this is not supported, and you should use Guest Devices for this.
A workaround I've tried, and which works, is to create a new authentication source of LDAP type:
Hostname: dc-server.domain.net
Connection Security: None
Port: 389
Verify Server Certificate: true
Bind DN: cn=svc_Clearpass,ou=Service Accounts,ou=...
Bind Password: ********
Base DN: ou=Clearpass,ou=Test...
Search Scope: SubTree Search
LDAP Referrals: false
Bind User: false
Password Attribute: networkAddress
Password Type: Cleartext
User Certificate: userCertificate
Attributes:
Filters : 1. (networkAddress=%{Authentication:Username})
So it's a bit of a hack: you switch from using the usual password field in AD to something else; in our case we use the AD attribute networkAddress. userParameters is there for the Cisco iPSK password, don't mind about that. We managed to get iPSK working with AD, but for MPSK you have to use Guest Devices. That's why we've switched from using this hack to Guest.
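For anyone reviewing an authentication source like the one above, here is a small lint over the listed settings. It is an added example, not part of the original post and not ClearPass code. The function names and the four rules are assumptions made for illustration, based on general LDAP behaviour, and the sample text is constructed from the values shown in the post.

```python
import re

# Constructed sample: the settings listed in the post (elided DNs left out).
SAMPLE = """\
Hostname: dc-server.domain.net
Connection Security: None
Port: 389
Verify Server Certificate: true
Bind User: false
Password Attribute: networkAddress
Password Type: Cleartext
Filters : 1. (networkAddress=%{Authentication:Username})
"""

def parse_settings(text):
    """Split each 'Key: Value' line on its first colon; keys are lower-cased."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings

def audit(settings):
    """Return (setting, finding) pairs for transport and credential handling."""
    get = lambda k: settings.get(k, "")
    findings = []
    if get("connection security").lower() == "none":
        findings.append(("Connection Security",
                         "bind password and returned attributes cross the network unencrypted"))
        if get("verify server certificate").lower() == "true":
            findings.append(("Verify Server Certificate",
                             "no TLS handshake takes place, so no certificate is checked"))
    if get("password type").lower() == "cleartext":
        findings.append(("Password Type",
                         f"{get('password attribute')} is read back as a plain value"))
    # Attribute that the filter matches against the presented username.
    m = re.search(r"\((\w+)=%\{Authentication:Username\}\)", get("filters"))
    if m and m.group(1).lower() == get("password attribute").lower():
        findings.append(("Password Attribute",
                         f"{m.group(1)} is both lookup key and password: "
                         "the credential equals the username"))
    return findings

if __name__ == "__main__":
    for setting, finding in audit(parse_settings(SAMPLE)):
        print(f"{setting}: {finding}")
```
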