We don't have a Clearpass partner.
The Macs are managed using Group Policy. There is some software that allows the Windows Admins to do that.
I am not 100% tied to EAP-TLS and I have used EAP-PEAP to
authenticate Windows machines using machine + username before at a different company. There is no machine authentication with Linux in our case right now and that isn't going to change anytime soon.
There is no official security goal. We currently use cert only EAP-TLS, and the idea of cert + username/password would be better and allow us to role map users easier.