Anas,
I am not sure which RADIUS server you are using but if you were leveraging the ClearPass Policy Manager there are some great enforcement policies that can be applied by inspecting the outer EAP or potentially the authetnication source being used.
For example, if the RADIUS transaciton was based on a AD authenticated PEAP authentication then we know that this device has not been through the Onboard process and therefore should have a role returned that redirects the device to the provisioning portal. If the RADIUS transcation was based on EAP-TLS or authenticated against the Onboard Devices repository, we know this is an Onboarded device and can confidently return the post authentication role.
Hope this helps
Cam.