Hi JSkrivervik,
I've seen this before as well. What are you using to make a decision on what's a BYOD device? It might be worthwile to have a line that says EAP-TLS connections are given a specific BYOD user role. Like Tim mentioned, if the user is not presenting an EAP-TLS connection to Clearpass, it's on the client. But, if you're differentiating traffic based on an iOS, Android, etc., you may want to look at Access Tracker and see if that is coming up as the right device type. I saw this once with a customer and there was an issue with DHCP relaying and Clearpass wasn't profiling the device correctly.
Hope it helps!
-Mike