Hi parentch,
Another thing you could do is to create a couple of different OnBoard profiles with an additional Clearpass CA. You could have all BYOD devices go to the "standard" OnBoard page / process. You could send the URL of another OnBoard page / process to clients that require elevated privileges. It would work something like the following:
1. A normal OnBoard device will connect with EAP-TLS
2. Based on the standard CA, it will be given the current BYOD role
3. A special BYOD device will connect with EAP-TLS
4. Based on the special CA, it will be given an elevated role
You could further lock down the above to only allow a certain LDAP Group access to go through the process of the special OnBoarding page.
Just a thought off the top of my head.
-Mike
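The two-CA design Mike sketches above, written out as a small policy model (an added example, not code from the post or from ClearPass). The CA names, role names and LDAP group DN are constructed placeholders; it also goes one step beyond the post by re-checking the LDAP group at authentication time, so a user removed from the group after enrolling on the special page drops back to the standard BYOD role instead of keeping elevated access.

```python
# Added example: models the two-OnBoard-profile / two-CA EAP-TLS design.
# Everything below (DNs, role names, group name) is a constructed placeholder.
from dataclasses import dataclass

STANDARD_CA = "CN=OnBoard CA (Standard)"      # constructed issuer DN
ELEVATED_CA = "CN=OnBoard CA (Elevated)"      # constructed issuer DN
ELEVATED_GROUP = "cn=priv-byod,ou=groups,dc=example,dc=com"  # constructed

# Issuer DN -> role: the split the post describes (steps 2 and 4).
ROLE_BY_ISSUER = {STANDARD_CA: "BYOD", ELEVATED_CA: "BYOD-Elevated"}


@dataclass
class ClientCert:
    subject_cn: str      # user identity presented during EAP-TLS
    issuer_dn: str       # which OnBoard CA signed the device cert
    revoked: bool = False


def enroll(user, user_groups, profile):
    """Onboarding step. 'standard' is open to all BYOD users; the 'elevated'
    OnBoard page is locked to members of ELEVATED_GROUP, as the post suggests.
    Returns the issued ClientCert, or None when enrollment is refused."""
    if profile == "standard":
        return ClientCert(user, STANDARD_CA)
    if profile == "elevated" and ELEVATED_GROUP in user_groups:
        return ClientCert(user, ELEVATED_CA)
    return None


def assign_role(cert, user_groups):
    """EAP-TLS authentication step. Returns (accepted, role).
    Unknown issuer or revoked cert -> reject outright.
    Elevated-CA cert whose user is no longer in the group -> standard BYOD
    (an assumption beyond the post: group membership is re-checked at auth)."""
    if cert is None or cert.revoked or cert.issuer_dn not in ROLE_BY_ISSUER:
        return (False, None)
    role = ROLE_BY_ISSUER[cert.issuer_dn]
    if role == "BYOD-Elevated" and ELEVATED_GROUP not in user_groups:
        return (True, "BYOD")
    return (True, role)


if __name__ == "__main__":
    admin = enroll("alice", [ELEVATED_GROUP], "elevated")
    print(assign_role(admin, [ELEVATED_GROUP]))   # (True, 'BYOD-Elevated')
    print(assign_role(admin, []))                 # (True, 'BYOD') after group removal
```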