Hello Ronin101,
What you tested is 802.1X authentication with EAP-PEAP. The authentication worked because it is a workgroup machine and it trusts the server certificate installed on ClearPass, or server certificate validation is disabled in the client's 802.1X configuration (in case it does not trust it).
The trust list in ClearPass does not come into play for EAP-PEAP; it is used in EAP-TLS, when ClearPass has to check the client certificate.
In EAP-PEAP, you can only check the server certificate's validation on the client: if it works, by default the auth will work; if it fails, the auth will not work. If you want to stop clients from being able to check/uncheck the cert validation, you could push an AD group policy to disable that access on client machines.
If you want ClearPass to perform certain certificate checks on the client for authentication, you should do EAP-TLS.
To sum it all up:
For your third requirement:
"3) User shall not be allowed to authenticate if Trusted root CA of AD CS is not installed on the machine"
Is the ClearPass server cert signed by the "Trusted root CA of AD CS"? If so, you can do EAP-PEAP and use the validation option; if not, you need to do EAP-TLS.
Hope this helps.
--
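The client-side server certificate validation discussed in the reply above can be audited from exported Windows profiles (`netsh wlan export profile`). The following is an added example, not part of the original post: the two XML fragments are constructed and trimmed (namespaces and most elements omitted, placeholder thumbprint and server name), and the four checks are an audit policy assumed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed fragments (namespaces and most elements omitted).
WEAK = """<EapType><ServerValidation>
  <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
  <ServerNames></ServerNames>
 </ServerValidation>
 <PeapExtensions><PerformServerValidation>false</PerformServerValidation></PeapExtensions>
</EapType>"""

# Placeholder thumbprint and hostname, constructed for the example.
PINNED = """<EapType><ServerValidation>
  <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
  <ServerNames>clearpass.example.test</ServerNames>
  <TrustedRootCA>aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa</TrustedRootCA>
 </ServerValidation>
 <PeapExtensions><PerformServerValidation>true</PerformServerValidation></PeapExtensions>
</EapType>"""


def audit_peap(xml_text):
    """Return findings for a PEAP profile; an empty list means validation is pinned."""
    values = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # ignore XML namespaces in real exports
        values.setdefault(name, []).append((el.text or "").strip().lower())
    findings = []
    if "false" in values.get("PerformServerValidation", []):
        findings.append("server certificate validation is switched off")
    if not any(values.get("TrustedRootCA", [])):
        findings.append("no trusted root CA is pinned")
    if not any(values.get("ServerNames", [])):
        findings.append("no expected server name is set")
    if "true" not in values.get("DisableUserPromptForServerValidation", []):
        findings.append("user may be prompted to trust an unknown server")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK), ("pinned", PINNED)):
        print(label, audit_peap(profile) or "OK")
```
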