Once the machine (laptop, smart network device, etc.) is checked against the trusted MAC address database, the MAC address should then be cross-checked with the group of switches it is allowed on.
For example: if the machine belongs to site A and is moved and brought to site B, although the MAC address is trusted, it doesn't belong to site B, so access to the network resources should be restricted.
The same applies in the case of different departments...
Is this possible through ClearPass?