This question is in regards to a combination of AD, ClearPass, and our firewall. I'll give a bit of a setup outline first, followed by the question.
Users are able to connect on their laptops via TLS+PEAP; they don't need to enter their credentials, as their current AD login is automatically used, along with a certificate for auth.
On their smart devices they are able to connect by entering their AD username and password, also with cert auth.
In AD we have a role for internet access that users need in order to be allowed external internet access. When connecting to the IAP/ClearPass from a laptop, this role is working, as it is a domain laptop. When connecting on a smart device (entering AD credentials), the internet access role isn't applying (if it exists on the account), and as such they are being blocked by the TMG firewall (which checks for user membership in the internet access group). Smart devices are managed through an MDM (listed as an endpoint context server).
Is there a way to have ClearPass make the smart devices adopt the same AD roles as the account used to authenticate the connection? If not, what alternate approach should I be looking towards?
Thank you