First, I will explain what I want to do:
Device A is joined to domain acme.com
Device A is a member of ABC OU
Device A must machine authenticate and user authenticate in order for the device to gain full access to the network
Results in default RADIUS ALLOW policy
Device B is joined to domain acme.com
Device B is a member of XYZ OU
Device B must machine authenticate and user authenticate in order for the device to gain full access to the network
Results in NAMED VLAN and NAMED ROLE. Device B must be placed into a different VLAN and role than Device A
Here's the problem:
This configuration works fine for device A. The device gets the [Machine Authentication] role and is cached for 24 hours, allowing the user to log in and get complete access to the network: [Machine Authentication] + User auth = access.
When the machine authenticates, we differentiate access by determining that it's in a different OU, which results in device B getting a different role than device A. I can't give it the [Machine Authentication] role because otherwise it will end up with the same enforcement policy as device A. Since I can't give the [Machine Authentication] role to device B, when the user logs in their machine authentication is not cached, so I can't get them on the network.
My solution to this would be to create a ClearPass role called [Machine Authentication - XYZ] that caches just like the built-in [Machine Authentication] role. Then, I could use [Machine Authentication - XYZ] + User authentication to give device B differentiated access to the network.
Is this at all possible or is there another way of doing this that I'm not thinking of?
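As an added illustration (this is example code written for this page, not ClearPass's implementation and not the poster's configuration), the following Python model shows the two-phase flow the post describes: the machine-authentication role is derived from the computer account's OU and cached per device for an assumed 24 hours, and the later user-authentication decision combines that cached role with the user result to select an enforcement profile. The DN strings, the custom role name, the VLAN/role names and the enforcement table are all assumptions chosen to mirror the post; a device whose machine authentication was never cached, or whose cache entry has expired, falls through to a deny result, which is the failure mode described for device B.

```python
"""Toy model of machine-auth-then-user-auth policy evaluation with a
per-device cached machine-authentication role (example only, not ClearPass)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

MACHINE_AUTH_TTL = timedelta(hours=24)  # assumed cache lifetime

# Assumed role-mapping policy: computer-account OU -> machine-auth role.
OU_ROLE_MAP = {
    "OU=ABC,DC=acme,DC=com": "[Machine Authentication]",
    "OU=XYZ,DC=acme,DC=com": "[Machine Authentication - XYZ]",  # hypothetical custom role
}

# Assumed enforcement policy: (cached machine role, user authenticated) -> profile.
ENFORCEMENT = {
    ("[Machine Authentication]", True): {"profile": "RADIUS ALLOW", "vlan": None, "role": None},
    ("[Machine Authentication - XYZ]", True): {"profile": "NAMED", "vlan": "XYZ_VLAN", "role": "XYZ_ROLE"},
}
DENY = {"profile": "DENY", "vlan": None, "role": None}


@dataclass
class PolicyServer:
    now: datetime                                  # injectable clock for testing expiry
    cache: Dict[str, Tuple[str, datetime]] = field(default_factory=dict)  # mac -> (role, expiry)

    def machine_auth(self, mac: str, computer_dn: str) -> Optional[str]:
        """Phase 1: map the computer's OU to a role and cache it against the device."""
        ou_path = computer_dn.split(",", 1)[1].strip()  # drop the CN=..., keep OU/DC path
        role = OU_ROLE_MAP.get(ou_path)
        if role is None:
            return None                             # unknown OU: nothing cached
        self.cache[mac] = (role, self.now + MACHINE_AUTH_TTL)
        return role

    def cached_machine_role(self, mac: str) -> Optional[str]:
        """Return the cached machine-auth role for this device, or None if absent/expired."""
        entry = self.cache.get(mac)
        if entry is None:
            return None
        role, expiry = entry
        if self.now >= expiry:
            del self.cache[mac]                     # expired: device must machine-auth again
            return None
        return role

    def user_auth(self, mac: str, user_ok: bool) -> dict:
        """Phase 2: combine the cached machine role with the user result."""
        role = self.cached_machine_role(mac)
        return ENFORCEMENT.get((role, user_ok), DENY)


if __name__ == "__main__":
    ps = PolicyServer(now=datetime(2024, 1, 1, 8, 0))
    ps.machine_auth("aa:bb:cc:00:00:01", "CN=DEVA,OU=ABC,DC=acme,DC=com")
    ps.machine_auth("aa:bb:cc:00:00:02", "CN=DEVB,OU=XYZ,DC=acme,DC=com")
    print(ps.user_auth("aa:bb:cc:00:00:01", True))  # RADIUS ALLOW
    print(ps.user_auth("aa:bb:cc:00:00:02", True))  # NAMED VLAN / role
    print(ps.user_auth("aa:bb:cc:00:00:03", True))  # DENY: no cached machine auth
```

The point of keying the cache on the device rather than on a single fixed role name is what makes a second cached role like [Machine Authentication - XYZ] work in this model: the user-authentication step only needs to know which machine role was cached, and the enforcement table does the differentiation.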