After reading the "Authentication and Authorization Architecture and Flow" section in the documentation, I'm still unclear about how Clearpass handles multiple authentication sources. If a user is authenticated successfully against the first configured source, does it stop going down the list? I would assume yes.
But what if the enforcement policy for that service includes conditions that check multiple authorization sources, and the authentication and authorization are both the same source? For example, if I have authentication sources domain1.example.com, followed by domain2.example.com, and enforcement policies with these conditions: "Authorization:domain1.example.com:memberOf CONTAINS group1" and "Authorization:domain2.example.com:memberOf CONTAINS group2". If domain1 is not queried for authentication, the authorization attributes will not be gathered, and the enforcement conditions can't be checked. If the rule evaluation algorithm is set to check 'all applicable', does Clearpass go back and authenticate separately for domain2 so it can evaluate all of the rules?