Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS client certificate checking with cppm

  • 1.  EAP-TLS client certificate checking with cppm

    Posted Oct 24, 2017 03:21 PM

    We are rolling out a new SSID that is using EAP-TLS for authentication. We have our own MPKI and have rolled out user certs and installed the needed certs on our ClearPass servers. We also have an SSID that uses PEAP for authentication. Everything was working fine in our test group until the auto renewal failed on our MPKI solution (Symantec) and user certificates started expiring. Now users attempt to join the EAP-TLS SSID and fail to authenticate because of the expired cert. While we are working with Symantec on the cert auto renewal issue, as a fallback plan, we would like to configure ClearPass so that users who fail to authenticate to the EAP-TLS SSID because their cert is expired then automatically roll over to the PEAP SSID and join it instead. Is there a way to do this?



  • 2.  RE: EAP-TLS client certificate checking with cppm

    EMPLOYEE
    Posted Oct 24, 2017 03:34 PM

    There's nothing that can be done from the ClearPass perspective. SSID association is a client decision.