Here's the deal - I am working on a migration from two old-homebrew guest sponsor systems. And I ran into this goofy situation where I have a group of guest sponsors/operators with access to both systems. On both systems they authenticate with their AD credentials. They can create guest accounts on both systems and it's all good because they are two different systems for different reasons. One is a restricted guest system and the other is the normal guest system, etc.
Now we want to consolidate these disparate systems into ClearPass. The problem is that they do have legitimate reasons for creating two different types of accounts. So this same group of users needs to be able to create accounts for the restricted use case and this means they need to be part of a special group (operator role in CPPM). But they also need to be able to sponsor regular guest accounts as individuals. And they would like to be able to authenticate with their AD accounts in both cases.
I think this may be possible with ClearPass by creating two sets of sponsor user roles (sponsor_A & sponsor_B) and then creating two separate operator profiles on CPG.
But the question I am stuck with is... "If this sponsor logs in to the sponsor portal with his/her AD account, how can I determine when s/he needs to be placed in role "A" when they want to sponsor users as part of this special user group? And how can I determine when s/he needs to be placed in role "B" to sponsor guests as an individual?"
Has anyone out there run into this sort of requirement? I am not a AAA/NAC expert so I am hoping there is something obvious that I am missing here. Any help/guidance is greatly appreciated!!!