You can most definitely do single SSID onboarding, just be sure to take a look at the potential man-in-the-middle risk with using PEAPv0/EAP-MSCHAPv2 on an unconfigured device. The more secure route is to use dual SSID onboard, but you don't necessarily have to set up an additional SSID. Most environments have a guest network and you can just use that.
Can you describe what's not working after using the template? For single-SSID onboarding, the flow is essentially:
- User connects via username/password
- ClearPass detects this by looking at the OuterMethod and seeing that it is not EAP-TLS and returns an Onboard enrollement role to the controller which is essentially a user-role that redirects traffic to ClearPass with a captive portal profile.
- After the user completes the Onboard process, they disconnect and reconnect and they're now in their final role.
(That's a very high level, generalized explanation of it.)