Hi,
I'm looking to do the same sort of configuration, I have CP working for provisioning but I can't see to get the two roles working depending on if you join the SSID via AD credentials or join the same SSID with TLS and a provisioned cert.
Effectivitly AD auth -> provisioning role and redirect to CP device enrollment page
EAP-TLS -> auth certificate -> full access role
Is there a guide I can follow?