Within your enforcement policy you need to define the condition, and based on that condition you will enforce an action (enforcement profile).
Here's an example that I use for my wireless 802.1X:
In this scenario I want non-domain devices (smartphones, Windows, Mac OS X, etc.) that have authenticated successfully using PEAP authentication to get onboarded.
And then I will allow it to get on the network without getting onboarded if it authenticates using EAP-TLS:
This doesn't exactly match your case, but I wanted to give you an idea of what you could do and how flexible ClearPass can be.
Key things to keep in mind:
- If you want to make decisions based on device type, you need to add ClearPass as a DHCP relay under your SVIs
- Add the endpoint database as an authorization source
- And enable the following to be used as roles:
So when the device authenticates, you can use this as tips roles to make decisions: