Hi
You control this in the rule mapping policy with the option below:

If Select first match is selected, the evaluation stops with the first match; with Select all matches, all rules are evaluated and a device can be assigned multiple roles.
Select first match is the default.
If you change the behavior, make sure you don't have rules in the Enforcement policy that require multiple roles to have been assigned.
The same option exists in Enforcement policies.
Personally I tend to have Select all matches in rule mapping policies and Select first match in the Enforcement policies.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
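The two settings described in the reply above, as an added example that is not part of the thread and is not ClearPass code: a simplified Python model that runs the six rules from the original question over a constructed iPad endpoint and then checks an enforcement rule that needs two roles. The endpoint attribute values, the case-sensitive comparison and the two-role enforcement rule are assumptions made for illustration.

```python
# Simplified model of rule-list evaluation; added example, not ClearPass code.
# A rule is (conditions joined by OR, role); a condition is (attribute, operator, value).
RULES = [
    ([("Category", "EQUALS", "Printer")], "Profiled_Printer"),
    ([("MAC Vendor", "EQUALS", "boca systems"), ("MAC Vendor", "EQUALS", "HP Inc.")], "Printer_OUI"),
    ([("Category", "EQUALS", "SmartDevice")], "Profiled_Mobile_Device"),
    ([("MAC Vendor", "CONTAINS", "Apple")], "Mobile_OUI"),
    ([("MAC Vendor", "CONTAINS", "AzureWave")], "Computer_OUI"),
    ([("Category", "EQUALS", "Computer")], "Profiled_Computer"),
]

# Constructed endpoint; the attribute values are assumptions for illustration.
IPAD = {"Category": "SmartDevice", "MAC Vendor": "Apple, Inc."}
# Hypothetical enforcement rule that needs both roles to be present.
REQUIRED_ROLES = {"Profiled_Mobile_Device", "Mobile_OUI"}

def condition_matches(endpoint, attribute, operator, value):
    """Evaluate one condition; a missing attribute never matches."""
    actual = endpoint.get(attribute)
    if actual is None:
        return False
    if operator == "EQUALS":
        return actual == value  # assumption: case-sensitive comparison
    if operator == "CONTAINS":
        return value in actual
    raise ValueError(f"unsupported operator: {operator}")

def map_roles(endpoint, rules, select_all_matches=False):
    """Walk the rules top to bottom and collect the roles of matching rules."""
    roles = []
    for conditions, role in rules:
        if any(condition_matches(endpoint, *cond) for cond in conditions):
            roles.append(role)
            if not select_all_matches:
                break  # Select first match: stop at the first rule that hits
    return roles

def enforcement_rule_fires(assigned_roles, required_roles):
    """True only when every required role was assigned by role mapping."""
    return set(required_roles) <= set(assigned_roles)

if __name__ == "__main__":
    for label, all_matches in (("Select first match", False), ("Select all matches", True)):
        roles = map_roles(IPAD, RULES, all_matches)
        fires = enforcement_rule_fires(roles, REQUIRED_ROLES)
        print(f"{label}: roles={roles} two-role enforcement rule fires={fires}")
```

In this model the two-role enforcement rule can only fire when role mapping uses Select all matches, which is the dependency the reply warns about.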
Original Message:
Sent: Aug 18, 2024 06:20 PM
From: bbartik
Subject: ClearPass Role Mapping order
Suppose I have the following role mapping policy:
1. | (Authorization:[Endpoints Repository]:Category EQUALS Printer) | Profiled_Printer |
2. | (Authorization:[Endpoints Repository]:MAC Vendor EQUALS boca systems) OR (Authorization:[Endpoints Repository]:MAC Vendor EQUALS HP Inc.) | Printer_OUI |
3. | (Authorization:[Endpoints Repository]:Category EQUALS SmartDevice) | Profiled_Mobile_Device |
4. | (Authorization:[Endpoints Repository]:MAC Vendor CONTAINS Apple) | Mobile_OUI |
5. | (Authorization:[Endpoints Repository]:MAC Vendor CONTAINS AzureWave) | Computer_OUI |
6. | (Authorization:[Endpoints Repository]:Category EQUALS Computer) | Profiled_Computer |
I have an iPad that is categorized as a SmartDevice (rule #3) but it consistently gets the role Mobile_OUI (rule #4). In a role mapping policy, do devices continue to get profiled after a role is mapped? Where can I see the inner workings of this behavior? Is it score-based like Cisco ISE? Thanks.