I am attempting to set up a wireless SSID that 2 groups of users can connect to. 1 set of users uses ClearPass, which is connected to a company AD server. The other group of users has a RADIUS connection on the controller to another DC under another company IT department. I have it set up so that when a user authenticates successfully using the RADIUS connection with the external company they are shuttled into a particular VLAN. The other gets the default VLAN for the VAP.
The problem is that in order to allow these two to coexist I need users of the external company to be able to get rejected auth against the ClearPass server (I'm not worried about the load for rejections as they are a small subset of users). I set it up so it has fail through, which means since it's 802.1X I need to terminate at the controller, which I've done. The problem is that once it terminates the EAP-PEAP EAP-MSCHAP at the controller, if it attempts to fail from authenticating to the external RADIUS first and then moves on to ClearPass, ClearPass spits out a message in Access Tracker saying "Cannot select appropriate authentication method".
Is there a situation I can get this to work other than setting up the ClearPass server to also be a RADIUS client for the other company's DC, and spitting that user back to the controller in a different role that then maps the alternate VLAN?
Am I missing something?