EAP-TLS and PEAP on the same SSID. EAP-TLS against an external CA whose certificate I uploaded into ClearPass. PEAP against an Active Directory. EAP-TLS should fail if the certificate provided belongs to the AD and only succeed if it is validated by the external CA.
With two services, I would simply set local db as the auth source on the EAP-TLS process. The PEAP auth would use AD as the auth source.
But on a single service I must add AD as the auth source for both TLS and PEAP, making it far more complex, requiring enforcement to reject specific cases where TLS succeeds against AD.
But I did not want to solve my problem; I want to be able to tell if something would work before making any promises to the customer. That is presales, without a full test lab to tell if it actually works, and the GUI is not misleading, letting you choose a value you cannot use.