I'm trying to create two separate services that are very similar. One of them is for a group of vendors, the other is for our internal IT employees. What I'd like to do is something like this:
Service "Vendor access", which triggers if the user attempting auth is accessing a specific device group (i.e., Connection:NAD-IP-Address belongs_to_group routers) AND the user belongs to the AD group "Vendors".
Then, after that in order, is an employee policy which is not restrictive at all and permits all access. Right now I am unable to find a way for the service policy to be triggered by both the connection device group and an AD group. Is that possible? Or should I have one service rule for the device group, then use a role mapping policy?