ClearPass can apparently use variables in x.509 certs, presented by clients within EAP-TLS auth, to change the role which is applied to individual clients. How do I find out more about how ClearPass is configured to do this? Also; how do I find out how these cert variables might be manipulated, when the certs themselves are generated by CP OnBoard? E.g. I want an OB user, approved by one Sponsor, to obtain different network access rights to a second OB user, approved by a different Sponsor...