Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Does Clearpass authenticate against all authentication sources configured in a service?

  • 1.  Does Clearpass authenticate against all authentication sources configured in a service?

    Posted Feb 25, 2015 12:57 PM

    After reading the "Authentication and Authorization Architecture and Flow" section in the documentation, I'm still unclear about how Clearpass handles multiple authentication sources. If a user is authenticated successfully against the first configured source, does it stop going down the list? I would assume yes.

    But what if the enforcement policy for that service includes conditions that check multiple authorization sources, and the authentication and authorization are both the same source? For example, if I have authentication sources domain1.example.com, followed by domain2.example.com, and enforcement policies with these conditions: "Authorization:domain1.example.com:memberOf CONTAINS group1" and "Authorization:domain2.example.com:memberOf CONTAINS group2". If domain1 is not queried for authentication, the authorization attributes will not be gathered, and the enforcement conditions can't be checked. If the rule evaluation algorithm is set to check 'all applicable', does Clearpass go back and authenticate separately for domain2 so it can evaluate all of the rules?



  • 2.  RE: Does Clearpass authenticate against all authentication sources configured in a service?
    Best Answer

    EMPLOYEE
    Posted Feb 25, 2015 12:58 PM

    Yes, it stops going through the list once the user is found. It moves on to authorization based on the authorization list.



  • 3.  RE: Does Clearpass authenticate against all authentication sources configured in a service?

    Posted Feb 25, 2015 01:03 PM

    Great, so once it moves on to authorization, it authenticates (gathering authorization attributes) against all applicable sources listed in the enforcement policy (assuming the all-applicable option is set), even if that source wasn't queried in the original authentication stage?



  • 4.  RE: Does Clearpass authenticate against all authentication sources configured in a service?

    Posted Feb 25, 2015 01:05 PM

    Remember, I'm interested in situations where the authentication server is also set to gather authorization attributes.  They're not separate servers.



  • 5.  RE: Does Clearpass authenticate against all authentication sources configured in a service?

    EMPLOYEE
    Posted Feb 25, 2015 01:19 PM

    It will always gather authorization information from the same authentication source.


  • 6.  RE: Does Clearpass authenticate against all authentication sources configured in a service?

    Posted Feb 25, 2015 01:20 PM

    Even if that source wasn't queried for authentication during the authentication stage?



  • 7.  RE: Does Clearpass authenticate against all authentication sources configured in a service?

    EMPLOYEE
    Posted Feb 25, 2015 01:24 PM

    Does the user exist in two authentication sources? I'm confused.


  • 8.  RE: Does Clearpass authenticate against all authentication sources configured in a service?

    Posted Feb 25, 2015 01:30 PM

    No, the user should only be in one authentication source. But Clearpass doesn't know that, so when it gets to the authorization stage, and there are enforcement policies referencing authorization sources from which the user was not authenticated, one might expect Clearpass to attempt authentication against those sources to gather authorization attributes.



  • 9.  RE: Does Clearpass authenticate against all authentication sources configured in a service?
    Best Answer

    Posted Jul 28, 2015 12:23 AM

    For the authorization stage, authentication is not done, but it will check the listed authorization sources for additional attributes if the account exists in another datastore.
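The flow the replies describe, as an added toy model that is not code from the thread or from HPE Aruba: authentication stops at the first source holding the account (reply 2), the authentication source always supplies authorization attributes (reply 5), listed authorization sources add theirs only where the account exists and without a second authentication (reply 9), and an enforcement rule referencing a source that returned nothing simply cannot match. The source names are the ones in the question; accounts, passwords and profile names are constructed, and checking the password only in the source where the account was first found is an assumption drawn from reply 2.

```python
# Added toy model of the flow in the replies (not HPE code); sources are constructed.
SOURCES = {
    "domain1.example.com": {
        "alice": {"password": "pw1", "memberOf": ["group1"]},
    },
    "domain2.example.com": {
        "bob": {"password": "pw2", "memberOf": ["group2"]},
        "alice": {"password": "other", "memberOf": ["group2"]},  # 2nd account
    },
}

def authenticate(sources, auth_order, user, password):
    """Walk sources in order and stop at the first where the account exists
    (reply #2); the password is checked only there, never further down."""
    for name in auth_order:
        account = sources[name].get(user)
        if account is not None:
            return name if account["password"] == password else None
    return None

def gather_attributes(sources, auth_source, authz_order, user):
    """Attributes always come from the authentication source (reply #5); the
    listed authorization sources add theirs only if the account exists there,
    with no second authentication (reply #9)."""
    attrs = {}
    for name in [auth_source] + [s for s in authz_order if s != auth_source]:
        account = sources[name].get(user)
        if account is not None:
            attrs[name] = {k: v for k, v in account.items() if k != "password"}
    return attrs

def evaluate(policy, attrs, all_applicable=True):
    """Rules of the form Authorization:<source>:memberOf CONTAINS <group>;
    a rule whose source returned no attributes simply cannot match."""
    matched = []
    for source, group, profile in policy:
        if group in attrs.get(source, {}).get("memberOf", []):
            matched.append(profile)
            if not all_applicable:
                break
    return matched

def run(sources, auth_order, authz_order, policy, user, password, all_applicable=True):
    """Authentication, then authorization, then enforcement, as in the thread."""
    auth_source = authenticate(sources, auth_order, user, password)
    if auth_source is None:
        return "REJECT", []
    attrs = gather_attributes(sources, auth_source, authz_order, user)
    return "ACCEPT", evaluate(policy, attrs, all_applicable)
```

The "alice"/"other" case shows the consequence of stopping at the first source where the account is found: a valid password on a later source is never tried.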