For context, we're testing this right now using IAPs. Production environment will be IAPs as well.
We have ClearPass Guest up and running. Captive portal, self-registration, guests receive a 24-hour MAC auth. What we want to do is use the same SSID for existing employee BYOD devices and not force them to register through the captive portal. These BYOD devices have a certificate issued by an internal CA, and I was hoping to use that as an authentication mechanism to bypass the captive portal. Basically, have ClearPass check for a valid certificate on the client device and, if found, the device / user would be given the Employee role. If not found, the device / user is redirected to the captive portal. I'm sure there are a number of ways to go about this, but I'd like to try and follow best practices. Any ideas would be greatly appreciated.