Hi all, just to update this thread, I was working with the OP and we finally got this working.
We set up the policy & profile as follows, and are now able to connect with one device only, using username / password auth. I think what was missing before was that the Endpoint wasn’t being updated with the AD username, the way it would with Guest authentication.
I’ll try to sum it up here:
In the screenshot above, you can see I have two rules in the Enforcement Policy, in this case based on my UserDN (just to ensure the rule hits during testing. Obviously for the customer, the rule condition will be based on TIPS:Role or something other than a static UserDN). The first rule is where we check the Unique-Device-Count. More than 1 device gets the Deny Access profile.
The next rule is where we set the user role and update the endpoint. Rather than setting it to known, or trying to cache the MAC address, the “Update Endpoint” profile simply adds the AD username to the endpoint.
The profiles look like this:
I tested this with various devices, and it always works. The first device authenticates properly, and the next one is rejected like this:
Hope this helps someone else!
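The rule ordering described in the post (count first, then stamp the endpoint with the AD username) is easy to get subtly wrong, so here is a small simulation of it as an added example. This is not ClearPass code and not the poster's configuration; the endpoint store, the `Username` attribute name and the way `Unique-Device-Count` is derived (endpoints already tagged with the user, plus the device now authenticating) are assumptions that mirror the two rules in the post. It generalizes the post's one-device case to a configurable limit, and it excludes the authenticating device's own MAC from the "other devices" count so that a re-authentication of the same device is not rejected as a second device.

```python
"""Simulation of a two-rule device-limit enforcement policy.

Added illustration only, not ClearPass code or the original poster's
configuration. Assumptions (not from the post):
  - the endpoint repository is a dict of MAC -> attribute dict
  - the "Update Endpoint" profile writes an attribute named "Username"
  - Unique-Device-Count = other endpoints tagged with the user + this device
Rule 1: Unique-Device-Count > MAX_DEVICES  -> "Deny Access"
Rule 2: otherwise                          -> "Allow" and stamp the endpoint
"""
from dataclasses import dataclass, field

USERNAME_ATTR = "Username"   # assumed endpoint attribute name
MAX_DEVICES = 1              # the post's case: one device per user


def normalize_mac(mac: str) -> str:
    """Store MACs without delimiters and in one case so the same device
    never appears as two different endpoints."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


@dataclass
class EndpointRepository:
    """Constructed stand-in for the endpoints database."""
    endpoints: dict = field(default_factory=dict)

    def tagged_macs(self, username: str) -> set:
        return {m for m, a in self.endpoints.items()
                if a.get(USERNAME_ATTR) == username}

    def update_endpoint(self, mac: str, username: str) -> None:
        # The "Update Endpoint" profile: add the AD username, nothing else.
        self.endpoints.setdefault(normalize_mac(mac), {})[USERNAME_ATTR] = username


def unique_device_count(repo: EndpointRepository, username: str, mac: str) -> int:
    """Other endpoints already carrying this username, plus the device that
    is authenticating now. Excluding the device's own MAC from the 'other'
    set is what lets a known device re-authenticate without being counted
    twice."""
    others = repo.tagged_macs(username) - {normalize_mac(mac)}
    return len(others) + 1


def enforce(repo: EndpointRepository, username: str, mac: str,
            max_devices: int = MAX_DEVICES) -> str:
    """Evaluate the two enforcement rules in order and return the profile."""
    # Rule 1: too many devices for this user -> Deny Access, endpoint untouched.
    if unique_device_count(repo, username, mac) > max_devices:
        return "Deny Access"
    # Rule 2: allow and stamp the endpoint so the next device is counted.
    repo.update_endpoint(mac, username)
    return "Allow"


def run_scenario() -> list:
    """Constructed test sequence: first device, its re-auth, a second device,
    then an unrelated user on that second device."""
    repo = EndpointRepository()
    sequence = [
        ("alice", "AA:BB:CC:00:00:01"),   # first device
        ("alice", "aa-bb-cc-00-00-01"),   # same device, different MAC format
        ("alice", "AA:BB:CC:00:00:02"),   # second device -> denied
        ("bob",   "AA:BB:CC:00:00:02"),   # other user, not affected by alice
    ]
    return [enforce(repo, user, mac) for user, mac in sequence]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The important property is that rule 1 never writes to the endpoint, so a denied device leaves no `Username` attribute behind and cannot itself block the user's real device later; if the count were taken after the update, every second attempt from the same laptop would also be rejected.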