Is there a recommended way to allow users to enroll for OnBoard certificates with different validity periods based on things like AD group membership? For instance:
GroupA = 1 year validity period
GroupB = 2 year validity period
Since the validity period is tied to the CA, I believe this would require multiple CAs in OnBoard, each with a unique device provisioning page. Then a pre-auth service could use the "Page-Name" attribute along with user authorization info to control who is allowed to enroll for each CA.
That makes sense to me, however I am scratching my head over OCSP validation in the EAP-TLS authentication method. Since you cannot have multiple EAP methods of the same type within a service, it does not seem possible to achieve this scenario over a single SSID.
Has anyone else implemented this, or is it simply not possible with ClearPass today?
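The "one CA per validity period" model the question describes can be sketched outside ClearPass with plain OpenSSL. The script below is an added example, not OnBoard or ClearPass configuration, and everything in it (the CA names GroupA and GroupB, the users alice and bob, the 365/730-day lifetimes, the helper names) is constructed for illustration. It builds two issuing CAs, issues one client certificate from each with that CA's lifetime, and then shows the two checks an authorization step would key on: which CA actually chains the presented certificate (`issuing_group`) and whether the certificate outlasts a given number of days (`outlasts_days`). The point it makes is that the group/lifetime decision travels with the issuer of the certificate, which is the property any per-CA revocation or authorization rule has to be built on.

```shell
#!/bin/sh
# Added example (not ClearPass/OnBoard configuration): model "one CA per
# validity period" with OpenSSL so that the issuing CA, not the EAP method,
# carries the group and lifetime decision. All names/lifetimes are constructed.
set -eu

WORK="$(mktemp -d)"

# make_ca NAME DAYS: create a constructed root CA; DAYS is the lifetime the CA
# will give to the client certificates it issues (stored beside the CA files).
make_ca() {
  name="$1"; days="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=${name} Issuing CA" \
    -keyout "$WORK/${name}-ca.key" -out "$WORK/${name}-ca.crt" 2>/dev/null
  echo "$days" > "$WORK/${name}-ca.days"
}

# issue_cert NAME USER: issue USER a client certificate from CA NAME, using
# that CA's configured lifetime (this is the "validity tied to the CA" rule).
issue_cert() {
  name="$1"; user="$2"
  days="$(cat "$WORK/${name}-ca.days")"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=${user}" \
    -keyout "$WORK/${user}.key" -out "$WORK/${user}.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/${user}.csr" -sha256 -days "$days" \
    -CA "$WORK/${name}-ca.crt" -CAkey "$WORK/${name}-ca.key" -CAcreateserial \
    -out "$WORK/${user}.crt" 2>/dev/null
}

# issuing_group CERT: print the name of the CA (i.e. the group) whose trust
# anchor chains CERT, or NONE. An authorization rule can branch on this value.
issuing_group() {
  cert="$1"
  for name in GroupA GroupB; do
    if openssl verify -CAfile "$WORK/${name}-ca.crt" "$cert" >/dev/null 2>&1; then
      echo "$name"; return 0
    fi
  done
  echo NONE; return 1
}

# outlasts_days CERT DAYS: succeed if CERT is still valid DAYS from now.
outlasts_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

make_ca GroupA 365      # GroupA = 1 year validity period
make_ca GroupB 730      # GroupB = 2 year validity period
issue_cert GroupA alice
issue_cert GroupB bob

# Stand-alone demo: report issuer and whether each cert survives 400 days.
for u in alice bob; do
  printf '%s issued by %s; still valid in 400 days: ' "$u" "$(issuing_group "$WORK/$u.crt")"
  if outlasts_days "$WORK/$u.crt" 400; then echo yes; else echo no; fi
done
```

Running it prints that alice chains to GroupA and is not valid in 400 days, while bob chains to GroupB and is. Mapping the issuer to a revocation source is the same idea: each CA's certificates are checked against that CA's own responder, so a per-issuer lookup is what replaces a second EAP method.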