Yes it is, but since we are using the option "evaluate all" at the Role selection part, it sometimes gets more than 1 role, on which we make some decisions in the enforcement policy to send VLAN and user-role back to the Aruba controllers.
So the Tips:Role consists of several roles at that point and not 1 in particular, while after we have made the decisions in our enforcement policy, we only send 1 user role back to the Aruba; we would like to send the same Aruba role back to the Fortinet as well (it is the request of our customer).
I will provide you with an example:
If employees are logging in we can receive the TIPS role:
* employee and engineer
* employee and admin
* employee and sales
If a contractor logs in:
* contractor and engineer
* contractor and admin
Then we are always sending these 2 roles back to the Fortinet, while we only send 1 role back to the Aruba controller, but we want to differentiate on our ClearPass whether it is a contractor or employee and whether, together with that, it is an engineer role or a contractor role. So we need to select "evaluate all" in the role mapping, and in the enforcement profile we are using "apply first applicable". And then we want this user-role that is sent back to the controller to also be sent back in the accounting message to the Fortinet.