Hello,
I'm wondering if the following is possible with OnBoard (single provisioning SSID):
We'd like to have users authenticate via AD (EAP-PEAP) when on-boarding their device, but we want to put the users in different roles based on what AD group they are in once they are provisioned and authenticating with EAP-TLS.
Is it possible to write an attribute into the client's certificate (during the provisioning authorization service) process based on what AD group they belong to so that we can filter for that attribute when doing EAP-TLS authentication to derive the correct role?
I can see that there is an option in provisioning settings under 'Web Logins' to enter a custom field that will be written into the client certificate, but my understanding is that this requires user input in the login page. What we're after is automatic mapping of AD group to client certificate attribute. Is this possible?
Many thanks, any assistance is appreciated.