Hi Nick and Tim,
I'm trying to do something similar where I want to restrict onboarding to both a static host list as well as AD credentials. The intention is that only whitelisted devices can be onboarded by staff.
Onboarding is occurring via an onboarding SSID, and after onboarding, devices will be on a corporate EAP-TLS SSID.
The trouble I'm facing is that even though I've created a static host list as an authentication source, the option to use it as an authorization source is greyed out.
In my enforcement policy I wanted the ruleset to look something like:
tips // role // equals // user authenticated
Connection // Client-Mac-Address // BELONGS_TO_GROUP // --SHL-- name
I'm not able to select or get the SHL component working. I tried setting the onboard authorisation to RADIUS as well as application (two separate services) and was unable to get either working with the SHL. Onboarding without the SHL works fine.
Do you have any suggestions or ideas on how I could get this working? I thought another option would be to host a SQL DB externally and use it as an authorisation source, but it seems like this should be achievable with the SHL.
Thanks in advance. Cheers,
Liam