Hi all,
I believe I have a working solution for this issue. Will do more testing later.
1) At the Onboard Authorization rule, add a Post_Authentication enforcement profile (along with [Allow Application Access Profile]) to add a new attribute: Endpoint:Username = %{Authentication:Username}
2) Add the following rules to role mapping:
Endpoint:Username NOT_EXISTS
OR Endpoint:Username NOT_EQUALS %{Certificate:Subject-CN}
--> assign role "Invalid Certificate"
3) On the enforcement policy, add the following rule:
Tips:Role EQUALS Invalid Certificate --> [Deny Access Profile]
Thank you,
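To make the three steps above easier to reason about, here is a small Python model of the rule flow. This is an added illustration, not part of the original post and not ClearPass code: ClearPass evaluates these rules in its own policy engine, and the dict layout, the `evaluate` helper, the MAC/username sample values and the `[Allow Access Profile]` name for the normal allow path are all assumptions. What it shows is the security point of the recipe: the username recorded at onboarding is bound to the endpoint, and any later certificate whose Subject-CN does not match that record (or hits an endpoint with no record at all) lands in the "Invalid Certificate" role and is denied.

```python
# Added example (not from the original post): a simulation of the
# ClearPass rule logic described in steps 1-3. Attribute and role names
# mirror the post; the data structures and sample values are assumptions.

INVALID_CERT_ROLE = "Invalid Certificate"


def post_authentication(endpoint_db: dict, mac: str, auth_username: str) -> None:
    """Step 1: at Onboard authorization, the Post_Authentication profile
    writes Endpoint:Username = %{Authentication:Username} to the endpoint."""
    endpoint_db.setdefault(mac, {})["Username"] = auth_username


def role_mapping(endpoint: dict, cert_subject_cn) -> list:
    """Step 2: Endpoint:Username NOT_EXISTS
            OR Endpoint:Username NOT_EQUALS %{Certificate:Subject-CN}
            --> role 'Invalid Certificate'.
    Comparison is an exact string match, as NOT_EQUALS implies."""
    roles = []
    stored = endpoint.get("Username")        # None models NOT_EXISTS
    if stored is None or stored != cert_subject_cn:
        roles.append(INVALID_CERT_ROLE)
    return roles


def enforcement(roles: list) -> str:
    """Step 3: Tips:Role EQUALS Invalid Certificate --> [Deny Access Profile]."""
    if INVALID_CERT_ROLE in roles:
        return "[Deny Access Profile]"
    return "[Allow Access Profile]"           # assumed name for the normal allow path


def evaluate(endpoint_db: dict, mac: str, cert_subject_cn) -> str:
    """Run a certificate (EAP-TLS) authentication from device `mac` through
    role mapping and enforcement, using the endpoint record if one exists."""
    endpoint = endpoint_db.get(mac, {})
    return enforcement(role_mapping(endpoint, cert_subject_cn))


if __name__ == "__main__":
    db = {}                                   # constructed endpoint repository
    dev = "aa-bb-cc-dd-ee-ff"                 # constructed MAC address
    post_authentication(db, dev, "alice")     # alice onboards this device
    print(evaluate(db, dev, "alice"))         # same user, same device -> allow
    print(evaluate(db, dev, "bob"))           # other user's cert on alice's device -> deny
    print(evaluate(db, "11-22-33-44-55-66", "alice"))   # no endpoint record -> deny
```

The three calls at the bottom cover the three cases the role-mapping rule is meant to catch: a matching certificate is allowed, a certificate issued to a different user presented from the onboarded device is denied, and a device that never went through onboarding (so Endpoint:Username does not exist) is also denied.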