This worked fine. Didn't have to add any attributes in the web login.
Just differencing on the roles and enforcement for each service.
Not sure I need all of this, but it seems to give me what I wanted: a segregation of different companies on the same controller/ClearPass in the same MAC/user database.
Jumping between SSIDs sends me to the Captive Portal for login; jumping back to the previous SSID without logging in on the CP page logs me in directly (MAC auth shows in Access Tracker).
Jumping back to the previous SSID after CP login redirects me to the CP page, and access denied for MAC auth shows in Access Tracker.
MAC auth service
Roles: Role ID 4 gives role CustomerA_users
Enforcement:
Conditions ---- Enforcement Profiles
1. (Tips:Role MATCHES_ALL [MAC Caching][User Authenticated] CustomerA_users) ----- [Allow Access Profile], CustomerA Employee Profile
2. (GuestUser:Role ID EQUALS 4) ---- [Allow Access Profile], CustomerA Captive Portal Profile
Captive portal initial login:
Roles: Role ID 4 gives role CustomerA_users
Enforcement:
Conditions ---- Enforcement Profiles
1. (Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 4) ---- [Deny Access Profile]
2. (GuestUser:Role ID EQUALS 4)
AND (Date:Day-of-Week BELONGS_TO Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday) ---- CustomerA MAC Caching Session Timeout, CustomerA MAC Caching Bandwidth Limit, CustomerA MAC Caching Session Limit, CustomerA Employee MAC Caching, [Update Endpoint Known], CustomerA MAC Caching Do Expire, CustomerA MAC Caching Expire Post Login, CustomerA Employee Profile
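
The tenant segregation described in this post, modelled as an added example (not the poster's configuration and not ClearPass code). Assumptions: first-match rule evaluation, a deny default when no rule matches, a portal login recording the tenant's Role ID against the MAC, and a hypothetical second tenant CustomerB with Role ID 5 and constructed profile names.

```python
from dataclasses import dataclass
from typing import Optional

CACHE_ROLES = {"[MAC Caching]", "[User Authenticated]"}
ALLOW = "[Allow Access Profile]"
DENY = ["[Deny Access Profile]"]  # assumed default when no rule matches


@dataclass
class Endpoint:
    guest_role_id: Optional[int]  # Role ID of the account this MAC last logged in with
    cache_valid: bool             # True while the MAC caching entry has not expired


@dataclass(frozen=True)
class MacAuthService:
    role_id: int
    role: str
    employee_profile: str
    portal_profile: str

    def roles(self, ep):
        # Role mapping from the post: "Role ID <n> gives role <tenant>_users"
        roles = set(CACHE_ROLES) if ep.cache_valid else set()
        if ep.guest_role_id == self.role_id:
            roles.add(self.role)
        return roles

    def enforce(self, ep):
        # Rule 1: Tips:Role MATCHES_ALL [MAC Caching][User Authenticated] <role>
        if (CACHE_ROLES | {self.role}) <= self.roles(ep):
            return [ALLOW, self.employee_profile]
        # Rule 2: GuestUser:Role ID EQUALS <role_id>
        if ep.guest_role_id == self.role_id:
            return [ALLOW, self.portal_profile]
        return DENY  # other tenant's MAC: no rule matches, MAC auth is rejected


CUSTOMER_A = MacAuthService(4, "CustomerA_users", "CustomerA Employee Profile",
                            "CustomerA Captive Portal Profile")
# Hypothetical second tenant; Role ID 5 and profile names are constructed.
CUSTOMER_B = MacAuthService(5, "CustomerB_users", "CustomerB Employee Profile",
                            "CustomerB Captive Portal Profile")


def portal_login(ep, service):
    """Captive portal login: cache the MAC against the tenant's Role ID (assumed)."""
    ep.guest_role_id, ep.cache_valid = service.role_id, True
```

In this model a MAC cached by CustomerA falls through both rules on CustomerB's service, and a later portal login on CustomerB makes the same MAC fall through on CustomerA's service, which matches the behaviour reported above.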