Hi Yada,
You can accomplish this in a number of ways.
1. Create new AD groups for Cisco Read-Only, Cisco Maintenance, Juniper Read-Only and Juniper Maintenance, and add only the users that need the required access.
2. In ClearPass, you can nest conditions in your Enforcement Policy rules that check the following:
- Device - the network device will be added to a Network Device Group to allow for proper identification
- AD user group - check the memberOf attribute to see if the user is a member of a group with access
- AD username - this one is extremely specific and would require multiple rules should you have multiple people this applies to
Here is what a rule might look like for a Cisco device and a user with the username user1 who belongs to the Cisco ReadOnly AD group:
The Role Mapping is where you would apply these roles, and this is what that might look like:
My suggestion would be to use the convenience of Active Directory and have a specific group with specific people in those groups. This will keep administrative upkeep at a minimum and keep the rulesets cleaner.
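To make the rule logic in the reply above concrete, here is a small Python model of how an enforcement policy with the three condition types (device group, AD memberOf, username) picks a profile. This is an added example written for this page, not ClearPass code and not something from the original reply. The device group names, IP addresses, usernames, AD groups and profile names are all constructed assumptions, and the evaluation order (top to bottom, first match wins, fall through to a default) is the assumption the model is built on. It also shows why rule order matters when a user sits in both a Read-Only and a Maintenance group.

```python
"""Model of how a ClearPass-style TACACS+ enforcement policy picks a profile.

Added example, not ClearPass code and not from the original post. Every group
name, IP address, username and profile name below is a constructed assumption.
Rules are evaluated top to bottom, first match wins; no match falls through to
the default profile.
"""
from dataclasses import dataclass
from typing import Optional

# Network Device Groups: group name -> NAD IP addresses (constructed sample data)
DEVICE_GROUPS = {
    "Cisco-Switches": {"10.0.1.10", "10.0.1.11"},
    "Juniper-Routers": {"10.0.2.10"},
}

# What the AD authorization source would return in memberOf (constructed)
AD_MEMBER_OF = {
    "user1": {"Cisco-ReadOnly", "Domain Users"},
    "user2": {"Cisco-Maintenance", "Juniper-ReadOnly", "Domain Users"},
    "user3": {"Domain Users"},
    "user4": {"Cisco-ReadOnly", "Cisco-Maintenance", "Domain Users"},
}

DEFAULT_PROFILE = "[Deny Access Profile]"


@dataclass(frozen=True)
class Rule:
    """One enforcement policy rule. All conditions that are set are ANDed,
    like the conditions inside a single ClearPass rule."""
    name: str
    device_group: str                # device belongs to this Network Device Group
    member_of: Optional[str] = None  # AD memberOf must contain this group
    username: Optional[str] = None   # exact username match (one rule per person)
    profile: str = DEFAULT_PROFILE


def rule_matches(rule: Rule, nad_ip: str, username: str) -> bool:
    """Return True only if every condition set on the rule holds for this request."""
    if nad_ip not in DEVICE_GROUPS.get(rule.device_group, set()):
        return False
    if rule.member_of is not None and rule.member_of not in AD_MEMBER_OF.get(username, set()):
        return False
    if rule.username is not None and rule.username != username:
        return False
    return True


def evaluate(rules, nad_ip: str, username: str) -> str:
    """First-match evaluation: profile of the first matching rule, else the default."""
    for rule in rules:
        if rule_matches(rule, nad_ip, username):
            return rule.profile
    return DEFAULT_PROFILE


# Group-based rules. Maintenance rules sit above Read-Only rules so that a user
# who is in both groups gets the higher privilege instead of the first
# read-only hit (see the reversed-order check in the usage below).
GROUP_RULES = [
    Rule("Cisco Maint", "Cisco-Switches", member_of="Cisco-Maintenance", profile="TACACS-Cisco-Priv15"),
    Rule("Cisco RO", "Cisco-Switches", member_of="Cisco-ReadOnly", profile="TACACS-Cisco-Priv1"),
    Rule("Juniper Maint", "Juniper-Routers", member_of="Juniper-Maintenance", profile="TACACS-Juniper-SuperUser"),
    Rule("Juniper RO", "Juniper-Routers", member_of="Juniper-ReadOnly", profile="TACACS-Juniper-ReadOnly"),
]

# A username-specific exception: one rule per person, which is exactly the
# administrative overhead the reply recommends avoiding.
USERNAME_RULES = [
    Rule("user3 Cisco RO", "Cisco-Switches", username="user3", profile="TACACS-Cisco-Priv1"),
]

ALL_RULES = GROUP_RULES + USERNAME_RULES


def access_matrix(rules, users, devices):
    """Audit helper: which profile every user would receive on every device."""
    return {(u, d): evaluate(rules, d, u) for u in users for d in devices}


if __name__ == "__main__":
    matrix = access_matrix(ALL_RULES, AD_MEMBER_OF, ["10.0.1.10", "10.0.2.10", "192.0.2.5"])
    for (u, d), profile in sorted(matrix.items()):
        print(f"{u:6} on {d:12} -> {profile}")
    # Same user, same groups, rules in the wrong order: read-only wins.
    print("user4 with reversed rules ->", evaluate(list(reversed(GROUP_RULES)), "10.0.1.10", "user4"))
```

Running the script prints the access matrix, which is the check worth doing before pushing such a policy: every unknown device (192.0.2.5) and every user outside the relevant groups should land on the default deny profile, and the reversed-order line shows that a user in both Cisco groups drops to Priv1 if the Read-Only rule is placed first.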