Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

User Clearpass based self-registration with MAC exclusions and AD authentication

  • 1.  User Clearpass based self-registration with MAC exclusions and AD authentication

    Posted Feb 23, 2018 12:47 PM

    I wanted to know if the following is doable:

     

    1. Formation of an onboarding SSID

       - Used solely for device self-registration

       - Authentication against external AD IDP

       - Allows for the end-user self-support addition of devices allowed based on MAC addresses

       - Sends text confirmation of account creation and WPA2 SSID and PSK information 

       - MAC address rules mapped to AD-User entry in Clearpass with airgrouping

     

    2.  Formation of an IoT SSID using WPA2 PSK with MAC filtering based on the information collected in step 1

     

    3. API or other ability for a push event to disable IoT access due to account deletion, disability, or other loss of AD access.  A periodic check by Clearpass of AD Account status would also work.

     

    I know this is a lot of issues to solve, but I need to grant secure network access to AD user devices that do not support 802.1X (think game consoles and video streaming devices), with an ability for access to be removed due to a change in AD access.  This would need to scale into the tens of thousands of devices, so it must have per-user self-support ability without the need for Clearpass and/or WLC support to allow user devices access.
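
The periodic check of AD account status asked for in item 3, shown as an added example that is not part of the original post and is not ClearPass code. The function names, the registration list and the directory snapshot are constructed assumptions; how the returned MACs are then removed from the MAC filter is not covered, because the thread does not describe it.

```python
import re

ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks a disabled AD account


def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, or None if it is malformed."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def macs_to_revoke(registrations, directory):
    """Decide which self-registered devices must lose IoT access.

    registrations: iterable of (mac, owner sAMAccountName) pairs (assumed shape).
    directory: {sAMAccountName: userAccountControl} for accounts that still exist.
    Returns {mac: reason}; a device whose owner cannot be found is revoked.
    """
    if not directory:
        # An empty snapshot is more likely a failed lookup than a deleted
        # domain; refuse to revoke every device on that basis.
        raise ValueError("empty directory snapshot, refusing to reconcile")
    accounts = {name.lower(): uac for name, uac in directory.items()}
    revoke = {}
    for raw_mac, owner in registrations:
        mac = normalize_mac(raw_mac)
        if mac is None:
            revoke[raw_mac] = "malformed-mac"
            continue
        uac = accounts.get(owner.lower())  # sAMAccountName is case-insensitive
        if uac is None:
            revoke[mac] = "owner-deleted"
        elif uac & ACCOUNTDISABLE:
            revoke[mac] = "owner-disabled"
    return revoke


# Constructed sample data: bwong no longer exists, asmith is disabled (0x202).
REGISTRATIONS = [
    ("AA:BB:CC:00:11:22", "jdoe"),
    ("aa-bb-cc-00-11-33", "JDoe"),
    ("aabb.cc00.1144", "asmith"),
    ("AA:BB:CC:00:11:55", "bwong"),
    ("not-a-mac", "jdoe"),
]
DIRECTORY = {"jdoe": 0x0200, "asmith": 0x0202}

if __name__ == "__main__":
    for mac, reason in macs_to_revoke(REGISTRATIONS, DIRECTORY).items():
        print(mac, reason)
```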



  • 2.  RE: User Clearpass based self-registration with MAC exclusions and AD authentication

    EMPLOYEE
    Posted Feb 23, 2018 12:52 PM
    Yes, this is possible, but having a dedicated SSID is not really necessary.


  • 3.  RE: User Clearpass based self-registration with MAC exclusions and AD authentication

    Posted Feb 23, 2018 01:00 PM

    The idea for the separate SSID is to allow access to a new user before WPA2PSK creds are known.  Question is, how do you do self-support in Clearpass based on AD auth, to include "Adding devices?"  I have not been able to make this work.