Security

I need to configure 802.1x PEAP authentication using CLEARPASS as NAC and Fortigate100D as NAD. take in consideration that fortigate 100D works as a WLC for FortiAP431F (Tunnel mode), so user authentication and authorization should be done from SSID created on fortiAP. but I want only users belonging to specific group to have access to the network. Users and groups are stored on CLEARPASS as an authentication source through Active directory.

I was researching and found the following fortinet's link that makes me an idea.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD36464

It expect that AVP being provided by NAS server (RADIUS server) in Access-Accept (if user pass authentication).
And then FortiGate compare string-by-string what is in group match config and what he got from RADIUS server. If it matches perfectly (100% match) then the user is considered as member of that group in FORTIGATE device, Then it could apply a firewall policy on fortinet based on Source group name.

could the test work with clearpass and fortiAP with those advices?

I attach two screens of planning for clearpass, in enforcement and profiles

please, your advice or support if it is possible or not.