A ClearPass Policy Manager (CPPM) service includes these settings:Role Mapping Policy:Evaluate: Select firstRule 1 conditions:Authorization:AD:Groups...

1. Understanding the Role Mapping Evaluation:

Role mapping is set to "Evaluate: Select first," meaning the first rule that matches the client attributes will determine the role(s) assigned.

Contractors group: Since the client is in the Contractors group (not Managers), Rule 1 in the Role Mapping Policy does not match.

TEAP-Method-1-Status EQUALS Success: This condition matches Rule 2, so the client is assigned the domain-comp role.

No other rules match, so the default role [Other] is not applied.

2. Resulting Role from Role Mapping Policy:

The client is assigned the domain-comp role.

3. Enforcement Policy Evaluation:

Enforcement policy is also set to "Evaluate: Select first," so the first matching rule determines the enforcement profile.

Rule 1 (Tips Role = manager AND domain-comp):

The client only has the domain-comp role, not manager, so this rule does not match.

Rule 2 (Tips Role = manager):

The client does not have the manager role, so this rule does not match.

Rule 3 (Tips Role = domain-comp):

This rule matches the client's role, but it is not evaluated because the enforcement policy already skipped to the default action after failing the first two rules.

4. Default Enforcement Profile:

Since no rule explicitly matches and the policy evaluation stops at the default, the default profile [Deny Access Profile] is applied.

Final Outcome:

The client is denied access because none of the matching rules satisfy the conditions.

References

Aruba ClearPass Policy Manager Role Mapping and Enforcement Policies Guide.

Role and Policy Evaluation Logic for ClearPass Authentication Services.