When you define roles based on group attributes (AD security group membership), we notice that you can't be a member of more than one group. Our teachers are members of the sec. group "teachers" and get the right role when they connect. But certain teachers are also members of the sec. group "wifi_operators" (to give them extra rights, like guest pass generation: therefore we made an extra role). When they connect, they only get the rights based on their membership of the group "teachers"; they don't get the second role, based on their membership of wifi_operators.
Is this a bug, or is it by design? Do you have a solution for that problem?
That is working as designed. A user can only be a member of one group, within the ZD.
You can create a third role (third group in AD) for those teachers that are allowed to generate guest passes: make the "Teacher+" group and only put some of the teachers in this group, with similar if not the exact same rights as the teachers, but when they authenticate against the ZD, they get assigned a role that will allow them to generate the guest pass. This should be transparent to the users.
I have a similar issue, and a follow-up. Let's assume that the "teacher" role has access to the "Teacher" SSID. The "teacher+" role would also need access to the "Guest" SSID, in order to generate a guest pass. When they log in to an onboarding portal with access to both the "teacher" and "guest" SSIDs, which one will the provisioning wizard configure?