ClearPass will auto-generate an internal WebAuth request by default after a 
device registration.

Create a service to accept this request and issue a disconnect message to the 
controller to force a reauthentication.

See these screenshots for the service config; it’s very basic. You only need 
the enforcement profiles for the NADs you’re using.

http://aruba.i.lithium.com/t5/image/serverpage/image-id/30944iE5F3B1A85398D84E/image-size/large?v=1.0&px=999

http://aruba.i.lithium.com/t5/image/serverpage/image-id/30943i73208ADC98FF1301/image-size/large?v=1.0&px=999



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Sweetser, Frank E" 
<f...@wpi.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Sunday, August 27, 2017 at 2:32 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?


The canonical answer is to set up ClearPass to do a RADIUS CoA to proactively 
change the device role when its registration status gets updated.  That way it 
should happen pretty much immediately, rather than having to wait for a timeout.


Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - 
HL Mencken
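
The disconnect message and RADIUS CoA discussed in the two replies above are RFC 5176 packets sent to the controller and authenticated with the RADIUS shared secret. The sketch below is an added example, not part of the thread and not ClearPass's own code; it builds a Disconnect-Request, shows the check a controller applies before acting on it, and validates the reply. Selecting the session by Calling-Station-Id, the function names and all sample values are assumptions.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 codes
NAS_IP_ADDRESS, CALLING_STATION_ID = 4, 31                       # RFC 2865 attributes
ZERO_AUTH = bytes(16)

def attr(attr_type, value):
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect(ident, secret, client_mac, nas_ip):
    """Build a Disconnect-Request naming the session by client MAC (assumed selector)."""
    attrs = attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attr(CALLING_STATION_ID, client_mac.encode("ascii"))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(code, id, length, 16 zero octets, attributes, secret)
    auth = hashlib.md5(header + ZERO_AUTH + attrs + secret).digest()
    return header + auth + attrs

def request_is_authentic(packet, secret):
    """Controller-side check: reject a request not signed with the shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + ZERO_AUTH + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def reply_outcome(reply, request, secret):
    """Server-side check of the controller's answer: 'ack', 'nak' or 'invalid'."""
    if len(reply) < 20 or reply[1] != request[1]:
        return "invalid"
    # Response Authenticator = MD5(code, id, length, Request Authenticator, attributes, secret)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "invalid"
    return {DISCONNECT_ACK: "ack", DISCONNECT_NAK: "nak"}.get(reply[0], "invalid")

# Constructed sample values, not taken from the thread.
SECRET = b"constructed-shared-secret"
REQUEST = build_disconnect(7, SECRET, "AA-BB-CC-DD-EE-FF", "192.0.2.10")
ACK_HEADER = struct.pack("!BBH", DISCONNECT_ACK, 7, 20)
ACK = ACK_HEADER + hashlib.md5(ACK_HEADER + REQUEST[4:20] + SECRET).digest()

if __name__ == "__main__":
    print(request_is_authentic(REQUEST, SECRET), reply_outcome(ACK, REQUEST, SECRET))
```

A mismatch between the shared secret configured on the server and on the controller shows up here as a failed authenticator check, in which case the request is not acted on and the device stays in its old role.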

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Davis <da...@udel.edu>
Sent: Sunday, August 27, 2017 9:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Thanks. I believe it turned out to be devices sticking in the "preauth" role 
that were not yet registered.  The commonality of all the Epsons focused on 
them instead of the issue.  Their defensive IP policy must have been triggered 
by the locked down role.

Does anyone know offhand how to age out devices quickly from a preauth role 
that's not the default system preauth role?

thanks
mike

On 8/26/17 4:05 PM, Michael Dickson wrote:
Just a thought but do you have multiple helper addresses configured for that 
vlan/subnet? I'm wondering if maybe the printers aren't expecting that. Another 
random thought, if they're not broadcasting for a lease because they require a 
static could they have maybe all self-assigned themselves the same IP and are 
discovering each other over L2?

Good luck. We're pretty much going down the same CPPM/Airgroup path right now.

Mike

Michael Dickson
Network Engineer
Information Technology
University of Massachusetts Amherst
413-545-9639
michael.dick...@umass.edu
PGP: 0x16777D39

On Aug 26, 2017, at 3:18 PM, Michael Davis <da...@udel.edu> wrote:
First Semester supporting mDNS in production with Aruba Clearpass Airgroup.

Almost every Epson XP series printer is complaining of duplicate IP addresses,
which of course is not the case.  Anyone see anything similar?  There are a few
older web searches about Epsons requiring a static IP, which isn't an option 
right now unfortunately.

Only Freshmen moving in today (~5K), the bulk (~20K) will arrive tomorrow and
throughout the week.

ArubaOS 6.5.3.2
CPPM 6.6.7.96909
Four 7240 controllers
~3200 APs
Three primary SSIDs: eduroam, Devices, Guest (clearpass)


thanks
mike

On 8/25/17 9:22 AM, Lee H Badman wrote:
It might be beneficial to share notes in case other schools are hitting common 
problems. I’m wondering how everyone who is in the thick of it is faring with 
back-to-school?

On this end, we are doing OK halfway to our expected total daily peak clients 
(we’re at 15K now high water mark).

Our significant WLAN-related changes since end of Spring semester
· Running 8.2.151 on our 8540s
· Significant quantities of Wave 2 APs
· ISE as RADIUS (only, no NAC, no onboarding)

No changes to:
· our guest WLAN (Clearpass/an Aruba controller pair)
· onboarding (Cloudpath Wiz)
· overall topology
· open network in dorms for gadgets
· non-use of AVC, it crapped out and never got solved after hundreds of hours with TAC

Fears:
· We haven’t yet hit the scale that will reveal problems with any of the newer stuff listed above

Anyone else care to share?

-Lee


Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu



********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.

