07-06-2016 09:04 AM
Having a consistent issue on mobility switches where they're unable to download the latest role from Clearpass and newly connected devices end up in a default role. The issue occurs when a change is made to the download role in Clearpass and a device that wasn't already connected to the switch plugs in. The problem is that the ACL table becomes full with ACE entries from previous versions of downloadable roles and is unable to fully download the latest (incremented) role and apply it to the newly connected device. Since other authenticated devices are using the older role, it can't be cleared using the download-role-delete command to make room for the updated role. The only way of getting the new role populated is to shutdown any port using the old role, delete the downloadable role, then no shut the same ports. They'll all reauthenticate and pull the latest role. The downside is that I have to do this to multiple switches and the endpoints lose connectivity as I have to shutdown the ports.
Is there anyway to flush the old download role so the new one can be populated without affecting users and/or having to connect to every switch.
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.