Why don't clients do MAC authentication when switching from one VLAN to another?
Web-based onboarding is enabled with 2 SSIDs: the 1st SSID is used to onboard the device and capture its MAC address, while the 2nd SSID allows the actual connection.
For optimal performance, Aruba's current design caches the MAC authentication result (i.e. failure or success) and reuses it for subsequent attempts as long as the user's entry is present in the controller.
Device onboarding is a special scenario where MAC authentication fails on the initial attempt and passes on later attempts. In this case, caching the first result would mean the device never attempts MAC authentication a second time. To avoid this, we can enable the "registration" role option on the initial role of the 1st SSID. This ensures that the MAC authentication result isn't cached and authentication is performed against the server again on reconnection.
AAA profile mapped to the 1st (onboarding) SSID:
aaa profile "clp-guest-aaa"
    initial-role "clp-pre-auth"
    authentication-mac "clp-guest"
    mac-default-role "authenticated"
    mac-server-group "cppm-srv-grp"
!
AAA profile mapped to the SSID on VLAN 102; after device enrollment, the user connects to this SSID:
aaa profile "clp-mdm-aaa"
    initial-role "clp-mdm-user"
    authentication-mac "clp-guest"
    mac-default-role "clp-mdm-user"
    mac-server-group "cppm-srv-grp"
!
With MAC auth enabled on the first SSID, its initial role must be marked as a registration role so that MAC auth happens again when the user connects to the second SSID:
user-role clp-pre-auth
    captive-portal "default"
    registration
    access-list session geotrust-crl
    access-list session logon-control
    access-list session captiveportal
    access-list session vpnlogon
!
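The caching behaviour described above, as an added illustration that is not part of the original article and not Aruba controller code: a constructed Python model in which a stand-in controller caches each client's MAC-auth result unless the client's initial role is a registration role. The class names (RadiusServer, Controller), the onboarding_flow helper and the sample MAC address are assumptions; the two-SSID sequence and the role names follow the configuration above.

```python
# Constructed model of MAC-auth result caching on a controller. Not Aruba
# code: the server, controller and cache are simplified stand-ins.
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    """Stand-in for the mac-server-group (e.g. a ClearPass endpoint database)."""
    known_macs: set = field(default_factory=set)
    queries: int = 0  # how many times the controller actually asked the server

    def mac_auth(self, mac: str) -> bool:
        self.queries += 1
        return mac in self.known_macs


@dataclass
class Controller:
    """Stand-in for the controller's per-user MAC-auth result cache."""
    server: RadiusServer
    registration_roles: set = field(default_factory=set)
    cache: dict = field(default_factory=dict)  # mac -> cached auth result

    def connect(self, mac: str, initial_role: str) -> bool:
        """Client associates with an SSID; return whether MAC auth succeeded."""
        cacheable = initial_role not in self.registration_roles
        if cacheable and mac in self.cache:
            # User entry still present: reuse the cached result, no server query
            return self.cache[mac]
        result = self.server.mac_auth(mac)
        if cacheable:
            # Registration roles never cache, so a later attempt re-queries
            self.cache[mac] = result
        return result


def onboarding_flow(use_registration_role: bool,
                    mac: str = "aa:bb:cc:dd:ee:ff"):  # constructed sample MAC
    """Run the two-SSID onboarding sequence.

    Returns (result on 1st SSID, result on 2nd SSID, server queries made).
    """
    server = RadiusServer()
    ctl = Controller(server)
    if use_registration_role:
        ctl.registration_roles.add("clp-pre-auth")
    # 1st SSID (clp-guest-aaa): MAC unknown, MAC auth fails, captive portal role
    first = ctl.connect(mac, initial_role="clp-pre-auth")
    # Web-based onboarding registers the MAC with the server
    server.known_macs.add(mac)
    # 2nd SSID (clp-mdm-aaa): MAC auth should now succeed
    second = ctl.connect(mac, initial_role="clp-mdm-user")
    return first, second, server.queries


if __name__ == "__main__":
    print("without registration role:", onboarding_flow(False))
    print("with registration role:   ", onboarding_flow(True))
```

Without the registration flag the initial failure is cached and the second SSID never asks the server again, so the device stays in the initial role; with the flag set on clp-pre-auth, the second connection re-queries the server and succeeds.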