They get presented the logon page asking for their credentials again after the user idle timeout has passed without any activity from the client. By default this is 5 minutes.
So you could just increase this user-idle-timeout but that is the bad solution. So please don't do this.
The correct (and easy) solution, certainly when you have clearpass, would be to use mac authentication.
With mac authentication the first authentication would still be the user authentication on the captive portal you served them. Later authentications however would simply use mac authentication.
To give you a headstart, you can configure guest user authentication (with mac caching) on clearpass by using a wizard:
/tips > Configuration » Start Here. At the bottom somewhere you should have a "Guest MAC Authentication" service template. It will help you configure clearpass to do what I just explained.
On the aruba side your aaa profile (with pre-logon initial role) will also have to be configured for mac-authentication.
The result will be that all your guest clients will be able to use mac authentication after the initial logon. If you would like to permit mac-authentication only for smartdevices, this is certainly also possible.
This should hopefully get you started. If not, I'm hopefull we'll hear from you again :smileywink: