06-15-2016 08:36 AM
Working on a guest access POC using ClearPass and integrating with a Motorola Zebra controller. We are using Guest with self-reg which seems to work fine. Additionally we are doing MAC caching to eliminate the need for clients to have to log in after disconnects (clients leaving the facility, sleeping mobile devices, etc.). This also works as expected. The issue we are running into is when clients fail MAC Auth which should cause them to fail to captive portal but instead they are given access as though they successfully passed auth. In Access Tracker I can see that the client fails MAC auth and being given the Deny Access Enforcement Profile as is configured but the controller still treats them as having successfully authenticated. I know this points directly at the controller as being the conprit but we did find one interesting thing when troubleshooting. In the Enforcement policy we have a rule that checks if the guest account is expired even when MAC Auth passes and if so we send a specific VLAN to the controller which works. Also, if I change the Profile for failed MAC Auth from Deny to Drop Access the client fails to connect entirely which seems correct since drop to my understanding means deny and stop access. Any ideas would be greatly appreciated.