Can you please share the Agent Enforcement Profile Config ?

You might be missing the bounce user but you can also have the same results using the CoA as your Enforcement Profiles so it can then the device will return and hit the 802.1X service and gets the right access

hey i am offsite now, will provide more info when I am onsite next monday. thanks! =)

yup, as you can see in the attached a5.png, i have termination. I am not too sure if Radius CoA is enabled in CPPM, will double check, but if default is unchecked, high chance it's not checked. will verifiy next monday, thanks for the reply! 

hey base on the a2.png, can you conclude anything? other than enabling Radius CoA which I am not sure it has been enabled or not, what could be the other possible reason? i do have other screenshot which I capture previously, not sure if you could conclude anything from htere. thanks

Add the ClearPass Controller as the RFC 3576 server and make sure that both key match

Enable it on CPPM

You need two Services:

1- The onguard health will receive all the Onguard Posture Information 

2- And the 802.1X will determine what type of access either by sending a VLAN or a Role back to the controller

If you are using the persistant agent you can do the following :

Then 

hey thanks for the reply. 

1) RFC3576 has already been added

2) yup i already have 2 services as mentioned by you. each time i click on the agent to reverify, it shown up in the access tracker, just somehow role won't change.

i haven't really configure anything in the wlc for onguard, all the configurations such as rfc3576, etc were configured for 802.1x and mac address authentication; and both of them are working fine. is there anything else I need to configure in the wlc? do I need to put the 'nap ip'? is there any option to enable CoA in wlc?