Security

I have been able to get a self registration working for IOT devices where there is not a captive portal using a COA to another VLAN (666).  However, when I disable that registred device, it kicks it off of the VLAN666 but the device still has an IP Address showing and it can still browse the internet.  However, when I forget the network and then try and reconnect, I see the expected behavior again.  

It seems that I am missing a role communication with the controller.  Thoughts?  Attached are my clearpass enforcements. 

Just to be clear, you're using Device Registration, not Guest Self-Registration, correct?

Correct. Device Registration.

There is:

Date and Time:  May 07, 2018 15:50:45 PDT

Application Name:  Policy Manager

RADIUS CoA Action Type:  Disconnect

RADIUS CoA Action Name:  [ArubaOS Wireless - Terminate Session]

Status Code:  1

Status Message:  Radius [ArubaOS Wireless - Terminate Session] successful for client 0034da9dc724.

RADIUS CoA Attributes:  Calling-Station-Id = 0034DA9DC724

Also, When I reactivate that device, it doesn't seem to re-check for the network.  There are a few things about this that are getting me.  The device shows up in the association table, but if I do a lookup in the user-table, they aren't showing up and they show offline in the CPPM access tracker.