Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard Fail to Redirect After Client IP Address Change.

  • 1.  Onboard Fail to Redirect After Client IP Address Change.

    Posted Jan 25, 2018 01:57 PM

    My Onboarding (two SSIDs) works until the IP address of the Onboarding client changes. There is no IP address change for ClearPass; I can still enter https://MyClearpass/guest.onboard.php in the Onboard client's browser and it will continue to Onboard, but the client won't redirect when I open the browser to, say, http://1.1.1.1

    • Browser cache and history have been cleared.
    • The Onboard whitelist includes the ClearPass IP address.
    • DNS is working.
    • Onboarding licenses are available.
    • If I move the client back to the previous IP address, it works.

    Is there something configured somewhere in the Onboard process that allows a network to redirect?  ArubaOS 6.5, CPPM 6.6.8

    Best Regards,



  • 2.  RE: Onboard Fail to Redirect After Client IP Address Change.

    Posted Jan 25, 2018 02:20 PM

    Edit: Misread your question 



  • 3.  RE: Onboard Fail to Redirect After Client IP Address Change.

    EMPLOYEE
    Posted Jan 25, 2018 02:59 PM

    Why would the device's IP address change?



  • 4.  RE: Onboard Fail to Redirect After Client IP Address Change.

    Posted Jan 25, 2018 03:08 PM

    Forgot to mention: the IP address changed to a new subnet because of a network reconstruction.

    The redirect pause is 3 seconds.

    Not sure about CoA/client bounce.  The process is: the client connects to "onboard", and CPPM steers the client to the "onboard-login" role with captive portal.



  • 5.  RE: Onboard Fail to Redirect After Client IP Address Change.

    Posted Jan 25, 2018 03:26 PM

    Captive portal profile (changed the redirect pause to the default 10 sec and allowed HTTP):

    (WC03) #show aaa authentication captive-portal Onboard2
    
    Captive Portal Authentication Profile "Onboard2"
    ------------------------------------------------
    Parameter                                          Value
    ---------                                          -----
    Default Role                                       guest
    Default Guest Role                                 guest
    Server Group                                       CLEARPASS
    Redirect Pause                                     10 sec
    User Login                                         Enabled
    Guest Login                                        Disabled
    Logout popup window                                Enabled
    Use HTTP for authentication                        Enabled
    Logon wait minimum wait                            5 sec
    Logon wait maximum wait                            10 sec
    logon wait CPU utilization threshold               60 %
    Max Authentication failures                        0
    Show FQDN                                          Disabled
    Authentication Protocol                            PAP
    Login page                                         http://1.2.3.4/guest/onboard2.php
    Welcome page                                       /auth/welcome.html
    Show Welcome Page                                  No
    Add switch IP address in the redirection URL       Disabled
    Adding user vlan in redirection URL                Disabled
    Add a controller interface in the redirection URL  N/A
    Allow only one active user session                 Disabled
    White List                                         ONBOARD-WHITELIST
    Black List                                         N/A
    Show the acceptable use policy page                Disabled
    User idle timeout                                  N/A
    Redirect URL                                       N/A
    Bypass Apple Captive Network Assistant             Disabled
    URL Hash Key                                       N/A


  • 6.  RE: Onboard Fail to Redirect After Client IP Address Change.

    EMPLOYEE
    Posted Jan 26, 2018 04:38 AM

    Just to be clear, you mentioned two-SSID onboarding. Is the IP change you are reporting between the two SSIDs, or on the same SSID?

    You should try to avoid switching VLANs within an SSID at all costs; your client will not detect that the VLAN has changed and keeps trying with the already assigned IP address, which has no connectivity in the new VLAN.

    Different VLANs between different SSIDs should be fine in most cases.



  • 7.  RE: Onboard Fail to Redirect After Client IP Address Change.

    Posted Jan 26, 2018 09:26 AM

    While I am doing two-SSID onboarding, I use one subnet, so there is no IP address change.

    Another point to mention: the working subnet is layer 2 to ClearPass; the problem subnet is layer 3 to ClearPass.

    Thanks, 



  • 8.  RE: Onboard Fail to Redirect After Client IP Address Change.
    Best Answer

    Posted Feb 05, 2018 04:49 PM

    After working with a TAC ClearPass engineer and a controller engineer, he found my problem is NOT ClearPass, but the controller.

    For the redirection to work, the new subnet/VLAN interface MUST be configured with an IP address.

    Confirm by pinging from the controller with the new VLAN as the source:

    WC03 #ping 8.8.8.8 source 100
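The symptom in the first post (a browser opened to http://1.1.1.1 never gets redirected) and the fix in the accepted answer (the controller cannot intercept and redirect on a VLAN whose interface has no IP address) are both easiest to verify from the client side, independently of the controller CLI. The script below is an added example and is not part of the thread or any HPE Aruba tool: it sends a plain-HTTP request to a probe address without following redirects and classifies the answer as "redirected", "wrong-target" (a redirect, but not to the expected login page) or "no-redirect" (the failure mode in the thread). The ClearPass host name is assumed; the login-page path is taken from the captive-portal profile posted above. An in-process fake controller, whose redirect query parameters are made up for the demo, lets the script run offline; against a real network you call `probe("1.1.1.1")` from the new subnet.

```python
"""Probe a captive-portal redirect the way a client browser experiences it.

Added example (not from the thread): GET a probe URL such as http://1.1.1.1
without following redirects and report whether the controller intercepted
the request and where it sent the client.  A fake controller is included so
the script runs offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

CLEARPASS_HOST = "myclearpass.example.com"   # assumed; substitute the real ClearPass FQDN
ONBOARD_PATH = "/guest/onboard2.php"          # login page path from the thread's profile
REDIRECT_CODES = (301, 302, 303, 307, 308)


def fetch_no_redirect(connect_host, connect_port=80, request_host="1.1.1.1",
                      path="/", timeout=5):
    """GET path from connect_host:connect_port with an explicit Host header,
    never following redirects.  A browser opening http://1.1.1.1 sends
    Host: 1.1.1.1; a working controller answers in place of that address."""
    conn = http.client.HTTPConnection(connect_host, connect_port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": request_host})
        resp = conn.getresponse()
        resp.read()                      # drain the body so the socket closes cleanly
        return resp.status, resp.getheaders()
    finally:
        conn.close()


def classify_redirect(status, headers, expected_host=CLEARPASS_HOST,
                      expected_path=ONBOARD_PATH, expected_scheme="https"):
    """Return a verdict dict.  'no-redirect' is the thread's symptom (nothing
    intercepted the request); 'wrong-target' means a redirect went somewhere
    other than the expected login page over the expected scheme."""
    hdrs = {name.lower(): value for name, value in headers}
    if status not in REDIRECT_CODES:
        return {"verdict": "no-redirect", "status": status,
                "location": None, "original_url": None}
    location = hdrs.get("location", "")
    parts = urlsplit(location)
    # Controllers usually carry the originally requested URL in the query string.
    original = parse_qs(parts.query).get("url", [None])[0]
    ok = (parts.scheme == expected_scheme
          and parts.hostname == expected_host.lower()
          and parts.path == expected_path)
    return {"verdict": "redirected" if ok else "wrong-target",
            "status": status, "location": location, "original_url": original}


def _make_handler(mode):
    """Handler imitating a controller ('intercept') or a plain web server
    ('passthrough').  Constructed for the offline demo; the redirect query
    parameters are made up and not an ArubaOS format."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if mode == "intercept":
                original = f"http://{self.headers.get('Host', '')}{self.path}"
                target = f"https://{CLEARPASS_HOST}{ONBOARD_PATH}?cmd=login&url={original}"
                self.send_response(302)
                self.send_header("Location", target)
                self.send_header("Content-Length", "0")
                self.end_headers()
            else:
                body = b"not a captive portal\n"
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

        def log_message(self, *args):    # keep the demo output quiet
            pass

    return Handler


def start_fake_controller(mode="intercept"):
    """Start the fake on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _make_handler(mode))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(connect_host, connect_port=80, request_host="1.1.1.1", **expect):
    """Fetch and classify in one step; run this from the client's new subnet."""
    status, headers = fetch_no_redirect(connect_host, connect_port, request_host)
    return classify_redirect(status, headers, **expect)


if __name__ == "__main__":
    for mode in ("intercept", "passthrough"):
        server, port = start_fake_controller(mode)
        print(mode, "->", probe("127.0.0.1", port))
        server.shutdown()
```

The profile posted earlier in the thread uses an http:// login page, so when checking that exact deployment pass `expected_scheme="http"` and the profile's login host as `expected_host`; a "no-redirect" verdict from the new subnet, with "redirected" from the old one, is the pattern that points at the controller rather than at ClearPass, exactly as TAC concluded.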