@ColinMwrote:
We have had 14k login requests over the last two days and 12k failed logins. It just seems a little too high in my opinion for known devices. Any help greatly appreciated.
As James mentioned, and I think this statement confirms the suspicion, it is probably the mac-auth mechanism used to provide the 24-hour cache that you mentioned.
Basically, when a new device tries to connect for guest wireless access, the initial mac-auth fails, ensuring that they get placed into the captive portal role. So there will be that initial failure seen on ClearPass. Once in the captive portal role, the user completes the web form and is granted access. Now ClearPass will have logged a successful login request.
If the same suggessful user returns within 24 hours, the mac-auth sends them directly to the authenticated role, bypassing the web form.
If a device/user fails to complete the web form and returns within 24 hours, they still fail mac-auth because there is no successful login cached, and so would should up as another failed login event. It's not unusual to have more devices try to connect to a guest SSID than actually pass through successfully, so your numbers don't seem out of line.
To verify this, check Access Tracker on ClearPass and look at the failed events. In particular, not the service that was selected for the event that ended in failure. There should be two services (at a minimum) on ClearPass ... the mac-auth caching service, and the guest portal login.