VLAN enforcement is working much better now for me.
I have two other problems now:
First problem:
A student logs into the student machine and ends up in the Student VLAN, which is working fine. The student then logs off the student machine and Staff logs onto the student machine, but the machine remains in the Student VLAN.
I do not see another request come into ClearPass when this happens. Also, when the user manually disconnects from the SSID and reconnects, I then do see a request in CPPM, but they still end up in the Student VLAN.
To troubleshoot this further I have asked them to do the following:
On the wireless profile, enable single sign-on and select the option to perform immediately after user logon.
I have also asked them to re-arrange the role-mapping so that the Staff roles are at the top and in the service to make sure the Staff AD is at the top.
Do you know if that will work or would I need to do something else?
The other problem is student BYOD devices that are connecting:
Students connect with their BYOD devices, but get rejected as it says user authentication failure. But when the student sends the username in the format of:
student\65262827 - this then works
The problem is that students do not know they have to connect with student\.
Is there any way ClearPass can embed the student\ in the request?
Or in CPPM, do I need to replace the filter query in the authentication source to look at samAccountName?
If so, please let me know what the query should look like?