When you say this:"If we set up the device to use the physical MAC address, the MAC address used is always the real MAC address of the device and not a random one."
Do you crosscheck the Access Tracker INPUT and what you see at the Guest User Repo ? Are they both having the same Endpoint Category, Endpoint OS Fam, Endpoint Name ?
Coz, once the endpoint reconnects back after traveling thru a so-called blank spot, what we see here is that in Guest it shows SmartDevice, Windows, Windows Mobile, but in Access Tracker, it shows Generic, Generic, Unclassified Device.So first, I think you'll have to find out why clearpass classifies the two MAC addresses as those.66:5b:17:35:82:a1 is supposed to be the Android, right ? But MACOUI lookup says it is unknown.While the 1c3a60 is Ruckus definitely, doesnt matter if it is ETH / BSSID interface, but strangely it is being classified as Windows (which I suppose is the phone itself, right ?)I suspect in Ruckus you have the option to encapsulate the auth packet so that the radius server (clearpass) only sees the Ruckus ETH/BSSID.Do packet capture from clearpass first, try to see if there is the phone's MAC address received at the clearpass itself. Either in the RADIUS packet or at the RAW Layer-2 packet itself.
In the end, I would say that clearpass is always the passive device, it sees what it receives and show to us.
© Copyright 2023 Hewlett Packard Enterprise Development LPAll Rights Reserved.