In short that is because the CAPPORT API in ClearPass queries the Insight database which is based on accounting data. If a client disconnects, the accounting is stopped and when the client returns there is no session and the API returns that there is a captive portal, until there is accounting data for the session. This is a bit complex to resolve in larger networks because the CAPPORT API typically runs on the DMZ ClearPass used for Guest and the MAC Caching on an internal server handling the MAC Authentication. This behavior is described as you found, and in a future version this might be improved, but I'm not aware of that.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: May 22, 2023 09:45 AM
From: stubbyroot
Subject: Clearpass 6.11 CAPPORT - DHCP 114
There are an unfortunate number of caveats for CAPPORT though that document by Matthew is quite good. I'm curious to understand why a MAC caching workflow is not supported.
Original Message:
Sent: May 17, 2023 10:20 AM
From: christian.chautems@swisscom.com
Subject: Clearpass 6.11 CAPPORT - DHCP 114
Hello Herman,
It was my Partner account that had a problem but it is now corrected and I have again access to Arubapedia.
I had a look on the CAPPORT documentation and it looks quiet complete :-)
I will now start my configuration and testing, I have also seen the list of Caveats and will take them in account.
Thanks and kind regards
Christian
Original Message:
Sent: Apr 13, 2023 07:32 AM
From: christian.chautems@swisscom.com
Subject: Clearpass 6.11 CAPPORT - DHCP 114
Hello Herman,
Thank you for the info, I will look into Arubapedia (I am a Partner) but it seems that the Partner Ready Portal has some issues as I cannot access any Aruba Tools today.
Will try tomorrow if working.
Kind regards
Christian Chautems
Original Message:
Sent: Apr 13, 2023 06:49 AM
From: Herman Robers
Subject: Clearpass 6.11 CAPPORT - DHCP 114
If you have access to Arubapedia (for Partners), you can search there for CAPPORT with ClearPass. That page has more info and some videos as well.
Note that at the moment many devices behave different with CAPPORT, and many devices don't even support it. Especially combined with MAC Caching there are some strange behaviors with current versions. That may be one of the reasons that there is not a lot of public facing documentation. For testing that won't be a problem of course. If you don't have access to Arubapedia for Partners, your Aruba Partner can probably get that information on your behalf.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Apr 13, 2023 02:33 AM
From: christian.chautems@swisscom.com
Subject: Clearpass 6.11 CAPPORT - DHCP 114
Hello,
Question for Herman Robers I think
Have you already created a tech document about the CAPPORT implementation on Clearpass 6.11 & AOS Controllers ?
Apart from some slides on the ATM22 NL CPPM 6.11 presentation I haven't found any documentation about this topic.
As I am fighting more and more those days with iPhone Captive Portal detection (with or without CNA) I would like to start evaluation
of the CAPPORT option.
Thanks and kind regards
Christian Chautems