What you can do is use a WebAuth captive portal login to trigger a Change-of-Authorization for the user, which disconnects the user from the network and forces a re-authentication.
What is the authentication on the SSID itself? Open/WPAx-PSK/WPAx-Enterprise?
Another option may be to return a very short 'IETF:Session-Timeout', like 60 or 120 (seconds), which triggers a reauthentication on the controller/AP.
If your question is still not answered, please share more information about your SSID configuration, Services created in ClearPass, where/how you administer the user roles, if that is done based on MAC address or user authentication, etc. The workflow is important in this. If you don't want to share the workflow publicly, please contact your Aruba partner or Aruba support.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Aug 31, 2022 02:37 PM
From: Jessica Tait
Subject: Clearpass Caching Auths
Hello, I need to know how to limit caching of authentication attempts for certain user roles in Clearpass. I have a network where if the user is denied access, they are sent to a captive portal page which instructs them how to gain access. The problem is, once they gain access, they are not reauthing to the SSID, so they aren't getting their new role.
For example, the user connects at 10:30am and gets put into the unregistered role. They follow the steps to register their computer and try to connect again at 11:00am. They are still stuck in the unregistered role at that time. When I look at the access tracker, I have a log for the 10:30am auth, but nothing for the attempt at 11am. They will not get the new registered role until the reauth.
Any idea how I can make sure that every time a device tries to connect with a certain role, their authentications are not cached until they get a registered role?
Thanks for your help!