Tim,
I don't see how account creation and login works with server initiated. Let's take your flow from earlier and modify it for self account creation and login.
---------------------------------------------------------------------------------------------------------------------------------------------------
Client connects > switch sends MAC-auth > ClearPass sends back a captive portal URL and ACL name
Client is redirected, creates guest account via CP Guest portal > CPG triggers a CoA to the switch > client is disconnected > Mac auth happens again and they end up at the same portal
------------------------------------------------------------------------------------------------------------------------------------------------
You see, since we did not register them there is nothing to trigger a different MAC auth option. So let's add a "login" link on the same portal.
Now they can login with the created account, the login gets authenticated in ClearPass, but there are two issues. Since no endpoint did the webauth, ClearPass can not distinguish the request. Since no endpoint did the webauth, ClearPass can not pass back a different VLAN or ACL. You need some endpoint to do the webauth. How it works on the wireless side is this.
----------------------------------------------------------------------------------------------------------------------------------------------------
Client connects > switch sends MAC-auth > ClearPass sends back a captive portal URL and ACL name
Client is redirected, creates account on CP Guest portal > CPG triggers client to webauth with controller > controller does webauth and is handed a new role from ClearPass.
You can have a redirect url point them at the login page and they can login. But the request does not come from a
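The distinction the post draws (a self-registered account that no enforcing device has tied to the client's MAC, versus a webauth that arrives with the MAC attached) can be made concrete with a small policy-evaluation model. This is an added illustration, not ClearPass, switch or controller code; the class and method names, the MAC, username and return dictionaries are all constructed for the example. The point it shows: a repeated MAC auth can only key on what the endpoint repository knows about that MAC, so creating an account, or even logging in on the portal, leaves the second MAC auth identical to the first, while a webauth that carries the MAC can write the endpoint role and return a different result.

```python
"""Toy model of the MAC-auth / self-registration / webauth flow discussed above.

Added illustration only (not ClearPass code). Every name and value here is a
constructed assumption used to show why the MAC-auth decision cannot change
until some enforcing device performs a webauth for the endpoint.
"""
from dataclasses import dataclass, field

# Constructed return values, standing in for the attributes a policy server
# would hand back to the switch/controller (captive portal vs. guest access).
PORTAL_RESULT = {"redirect_url": "https://portal.example.invalid/guest",
                 "acl": "captive-portal"}
GUEST_RESULT = {"vlan": 200, "acl": "guest-internet", "role": "guest"}


@dataclass
class PolicyServer:
    """Minimal stand-in for the policy server: an account store and an
    endpoint repository keyed by MAC address."""
    accounts: dict = field(default_factory=dict)   # username -> password
    endpoints: dict = field(default_factory=dict)  # mac -> role

    def mac_auth(self, mac: str) -> dict:
        # A MAC-auth request carries only the MAC, so the decision can only be
        # based on what the endpoint repository already knows about it.
        if self.endpoints.get(mac) == "guest":
            return GUEST_RESULT
        return PORTAL_RESULT

    def self_register(self, username: str, password: str) -> None:
        # Guest self-registration creates credentials; it does not touch the
        # endpoint repository, because no MAC is part of the transaction.
        self.accounts[username] = password

    def portal_login(self, username: str, password: str) -> bool:
        # A "login" link on the portal: the credentials are verified, but the
        # request comes from the portal, not from an enforcing device, so
        # there is no endpoint to attach the result to.
        return self.accounts.get(username) == password

    def webauth(self, mac: str, username: str, password: str) -> dict:
        # Webauth performed by the enforcing device (e.g. a controller): the
        # credentials and the client's MAC arrive together, so the endpoint
        # can be updated and a new role returned in the same step.
        if self.accounts.get(username) == password:
            self.endpoints[mac] = "guest"
            return GUEST_RESULT
        return PORTAL_RESULT


def wired_flow_without_webauth(mac: str = "aa:bb:cc:dd:ee:01") -> tuple:
    """Register, log in on the portal, then re-run MAC auth after the CoA.
    Returns (first_mac_auth_result, second_mac_auth_result)."""
    server = PolicyServer()
    first = server.mac_auth(mac)                # unknown MAC -> captive portal
    server.self_register("guest1", "secret")    # account created via portal
    server.portal_login("guest1", "secret")     # authenticates, no endpoint involved
    # CoA -> client disconnected -> switch repeats MAC auth for the same MAC
    second = server.mac_auth(mac)
    return first, second


def wireless_flow_with_webauth(mac: str = "aa:bb:cc:dd:ee:02") -> tuple:
    """Register, then let the enforcing device perform the webauth.
    Returns (first_mac_auth_result, webauth_result)."""
    server = PolicyServer()
    first = server.mac_auth(mac)                # unknown MAC -> captive portal
    server.self_register("guest2", "secret")
    after = server.webauth(mac, "guest2", "secret")  # MAC + credentials together
    return first, after


if __name__ == "__main__":
    print("wired, no webauth:  ", wired_flow_without_webauth())
    print("wireless, webauth:  ", wireless_flow_with_webauth())
```

Running the two flows shows the wired path returning the captive-portal result both times, because nothing in the account creation or portal login ever wrote to the endpoint repository, while the webauth path returns the guest result on the same server logic.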