You may need to include a certain delay between the receipt page and the login. Especially if you work on a subscriber, the account is created on the publisher, then synced to the subscriber and only after a few seconds it's available. Without the full access trackers it's hard to find a resolution, but if you see in the Access Tracker the correct username, but the User not Found for the Guest User Repository Does it work if you try the same credentials half a minute later?
In the self registration flow, there should be a Login Delay setting, which is 0 seconds by default and you can try to set that to 5 or 10 seconds.
If that doesn't help, it may be best to work with your partner or Aruba Support as you would need to see each step in Access Tracker and depending on what can be seen there go deeper or test other things.
This video shows the basic steps of Guest Access, in case that helps.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Dec 21, 2022 08:18 AM
From: Adam Newson
Subject: ClearPass Guest - Self Registration
We're currently adding email self registrations for guests as an authentication option. It is working to a certain extent, in that users are able to register their email address (using guest_register form) and are given a 10 minute window of access before they have verified their account via an email notification. Once that is confirmed the user has full access.
However, this process is currently quite manual. After the user has entered their email, they have to select a 'log in' button (found on the guest_register_receipt form) before they are given the 10 minute grace period before they are disconnected (if they do not verify their email address using the notification). This works and clients are able to get access to the network.
We have a mechanism in place to skip the receipt page and 'log in' automatically - this is to make the process smoother from a UX perspective. This is not currently working and users are receiving an 'access denied' error message upon entering their email address. The following errors appear in the access tracker for the matched service:
RADIUS | [Guest User Repository] - localhost: User not found. PAP: SSO Token verification failed |
Happy to share more information regarding the configuration of self reg if required/ or if more context is needed.