Security

We are working on an implementation that consists of Clearpass (with OnGuard) and Meraki wireless. We are having issues with clients roaming between Meraki AP's and re-authenticating.  When clients are roaming between AP's, they are re-authenticating against Clearpass.  The issue we are experiencing is if the OnGuard posture status cache has expired (which happens after 5 minutes) then the client will connect and the posture be seen as "unknown" which then places the client on the Quarantine VLAN until a new "Healthy" assessment is reported by the Agent.  When that happens, Clearpass will send down a Meraki-Terminate-Session which then pushes another re-authentication and places the client in the correct VLAN.  We have a TAC case open but the TAC engineer said this is expected.  Our customer is not accepting this as all wireless connections should be seamless when roaming (which I agree).  Is there a better way to accomplish seamless roaming when utilizing OnGuard with Meraki wireless?  Thank you!  

What kind of roaming settings do you have enabled on the Meraki WLAN? 

We are working on an implementation that consists of Clearpass (with OnGuard) and Meraki wireless. We are having issues with clients roaming between Meraki AP's and re-authenticating.  When clients are roaming between AP's, they are re-authenticating against Clearpass.  The issue we are experiencing is if the OnGuard posture status cache has expired (which happens after 5 minutes) then the client will connect and the posture be seen as "unknown" which then places the client on the Quarantine VLAN until a new "Healthy" assessment is reported by the Agent.  When that happens, Clearpass will send down a Meraki-Terminate-Session which then pushes another re-authentication and places the client in the correct VLAN.  We have a TAC case open but the TAC engineer said this is expected.  Our customer is not accepting this as all wireless connections should be seamless when roaming (which I agree).  Is there a better way to accomplish seamless roaming when utilizing OnGuard with Meraki wireless?  Thank you!  

We are working on an implementation that consists of Clearpass (with OnGuard) and Meraki wireless. We are having issues with clients roaming between Meraki AP's and re-authenticating.  When clients are roaming between AP's, they are re-authenticating against Clearpass.  The issue we are experiencing is if the OnGuard posture status cache has expired (which happens after 5 minutes) then the client will connect and the posture be seen as "unknown" which then places the client on the Quarantine VLAN until a new "Healthy" assessment is reported by the Agent.  When that happens, Clearpass will send down a Meraki-Terminate-Session which then pushes another re-authentication and places the client in the correct VLAN.  We have a TAC case open but the TAC engineer said this is expected.  Our customer is not accepting this as all wireless connections should be seamless when roaming (which I agree).  Is there a better way to accomplish seamless roaming when utilizing OnGuard with Meraki wireless?  Thank you!  

You can change the Posture Cache timeout under Service Configuration, Service Parameters, ClearPass Network Services, to value that does work:

Or play with the OnGuard keepalive and Check Interval settings (under Global Agent Settings).

I agree that on a roam the client should not go through a full reauthentication, which may be a misconfiguration in the WLAN settings.

We are working on an implementation that consists of Clearpass (with OnGuard) and Meraki wireless. We are having issues with clients roaming between Meraki AP's and re-authenticating.  When clients are roaming between AP's, they are re-authenticating against Clearpass.  The issue we are experiencing is if the OnGuard posture status cache has expired (which happens after 5 minutes) then the client will connect and the posture be seen as "unknown" which then places the client on the Quarantine VLAN until a new "Healthy" assessment is reported by the Agent.  When that happens, Clearpass will send down a Meraki-Terminate-Session which then pushes another re-authentication and places the client in the correct VLAN.  We have a TAC case open but the TAC engineer said this is expected.  Our customer is not accepting this as all wireless connections should be seamless when roaming (which I agree).  Is there a better way to accomplish seamless roaming when utilizing OnGuard with Meraki wireless?  Thank you!