I've found a few very good tutorials on setting up offloading the RAP whitelist to Clearpass for onboarding new RAPs, but one thing that's not clear to me is if that's a one-shot, first time deal, or are the RAPs reauthenticated periodically? Basically, I'm looking to start deploying some RAPs to end users in the nearish future, and have an eye on what the offboarding process will look like. If I could can an entry in Clearpass and have it also get deauthenticated from the controllers, that would be a big win. (Bonus points if I could associate an AD account with each RAP, and have it's whitelist entry withdrawn when the AD account gets terminated!)