Hello Herman,
Thank you for your time and always helpful and clarifying explanations!
Between my question and your response I have come up with this working process that hinges on the device not being completely added to the Endpoint Repository. I will also work on the redirect approach you detailed which would potentially negate the need for some of this configuration.
Below is the working configuration I came up with to provide port bounce to Operator Login Device Registration clients. Please look this over and let me know if you see any issues with this approach:
port-access role Dorm-CaptivePortal
    associate captive-portal-profile GU_Dorm_Ethernet
    associate policy captive-portal-policy
    reauth-period 10
aaa authentication port-access captive-portal-profile Dorm-CaptivePortal
    url https://npm/guest/auth_login.php
port-access role Dorm-CaptivePortal
    associate captive-portal-profile Dorm-CaptivePortal
    associate policy captive-portal-policy
    reauth-period 10
    vlan access name ZagReg
port-access role Dorm-Intermediate
    associate policy any
    reauth-period 10
    vlan access name Student
port-access role Dorm-Access
    associate policy any
    reauth-period 3600
    vlan access name Student
interface 1/1/1
    no shutdown
    mtu 9198
    no routing
    vlan access 555
    loop-protect
    port-access fallback-role Dorm-CaptivePortal
    port-access onboarding-method concurrent enable
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
    client track ip enable
    client track ip update-interval 300
On the router, the Student VLAN has "ip helper-address" pointing to ClearPass in addition to the DHCP server.
The ZagReg VLAN does not have the same IP helper.
Scenario:
Client plugs in and fails mac-auth, and fallback happens, allowing the device to grab an IP from the 555 network, which is routed on the firewall and only allowed to ClearPass and DNS.
show port-access clients
c 1/1/3 50:7b:9d:37:25:93 Success Dorm-CaptivePortal, Fallback
Foley-TEST(config)# show client ip
50:7b:9d:37:25:93 1/1/3 555 10.55.0.13
Captive portal is presented, login is completed and device is registered.
Enforcement profile condition 2: the Dorm-Intermediate role is sent to the switch, assigning the Student VLAN, but port bounce does not trigger the first time for some reason, so the client retains its CapPort IP addressing. The Endpoint Repository has the MAC but not the device category information from the IP helper. Reauth is set to 10 seconds for this role, forcing the same service to trigger again, finally resulting in a port bounce.
Foley-TEST(config)# show port-access clients
c 1/1/3 50:7b:9d:37:25:93 mac-auth Success Dorm-Intermediate
Foley-TEST(config)# show client ip
50:7b:9d:37:25:93 1/1/3 156 10.55.0.13
Port bounce causes a DHCP renew on the Student VLAN, resulting in the device category info being sent to ClearPass from the IP helper. This triggers enforcement profile condition 1 and the Dorm-Access role to be sent to the switch, which is configured for a 3600-second reauth without port bounce.
Foley-TEST(config)# show port-access clients
c 1/1/3 50:7b:9d:37:25:93 mac-auth Success Dorm-Access
Foley-TEST(config)# show client ip
50:7b:9d:37:25:93 1/1/3 156 147.222.156.117
Thanks!
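A small check for the intermediate state described in the post, where a client has already been moved to a non-onboarding role but still holds an address from the captive-portal subnet because the port bounce has not happened yet. This is an added example, not code from the post or from the switch; it parses the flattened "show port-access clients" and "show client ip" rows in the shape the post shows (the switch's table headers are omitted), and the /24 mask on the VLAN 555 network is an assumption.

```python
import ipaddress
import re

# Constructed snapshots in the flattened row shape shown in the post (the
# switch also prints table headers, omitted here). The /24 mask is assumed.
ONBOARDING_NET = ipaddress.ip_network("10.55.0.0/24")   # VLAN 555 network
ONBOARDING_ROLE = "Dorm-CaptivePortal"

AFTER_LOGIN_CLIENTS = "c 1/1/3 50:7b:9d:37:25:93 mac-auth Success Dorm-Intermediate\n"
AFTER_LOGIN_IP = "50:7b:9d:37:25:93 1/1/3 156 10.55.0.13\n"   # still the CP address
AFTER_BOUNCE_CLIENTS = "c 1/1/3 50:7b:9d:37:25:93 mac-auth Success Dorm-Access\n"
AFTER_BOUNCE_IP = "50:7b:9d:37:25:93 1/1/3 156 147.222.156.117\n"

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
# MAC, optional auth method (absent on the Fallback row), "Success", then role text.
CLIENT_RE = re.compile(MAC + r"\s+(?:\S+\s+)?Success\s+(.+?)\s*$", re.I)
# MAC, port, VLAN id, IPv4 address.
IP_RE = re.compile(MAC + r"\s+(\S+)\s+(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})", re.I)


def parse_clients(text):
    """'show port-access clients' rows -> {mac: (role, is_fallback)}."""
    out = {}
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            parts = [p.strip() for p in m.group(2).split(",")]
            out[m.group(1).lower()] = (parts[0], "Fallback" in parts[1:])
    return out


def parse_client_ip(text):
    """'show client ip' rows -> {mac: (vlan, ip)}."""
    out = {}
    for line in text.splitlines():
        m = IP_RE.search(line)
        if m:
            out[m.group(1).lower()] = (int(m.group(3)), ipaddress.ip_address(m.group(4)))
    return out


def stale_onboarding_clients(clients_text, ip_text):
    """MACs that hold a non-onboarding role but still carry an address from the
    onboarding subnet: the symptom the post sees before the port bounce fires."""
    roles, addrs = parse_clients(clients_text), parse_client_ip(ip_text)
    return sorted(mac for mac, (role, _fb) in roles.items()
                  if mac in addrs and role != ONBOARDING_ROLE
                  and addrs[mac][1] in ONBOARDING_NET)
```

Run it against the two snapshots: the post-login snapshot reports the client as stale, and the post-bounce snapshot reports nothing.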