Sorry for the confusion.
Workflow:
- User connects to SSID, signs in using 802.1x cached credentials, is dropped into default authenticated role
- Forescout determines user's device is not running required software
- Forescout tells Aruba to block user's device and redirect to captive portal
- User's web browser auto-opens to present captive portal page to download the software
- User installs software
- Forescout determines user is remediated and tells controllers (or ClearPass) to unblock the user
Workflow only applies to specific users identified by Forescout. Options to take action are:
- Forescout sends WLAN role change to Aruba controller directly. This works fine. User gets dropped into L3 captive portal role with redirect. But user has to manually open web browser to get the message.
- Forescout sends web API call to ClearPass to perform 802.1x CoA into new role. Haven't tried this but assume same outcome as above.