I'm working on booting employees from my guest network so that they connect to the 802.1x network.
The guest network is open with self registration.
My plan was to use a SHL in CPPM and assign a different role that would send them to a captive portal with a nice message. It worked...half way. During the initial MAC Auth, CPPM would send back a RADIUS REJECT and a Aruba-User-Role that I wanted, but the controller keeps putting the client into the initial group. I also tried a CoA enforcement profile, but that didn't seem to help.
The more I think about it, there isn't a way to do what I want in this way right? Because the client isn't authenticated yet, it is ALWAYS going to get the initial role from the AAA profile. Is there a way to force this, or am I going about it wrong?
(Note: I did find that if I created a guest device account and assigned the 'banned-guest-role' it does work as desired, I just figured a SHL would be easier to manage)
Thanks!