Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Licensing w/ Juniper WLC

  • 1.  Clearpass Licensing w/ Juniper WLC

    Posted Nov 10, 2017 11:44 AM

    I have a very unique situation in our environment. We integrate our Juniper WLCs to Clearpass for guest wireless. Our system is set up exactly like this link. Juniper WLC Clearpass Integration

    Unfortunately what ends up happening is we get a lot of "null" requests to the SSIDs. For instance, when a client connects to the SSID initially, there is a MAC auth sent to Clearpass to create an entry in the Clearpass DB for this client. This rule is set up as an accept-all MAC auth to build the entry. Regardless of whether or not the client actually logs into the network, we end up burning a license. I am looking for ways to limit how often the same client can perform a MAC auth. I am exploring options on the Juniper side, but wanted to check with the Clearpass community to see if anyone has run across this before. I appreciate any info that anyone has regarding this!

     



  • 2.  RE: Clearpass Licensing w/ Juniper WLC

    EMPLOYEE
    Posted Nov 13, 2017 11:22 AM

    The rule of thumb is that as soon as you have a successful authentication, ClearPass counts that device against the appliance capacity. So if you don't want it to authenticate, you can use the [MAC AUTH] method instead of [Allow All MAC AUTH] to only authenticate devices that are set to known in the Endpoint Database. To implement MAC Caching, you can, on successful authentication in the Web portal, set the endpoint status to known.

     

    You can do that with the [Updated Endpoint Known] Enforcement profile that looks like this:

    [Screenshot: 2017-11-13 17_17_09-ClearPass Policy Manager - Aruba Networks.png]

    The standard wizard for a Guest with MAC Caching does a lot of this for you. If you need more insight, run the wizard (on a lab/test box, or delete what you don't need afterwards) to see what it creates.