Hi All
I'm trying to work around the situation where a ClearPass onboarded certificate has become revoked or has expired. Is there any way of creating a role which forces onboarded devices with a revoked or expired certificate to a reprovision page?
I've read the following, which describes sending emails to the user for the x number of weeks leading up to certificate expiry, which is something we will implement; however, the customer has some departmental devices with generic accounts, so the end user does not get the notification email.
http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Handling-certificate-expiration/td-p/93548/highlight/true
Also some devices hide in drawers for weeks on end and the certificate gets revoked through inactivity. We're reluctant to increase the inactivity period as this will have an impact on the Onboard licensing count.
I had created a test enforcement policy whereby, if the outer authentication method was TLS and the auth status failed, to return a pre-provisioning profile. I can see the RADIUS Response in the Access Tracker returning this role, though I suspect that as the Login Status is REJECT this is preventing this from being sent to the controller.
Is the only alternative, when dealing with Apple smart devices, to manually delete the profiles and reprovision?
Many thanks
Mark