I have been able to get self-registration working for IoT devices where there is not a captive portal, using a CoA to another VLAN (666). However, when I disable that registered device, it kicks it off of VLAN 666 but the device still has an IP address showing and it can still browse the internet. However, when I forget the network and then try to reconnect, I see the expected behavior again.
It seems that I am missing a role communication with the controller. Thoughts? Attached are my ClearPass enforcements.