
Guest with MAC Caching - endpoint not deleted



I have a customer with ClearPass Guest with MAC Caching. When the user account expires, the endpoint is still present in ClearPass, so the next time the guest logs in, the guest user is expired but the endpoint is still present, so the guest is MAC authenticated. But since the guest user account is disabled, the station is still in the network not getting an IP, rather than being redirected to the captive portal.


Shouldn't the endpoint be deleted when the cache and the guest user account expire?

Re: Guest with MAC Caching - endpoint not deleted

The MAC address won't be deleted from the endpoint DB, and it shouldn't impact the decision to redirect the user, but it depends on how you have your enforcement policy set up.

Can you share your role mapping and enforcement policy?

Thank you


Victor Fabian
Lead Mobility Architect @WEI

Re: Guest with MAC Caching - endpoint not deleted



Thanks for getting back to me. I just had a session going through the setup on ClearPass, and there are a couple of things. And, you're correct, some of it originated from the Enforcement Profile.


1. The MAC auth enforcement policy was correct, apart from the fact that the ROLE MAPPING for guest had an enforcement profile giving the station a non-existent Aruba User Role, so the Aruba role giving Captive Portal access wasn't added and the user was placed in a default user role with no CP.


2. When that was fixed, we noticed that the initial role in the Aruba Controller had the wrong CP Profile added; the wizard had changed this, so the default guest user role was added rather than the customized guest role.


With those two tweaks, it worked.

Lessons learned.


thank you

Re: Guest with MAC Caching - endpoint not deleted

I think Aruba expects you to use the Known Endpoints Cleanup to remove those records. The interval is based on when the Known Endpoint record was last modified.


We cannot currently do that, so I made a REST API script that I run manually to clean up old Guest Endpoints. It checks all Known Endpoints. If there is a Guest-Role-ID attribute, it checks to see if the Guest Account exists. If the Guest Account does not exist, it deletes the Endpoint.

Bruce Osborne - Wireless Engineer

All opinions written here are my own and do not necessarily reflect the views and opinions of my employer or Aruba Networks
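The cleanup logic described in the post above, written out as an added example (this is not Bruce's script and not Aruba code). The decision logic is separated from the HTTP layer so it can be run offline against constructed endpoint records; the `ClearPassAPI` class is the assumed thin wrapper for the real server. Assumptions, labelled as such: the endpoint attribute name `Guest-Role-ID` as quoted in the post, a `Username` attribute carrying the guest account name, the ClearPass REST paths `/api/oauth`, `/api/endpoint` and `/api/guest/username/{name}`, and placeholder hostname and credentials. One deliberate caveat the post does not spell out: an endpoint that has `Guest-Role-ID` but no username cannot be mapped to an account, so it is skipped rather than deleted, and the script defaults to dry-run.

```python
"""Stale MAC-caching endpoint cleanup (added example; assumptions labelled)."""
import json
import urllib.error
import urllib.parse
import urllib.request

GUEST_ROLE_ATTR = "Guest-Role-ID"  # attribute name quoted in the post
USERNAME_ATTR = "Username"         # assumption: MAC caching stores the guest username here


def guest_username(endpoint):
    """Username the endpoint is tied to, or None if it is not a MAC-caching
    guest endpoint (no Guest-Role-ID) or the username is missing.
    Non-guest endpoints (printers, BYOD devices) are therefore never touched."""
    attrs = endpoint.get("attributes") or {}
    if GUEST_ROLE_ATTR not in attrs:
        return None
    return attrs.get(USERNAME_ATTR) or None


def stale_endpoints(endpoints, guest_exists):
    """Endpoints whose guest account no longer exists. guest_exists(username)
    is injected so the logic runs without a server. Endpoints that cannot be
    mapped to an account are skipped: deleting blindly is the unsafe choice."""
    stale = []
    for ep in endpoints:
        user = guest_username(ep)
        if user is not None and not guest_exists(user):
            stale.append(ep)
    return stale


def cleanup(endpoints, guest_exists, delete_endpoint, dry_run=True):
    """Delete (or, in dry-run mode, only report) stale guest endpoints.
    Returns the MAC addresses that were, or would be, deleted."""
    macs = []
    for ep in stale_endpoints(endpoints, guest_exists):
        if not dry_run:
            delete_endpoint(ep["id"])
        macs.append(ep["mac_address"])
    return macs


class ClearPassAPI:
    """Assumed REST wrapper; paths are assumptions and are not exercised offline."""

    def __init__(self, host, client_id, client_secret):
        self.base = "https://" + host + "/api"
        self.token = None
        tok = self._call("POST", "/oauth", {"grant_type": "client_credentials",
                                            "client_id": client_id,
                                            "client_secret": client_secret})
        self.token = tok["access_token"]

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        if self.token:
            req.add_header("Authorization", "Bearer " + self.token)
        with urllib.request.urlopen(req) as resp:  # TLS verification stays on
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def endpoints(self, page_size=100):
        """Page through /api/endpoint (items assumed under _embedded.items)."""
        offset = 0
        while True:
            page = self._call("GET", "/endpoint?limit=%d&offset=%d" % (page_size, offset))
            items = page.get("_embedded", {}).get("items", [])
            if not items:
                return
            yield from items
            offset += page_size

    def guest_exists(self, username):
        try:
            self._call("GET", "/guest/username/" + urllib.parse.quote(username, safe=""))
            return True
        except urllib.error.HTTPError as e:
            if e.code == 404:
                return False
            raise  # any other error aborts rather than being read as "account gone"

    def delete_endpoint(self, endpoint_id):
        self._call("DELETE", "/endpoint/%d" % endpoint_id)


# Constructed sample data for an offline run (not from a real ClearPass).
SAMPLE_ENDPOINTS = [
    {"id": 1, "mac_address": "00-11-22-33-44-55",
     "attributes": {"Guest-Role-ID": "2", "Username": "alice@example.com"}},
    {"id": 2, "mac_address": "00-11-22-33-44-66",
     "attributes": {"Guest-Role-ID": "2", "Username": "bob@example.com"}},
    {"id": 3, "mac_address": "00-11-22-33-44-77",
     "attributes": {"Device Type": "Printer"}},  # not a guest endpoint
    {"id": 4, "mac_address": "00-11-22-33-44-88",
     "attributes": {"Guest-Role-ID": "2"}},      # guest endpoint, username missing
]
SAMPLE_GUESTS = {"alice@example.com"}  # bob's account has expired and been purged


def demo(dry_run=True):
    """Run the cleanup against the constructed data; returns (macs, deleted_ids)."""
    deleted_ids = []
    macs = cleanup(SAMPLE_ENDPOINTS, guest_exists=lambda u: u in SAMPLE_GUESTS,
                   delete_endpoint=deleted_ids.append, dry_run=dry_run)
    return macs, deleted_ids
```

Against a live server the same three functions are wired as `cleanup(api.endpoints(), api.guest_exists, api.delete_endpoint, dry_run=False)` with `api = ClearPassAPI("clearpass.example.com", client_id, client_secret)`; run it with `dry_run=True` first and read the list of MACs before letting it delete anything.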
