Afternoon all!
(I'm new to both Aruba wireless and ClearPass so apologies up front for the ignorance here...)
I'm nearing completion of a new wireless/ClearPass deployment and I'm trying to figure out the best way to dump and blacklist a wireless device for an indefinite amount of time, regardless of which network/SSID it's currently connected to. Use case: Misbehaving or compromised device (or whatever other related reason where we might need to surgically, but immediately, dump and block a client).
I naively just assumed that I could hop into the endpoint repository and blacklist it there. But that doesn't appear to be an option.
Skimming both ClearPass and AOS 8.x docs and these forums, it seems I have a number of potential options I could use here. From temporarily blacklisting at the controller(s) (or MM? Not sure exactly how that works; it wasn't entirely clear in ver 8; no GUI option?), to potentially blacklisting at ClearPass, to moving the machine object into a designated AD group and building an enforcement profile around that, to building an external server profile and blacklisting through controller APIs (which seemed convoluted). Static host list? CoA? Or possibly other much more creative options.
So I'm a bit flummoxed on what may be the 'best' way to accomplish my ends. Typically, dumping a client would normally be handled by our service desk personnel so, ideally, the method would be dead simple. Certainly not a hard requirement but, for example, they don't currently have access to the controller/MM CLI (and they haven't yet been trained on that gear) so I'd be leery of giving them such access at this point in time. They do have 'Help Desk' level access to ClearPass so I was hoping there was a way to handle it there with minimal fuss but nothing obvious is jumping out at me.
Setup: 7205 controllers + (2) MM + ClearPass + AD
(We also have AirWave FWIW but it's not been fully set up yet...)
Has anyone had to solve this particular need? Many thanks in advance for the guidance!