ClearPass Device registration User Group change

  • 1.  ClearPass Device registration User Group change

    Posted Sep 23, 2022 10:07 AM

    We are in our first year of using ClearPass and recently rolled out a community portal to allow students to add their devices by MAC address in order to receive a PSK for devices that do not accept the other method of authentication we use.  I noticed that if I registered a device while in one account role and then changed my account role, I could no longer see the device, yet it could still connect.  Below I have a more in-depth look at how we arrived at this, and I am trying to determine if there is a configuration that would allow a user, regardless of Account Role, to see all of the devices previously registered by the user?  

    Scenario:

    • Account Role is set to current year of college (Freshman, Sophomore, etc.) and we use this to divide up students by VLAN
    • An AD security group matches each role and membership is controlled by moving the AD account to the appropriate security group.
    • User, while in the role of Freshman, creates a device entry for connecting, and a PSK is generated.
    • User completes Freshman year, returns later for Sophomore year
    • AD Security Group membership is updated to Sophomore
    • User logs into ClearPass portal and cannot see the device(s) created during Freshman year
    • Admin can see devices in Manage Devices and that the Account Role = Freshman
    • Move student to Freshman in AD, student can see devices


  • 2.  RE: ClearPass Device registration User Group change

    EMPLOYEE
    Posted Sep 23, 2022 11:32 AM
    Could it be that you have different Operator Profiles? More specifically, have a look at the Operator Filter:
    ... which can filter to show only devices created with the same Operator Profile with another setting. If you switch operator profile, that may make the devices invisible.

    You may change the setup to a single operator profile (given all students can just have one device type, or have the same set of devices), then do your authorization/VLAN assignments through an AD lookup against the sponsor name. This setup can be a bit hard if you have not done it before.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------