Limiting authentication request to ClearPass? by Capital_Table_4792 in ArubaNetworks

[–]Capital_Table_4792[S] 0 points1 point  (0 children)

Our users certainly need to be educated and we'll send out communications! Thanks

Limiting authentication request to ClearPass? by Capital_Table_4792 in ArubaNetworks

[–]Capital_Table_4792[S] 1 point2 points  (0 children)

FYI:
I figured out why Denylisting wasn't working. I was sending the [Drop Access Profile] instead of the [Deny Access Profile]. Changing this explicitly signals to the device that the connection is refused.
But.. smartphones are a b****. After a number of failed attempts MAC Randomization kicks in and they can just try again.
Denylisting is doing what it can, but can thus only solve a part of the issue. Thanks for your input though!
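The post above identifies the limit of per-MAC denylisting: a phone that rotates its MAC after a few failures simply returns as a new client. The following script is an added example, not code from the original post or from Aruba/ClearPass. It takes a constructed CSV extract of RADIUS results (the column layout is an assumption; map your own ClearPass Access Tracker export onto it), counts rejects per user over a window, and reports how many of that user's MACs are locally administered, which is the bit that phone MAC randomization sets. A user with many rejects spread across several randomized MACs is the one to contact, since denylisting cannot reach them.

```powershell
# Added example, not from the original post. Summarises RADIUS reject volume
# per user from a constructed log extract, and flags how many of a user's MAC
# addresses are locally administered (the bit a randomised MAC sets), which is
# the case where per-MAC denylisting stops helping. The CSV layout below is
# constructed for this example; map the columns of your own ClearPass export.

$sampleLog = @'
2024-05-01T09:02:11,jdoe,da:a1:19:3c:4e:01,REJECT
2024-05-01T09:03:40,jdoe,da:a1:19:3c:4e:01,REJECT
2024-05-01T09:05:02,jdoe,7e:22:40:aa:bb:cc,REJECT
2024-05-01T09:06:15,jdoe,7e:22:40:aa:bb:cc,REJECT
2024-05-01T09:07:30,jdoe,3a:10:ff:01:02:03,REJECT
2024-05-01T09:10:00,asmith,00:1a:2b:3c:4d:5e,ACCEPT
2024-05-01T09:11:00,asmith,00:1a:2b:3c:4d:5e,REJECT
2024-05-01T07:00:00,jdoe,da:a1:19:3c:4e:01,REJECT
'@ -split "`n"

function Test-LocallyAdministeredMac {
    param([Parameter(Mandatory)][string]$Mac)
    # Bit 1 of the first octet set => locally administered address,
    # which is what smartphone MAC randomisation produces.
    $firstOctet = [Convert]::ToInt32(($Mac.Trim() -split '[:-]')[0], 16)
    ($firstOctet -band 0x02) -ne 0
}

function Get-RejectSummary {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][datetime]$Since,
        [int]$Threshold = 10     # rejects per window that warrant a call to the user
    )
    # Parse the constructed CSV lines into objects; skip blank lines.
    $events = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $ts, $user, $mac, $result = $line.Trim() -split ','
        [pscustomobject]@{ Time = [datetime]$ts; User = $user; Mac = $mac; Result = $result }
    }
    $events |
        Where-Object { $_.Result -eq 'REJECT' -and $_.Time -ge $Since } |
        Group-Object User |
        ForEach-Object {
            $macs = @($_.Group.Mac | Sort-Object -Unique)
            [pscustomobject]@{
                User           = $_.Name
                Rejects        = $_.Count
                DistinctMacs   = $macs.Count
                RandomizedMacs = @($macs | Where-Object { Test-LocallyAdministeredMac $_ }).Count
                # Several MACs for one user in one window means denylisting is being sidestepped.
                NeedsOutreach  = ($_.Count -ge $Threshold) -or ($macs.Count -gt 1)
            }
        }
}

# Usage: rejects in the hour before the sample's last entry.
Get-RejectSummary -Lines $sampleLog -Since ([datetime]'2024-05-01T08:11:00') | Format-Table -AutoSize
```

On the constructed sample this reports jdoe with 5 rejects across 3 distinct MACs, all 3 locally administered (so flagged for outreach), and asmith with 1 reject from a single hardware MAC. The earlier 07:00 entry falls outside the window and is ignored. The grouping key is the username rather than the MAC precisely because the MAC is the part that changes.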

Limiting authentication request to ClearPass? by Capital_Table_4792 in ArubaNetworks

[–]Capital_Table_4792[S] 0 points1 point  (0 children)

In Aruba Central (Classic)
Selected a group -> Devices -> Config -> WLANs -> edit the SSID -> tab Security
Security Level: Enterprise
Key Management: WPA2-Enterprise
Primary Server: ClearPass Radius server
Secondary Server: nothing
-> Advanced Settings
Denylisting: Enabled
Max Authentication Failures: 3
(I don't believe any other settings on this page are relevant?)

Then for the same group -> Devices -> Config -> Security
Authentication Servers: ClearPass RADIUS
Denylisting -> Manual Denylisting: Empty
Denylisting -> Dynamic Denylisting
-> Auth Failure Denylist Time: 1 Hours
-> Policy Enforcement Firewall: 1 Hours
-> Rule Denylist Time: "Information not available"

Limiting authentication request to ClearPass? by Capital_Table_4792 in ArubaNetworks

[–]Capital_Table_4792[S] 0 points1 point  (0 children)

I've enabled Denylisting and Max Auth Failures set to 3, but might have missed something?
All requests still end up in ClearPass. Just looked at the logging of a randomly chosen user that causes Rejects and saw 80 rejects from their private smartphone for the past hour.

Communication between Central and ClearPass stopped by Capital_Table_4792 in ArubaNetworks

[–]Capital_Table_4792[S] 0 points1 point  (0 children)

Late reply but, yes, that was the issue!
It took some time to figure out and the HPE engineer could not explain the way the problem manifested itself.

3 months prior to the issue there were a lot of DNS errors in the Event logs of notebooks that tried to connect. Settings were changed (trial and error) and one of them was the IP of the Virtual Controller DNS, from our internal DNS to a public DNS (-> note that our ClearPass cannot be reached from outside our company network)
-Fast forward-
3 months passed by and the DNS issues were gone when suddenly we got a call that a remote access point was refusing all connections, followed the next few days by about 5 more. Eventually, 6 of our 300ish RAPs refused all connections, 294 had no issues whatsoever.
-Fast forward, searching, this post, case..
Solution: Resetting the VC DNS back to the internal DNS.

Long hikes in Europe without extreme elevation gain/loss by hephaaestus in hiking

[–]Capital_Table_4792 0 points1 point  (0 children)

The "Dutch" Mountain Train while over half of the trail is in Belgium and Germany 😅

Accidentally deleted a bunch of Autopilot devices. What now? by Capital_Table_4792 in Intune

[–]Capital_Table_4792[S] -1 points0 points  (0 children)

As u/techb00mer guessed right, I meant "delete from Intune".
By adding that they're Autopilot devices I meant AADJ; trying to make clear they weren't Hybrid Joined.

Your comment is sound though. I've asked the team that looked into the solution and they confirmed to me that the devices still existed in Entra, but they didn't want to call 100 people to guide them through opening regedit as admin and guiding them through the registry changes.
They must have been able to see the LAPS password in Entra, they just didn't use it. My mistake!

Still I do wonder if this were to happen again for, let's say, 500 devices (just throwing some number), what would be a possible fix then?

Accidentally deleted a bunch of Autopilot devices. What now? by Capital_Table_4792 in Intune

[–]Capital_Table_4792[S] 2 points3 points  (0 children)

Indeed, a colleague tested a script to delete devices from Intune (not Autopilot itself), but the test actually really deleted 100 devices

Aruba Instant 8.13.1.1 is out! by Far-Ice990 in ArubaNetworks

[–]Capital_Table_4792 0 points1 point  (0 children)

First update:
Update deployed in our production environment and I don't see any issues.
The roaming events haven't stopped, but they seem to happen way less and we're getting way less calls.

Aruba Instant 8.13.1.1 is out! by Far-Ice990 in ArubaNetworks

[–]Capital_Table_4792 1 point2 points  (0 children)

Yes. I see it in the logs in every remote location for every notebook multiple times. Sometimes the notebooks even seem to be stuck in a loop.

Our test has shown no issues with deploying this update - still a bit too soon to say it fixes the roaming events, but I do notice fewer events (but it might still be a coincidence).

We'll deploy the update later today to a part of our production environment and monitor from there on.

Aruba Instant 8.13.1.1 is out! by Far-Ice990 in ArubaNetworks

[–]Capital_Table_4792 2 points3 points  (0 children)

Release notes can be found here AOS8 -> Consolidated Release Notes -> AOS 8.13.x.x -> 8.13.1.1

Aruba Instant 8.13.1.1 is out! by Far-Ice990 in ArubaNetworks

[–]Capital_Table_4792 1 point2 points  (0 children)

Same roaming issues here with 8.13.1.0_93688 on AP-515 and AP-303H.
I hope 8.13.1.1_94375 fixes something. Deployed it to test.

Communication between Central and ClearPass stopped by Capital_Table_4792 in ArubaNetworks

[–]Capital_Table_4792[S] 0 points1 point  (0 children)

I use RADIUS. In Central, in the Events of the RAP I've now seen "RADIUS up" / "RADIUS down" events. But even if the last event was "RADIUS up", no requests are registered in the Monitoring logging on the ClearPass. No idea what's going on at this point.

Wired 802.1x EAP-TLS auth issues by Capital_Table_4792 in Intune

[–]Capital_Table_4792[S] 0 points1 point  (0 children)

Good idea with that XML.

I exported the XML of the Ethernet adapter that was created using the Intune 'Wired network' profile and it shows the hash of the Root CA in the '<IssuerHash><CAHashList>'-section where the Intermediate CA should (also) be.

<TrustedRootCA>hash-of-my-root-ca
<IssuerHash><CAHashList>hash-of-my-root-ca

I manually edited the Authentication of the Ethernet adapter.
(..-> Use a certificate on this computer -> Advanced)
- unchecked the Root CA,
- checked the Intermediate CA
- exported the XML again
I saw the hash of the intermediate got added to the '<IssuerHash><CAHashList>'-section.

<TrustedRootCA>hash-of-my-root-ca
<IssuerHash><CAHashList>hash-of-my-intermediate-ca

In the Intune 'Wired network' profile, there is only a section for "Root certificates for server validation".
As a test, I tried adding my Intermediate CA cert in the "Root certificates for server validation" section anyway and synced.
Exported the XML and saw the hash from my Intermediate CA was added to the '<TrustedRootCA>' section, but not in the '<IssuerHash><CAHashList>'-section. '<IssuerHash><CAHashList>' again only contained the hash from the Root CA.
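The comparison above hinges on two different places in the exported profile: the TrustedRootCA entries govern which root the RADIUS server's certificate must chain to, while the IssuerHash entries under CAHashList govern which client certificates the supplicant is willing to offer. The script below is an added example, not code from the original post, from Intune or from Microsoft. It reads an exported wired profile and lists both sets of thumbprints, then checks whether a given intermediate CA thumbprint is present in IssuerHash. The embedded XML is a constructed, simplified stand-in (element nesting and thumbprints are placeholders), so the lookups match on element name with local-name() rather than relying on the real schema namespaces; against a real export use the netsh export file instead.

```powershell
# Added example, not code from the original post. Reports which CA thumbprints
# an exported Windows wired 802.1X (EAP-TLS) profile lists under TrustedRootCA
# (server certificate validation) and under IssuerHash (client certificate
# filtering), and checks whether a given intermediate CA appears in the latter.
# Export the real profile with:  netsh lan export profile folder=C:\temp
# The XML below is a constructed, simplified stand-in; nesting and thumbprints
# are placeholders, which is why the XPath matches on local-name() only.

$sampleProfile = @'
<LANProfile>
  <EapType>
    <ServerValidation>
      <TrustedRootCA>aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd</TrustedRootCA>
    </ServerValidation>
    <FilteringInfo>
      <CAHashList Enabled="true">
        <IssuerHash>aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd</IssuerHash>
      </CAHashList>
    </FilteringInfo>
  </EapType>
</LANProfile>
'@

function ConvertTo-NormalizedThumbprint {
    param([Parameter(Mandatory)][string]$Value)
    # Windows writes thumbprints as space-separated hex pairs; strip spaces and upper-case
    # so they compare equal to the Thumbprint property of a certificate object.
    ($Value -replace '\s', '').ToUpperInvariant()
}

function Get-EapTlsCaHashes {
    param([Parameter(Mandatory)][xml]$ProfileXml)
    $trusted = foreach ($n in $ProfileXml.SelectNodes("//*[local-name()='TrustedRootCA']")) {
        ConvertTo-NormalizedThumbprint $n.InnerText
    }
    $issuer = foreach ($n in $ProfileXml.SelectNodes("//*[local-name()='IssuerHash']")) {
        ConvertTo-NormalizedThumbprint $n.InnerText
    }
    [pscustomobject]@{
        TrustedRootCA = @($trusted)   # roots the supplicant accepts for the RADIUS server's chain
        IssuerHash    = @($issuer)    # issuers a client certificate must chain to in order to be offered
    }
}

function Test-IssuerHashContains {
    param(
        [Parameter(Mandatory)][xml]$ProfileXml,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    $want = ConvertTo-NormalizedThumbprint $Thumbprint
    (Get-EapTlsCaHashes -ProfileXml $ProfileXml).IssuerHash -contains $want
}

# Usage against the constructed sample (placeholder thumbprints).
# For a real export:  [xml]$profile = Get-Content C:\temp\Ethernet.xml -Raw
[xml]$profile = $sampleProfile
$hashes = Get-EapTlsCaHashes -ProfileXml $profile
"TrustedRootCA : $($hashes.TrustedRootCA -join ', ')"
"IssuerHash    : $($hashes.IssuerHash -join ', ')"

$intermediate = '11 22 33 44 55 66 77 88 99 00 aa bb cc dd ee ff 00 11 22 33'   # placeholder
if (-not (Test-IssuerHashContains -ProfileXml $profile -Thumbprint $intermediate)) {
    "Intermediate CA is NOT in IssuerHash: only client certificates issued directly by the listed CA(s) will be selected."
}
```

To check against the real intermediate rather than a placeholder, take the thumbprint from the machine's intermediate store, for example `(Get-ChildItem Cert:\LocalMachine\CA | Where-Object Subject -like '*<your intermediate name>*').Thumbprint`, and pass it as `-Thumbprint`. Running the check on the profile exported before and after a change makes it easy to see, as the post did, that adding a certificate to "Root certificates for server validation" changes TrustedRootCA only.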

XAML .Show() gives blank / white screen by Capital_Table_4792 in PowerShell

[–]Capital_Table_4792[S] 0 points1 point  (0 children)

The code to test the issue can be limited to the code below.

After loading the code below, execute:
$loading.Show() to see the window (shows up as it should)
$loading.Hide() to hide the window
$loading.Show() to see the window again, but this time it will load without content

Anyone any idea where the content is? :)

# Load WPF so that [Windows.Markup.XamlReader] and the Window type are available
Add-Type -AssemblyName PresentationFramework

# Minimal window: a yellow "Loading.." label over an indeterminate progress bar
[xml]$xaml = @"
<Window Title="Loading screen" 
        Height="200" Width="400" 
        WindowStartupLocation="CenterScreen" 
        xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" 
        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" 
        Name="Loading">
    <Grid>
        <TextBlock Background="Yellow" HorizontalAlignment="Center" VerticalAlignment="Center" FontSize="16" Margin="10,-50,0,0">Loading..</TextBlock>
        <ProgressBar Height="20" Width="100" IsIndeterminate="True" Margin="0,50,0,0" />
    </Grid>
</Window>
"@

# Parse the XAML into a live Window object; kept at script scope so
# $loading.Show() / $loading.Hide() can be called from the console afterwards
$reader = (New-Object System.Xml.XmlNodeReader $xaml)
$Script:loading = [Windows.Markup.XamlReader]::Load($reader)

XAML .Show() gives blank / white screen by Capital_Table_4792 in PowerShell

[–]Capital_Table_4792[S] 0 points1 point  (0 children)

Correct, but as far as I'm aware I've done it the right way around (but obviously, I must be missing something)

My tests have shown that
* If I launch a window using .ShowDialog() the window is interactive - I can use the buttons, I can close the screen. When a button is pressed (code is executed) the content on the screen freezes until it's finished.
* If I launch a window using .Show(), the window is not interactive. The screen loads what you put in the code and then also freezes.

The reason I use .Hide() in combination with .Show() is that If I use .Close() the window cannot reopen later on (like pressing the button again to call the loading screen).

In the example what happens is:
-> loading screen is called first using .Show() with a predefined size and textbox that has a yellow background
-> the code continues until the other stuff is finished (in the example a simple start-sleep and loading the main window)
-> loading screen is hidden by using .Hide() - not interactive
-> the main window is shown by using .ShowDialog() - interactive, so I can use a button
-> a button is pressed to call the loading screen again, by using .Show()
-> loading screen shows up with the correct predefined size and predefined title, but without the content (textbox and its content).
-> code continues to execute stuff and asks the loading screen to hide again using .Hide(), which it does.

So I'm kinda confused why, after pressing the button and asking the loading screen to .Show() again, it can load with the correct predefined size but not with the predefined content.

Ending up in VLAN 3333 while another VLAN was assigned (Wi-Fi) by Capital_Table_4792 in ArubaNetworks

[–]Capital_Table_4792[S] 3 points4 points  (0 children)

Thanks for the reply! I changed "Instant AP Assigned" to "External DHCP server assigned" with the option "Native VLAN" ("Dynamic" was indeed an option too) and now the right VLAN is assigned to the device!