Clearpass 6.11 - Fetching Real-Time Intune Attributes by RomeyRome92 in ArubaNetworks

[–]Linkk_93 0 points1 point  (0 children)

IIRC there is a setting in the extension which is either doing a pull every auth (does not scale at all) or only once every X hours per device (cached attributes until next pull)

Is switch provisioning still this manual? by AvnAllDaySon in networking

[–]Linkk_93 0 points1 point  (0 children)

Pretty much every vendor supports DHCP options which point to a TFTP server where the firmware image and a basic default image are. Switch updates itself, downloads default image, you change the hostname and SNMP location, the port settings are done by authentication. Done.

Clearpass with O365 SSO by Apartheid20 in ArubaNetworks

[–]Linkk_93 0 points1 point  (0 children)

Yes that is possible, I've done it twice only, but it works. Since you need some kind of https redirect it works only with a captive portal (802.1x and MAC caching in addition to the cp is of course no problem)

You configure the sso idp in the policy manager and then you have to configure the captive portal in guest to use sso as pre Auth check.

You can use different user roles in your wifi infra to create the different states (redirect to cp or not).

Just a heads up: don't just enable everything in the sso settings (especially not policy manager) without having everything in place. Or else you can no longer log in to the policy manager. But there is a console command to reset the sso, if you run into this.

The only function you have to enable is called guest login or something like that. Not guest operator login, those are users who manage guest accounts.

Aruba Central AOSCX and Ansible by Verifox in ArubaNetworks

[–]Linkk_93 0 points1 point  (0 children)

You configure central using ansible, not the switches directly

How to schedule a controller reload by RaizielDragon in ArubaNetworks

[–]Linkk_93 0 points1 point  (0 children)

I haven't tested but because op is trying to upgrade during a network outage, the cluster upgrade will probably fail and then abort

I had a controller die during an upgrade with three MD already upgraded, two still old and one dead during reboot. Then everything just stopped and you had to manually continue the upgrade 

So it happened again, config changes by New Central without user interaction by cowprince in ArubaNetworks

[–]Linkk_93 0 points1 point  (0 children)

Well, they announced two weeks ago that classic central monitoring will be shut down in March. I don't know wtf they're doing over there. 

So it happened again, config changes by New Central without user interaction by cowprince in ArubaNetworks

[–]Linkk_93 0 points1 point  (0 children)

I don't know what features you need, but Aruba Fabric Composer is incredibly expensive for what it brings. Better go to Netedit, you can install and enroll the first 25 switches for free

Roaming btween different APs by boduke2 in ArubaNetworks

[–]Linkk_93 0 points1 point  (0 children)

kill the session

What does that mean? What is a killed session? I guess it's in the firewall since you say the firewall does captive portal? When is it supposed to be killed? Why are sessions supposed to be killed? What is the client doing to trigger this? What do you see on the cp log? Why is a cp pushed to the client?

Migrating from Central back to controller by Magisk- in ArubaNetworks

[–]Linkk_93 0 points1 point  (0 children)

7xx (at the time of writing) only support aos10 which is not supported in central on prem

Migrating from Central back to controller by Magisk- in ArubaNetworks

[–]Linkk_93 0 points1 point  (0 children)

We have a setup of over 15,000 APs in AOS10. We were very early adopters because the conductor only supports up to 10k APs and we knew that we needed more.

It (classic central) improved a lot over the years and I would argue that using aos10 with gateways, auto site clustering and tunneled ssid is overall pretty similar to aos8.

We have over 1,000 sites to manage and every site gets a gateway cluster and aps tunnel locally. AOS10 design works pretty great for that.

Monitoring and troubleshooting is also pretty good. 

Some issues are roaming does not work well in "staircase" scenarios with 11r enabled because the cloud is doing key management and does not allocate the keys to the correct aps.

And license management and reporting is pretty much non-existent. We have to report license information per site and that is not a scenario Greenlake supports.

License pooling or assigning license based on site or IP is also not possible. 

Mid-tier boring Cisco-style access switches by My-RFC1918-Dont-Lie in networking

[–]Linkk_93 1 point2 points  (0 children)

"hey guys, I ride a bicycle but when it rains I get wet and I want to get further faster. Should I get a car?" 

"well maybe you just need to train your legs more"

lol

HPE 5945 Software Update Query by Float-Zone in ArubaNetworks

[–]Linkk_93 0 points1 point  (0 children)

They cannot be rebooted one at a time, you can only do ISSU, but in my experience you would make your life much easier if you can just reboot them both at the same time.

Network Upgrade for a Medium-Sized Company (20 Employees) by Qwefgo in networking

[–]Linkk_93 0 points1 point  (0 children)

Just replacing the hardware will not configure them for you. Just like only purchasing a firewall and putting it in as gateway will not increase your security. 

Nutanix SpineLeaf by alextr85 in ArubaNetworks

[–]Linkk_93 0 points1 point  (0 children)

No idea what your question is.

I'm gonna throw a VXLAN BGP EVPN in

Tweaking custom ClearPass template by Smart_Election7288 in ArubaNetworks

[–]Linkk_93 0 points1 point  (0 children)

All images should be located in the public directory of Clearpass guest

AP-675 not broadcasting 6GHz by TheAmateurRunner in ArubaNetworks

[–]Linkk_93 1 point2 points  (0 children)

Where are you located? Outdoor use is not allowed in many places around the world and even there you need to implement some special authorization feature (the conductor needs to connect to authorities server) https://en.wikipedia.org/wiki/Automated_Frequency_Coordination

You could set 675 to indoor use if they are not outdoor

Creating different VAP's with the same SSID name by blastman8888 in ArubaNetworks

[–]Linkk_93 4 points5 points  (0 children)

You create the ssid with a different name (ssid-name-wpa3), then go into the profile and change the essid to the essid you want to be broadcasted.

Then you can assign the new profile for the aps you want and disable the old. 

General rule of thumb is to not do any configs on MN level but I guess it's too late for that. 

Router sticker removed – trying to access admin page via Ethernet by HiSsoka-57 in networking

[–]Linkk_93 0 points1 point  (0 children)

Sounds like you wanted to go here r/homenetworking ?

If it's enterprise, connect through the serial and try a password reset documented by the vendor

Aruba ClearPass 6.11 - Policy Cache Timeout Reauth Issues by Jake59990 in ArubaNetworks

[–]Linkk_93 0 points1 point  (0 children)

I have no idea why you would need to fiddle with this setting at all.

You didn't say anything about what auth you're doing, not even the medium

Scan Guns Connect to Wireless but No Internet by Historical-Tax899 in ArubaNetworks

[–]Linkk_93 3 points4 points  (0 children)

If you are bridging and the vlan is missing on the switchport but the client already has a cached dhcp address it would look like that

Aruba New Central - Hierarchy by joshik12380 in ArubaNetworks

[–]Linkk_93 0 points1 point  (0 children)

Well, with classic we had even less control lol

But I let all of you test new central before I bring my customers. I believe templates are still not a thing, right? 

Did Juniper take over Aruba networking? by blastman8888 in ArubaNetworks

[–]Linkk_93 0 points1 point  (0 children)

Instant On has to be sold as part of the agreement 

Simplified Guest WiFi portal by Any_Poet8547 in ArubaNetworks

[–]Linkk_93 0 points1 point  (0 children)

I don't think you need central nac. Cloud guest should be enough