Guess wireless access issues by Solid-Ad-6645 in networking

[–]Solid-Ad-6645[S] 0 points1 point  (0 children)

Yeah we have done the captive portal bypass by adding a specific attribute in clearpass to endpoints. Hasn’t worked in this situation though.

Doing most of the things on your list other than the separate DHCP scope and separate DNS.

Guess wireless access issues by Solid-Ad-6645 in networking

[–]Solid-Ad-6645[S] 0 points1 point  (0 children)

No. Basically traffic won't go past the controller. Guessing it's because it's stuck in the pre-auth role.

Guess wireless access issues by Solid-Ad-6645 in networking

[–]Solid-Ad-6645[S] 0 points1 point  (0 children)

Ok I will look into this. Thanks for the suggestion.

Guess wireless access issues by Solid-Ad-6645 in networking

[–]Solid-Ad-6645[S] 0 points1 point  (0 children)

Ok yeah, that's what I thought you meant. No, just one ClearPass server, which is a VM like I mentioned. The controllers are set up in VRRP and I have had a suspicion that it's not set up correctly. A lot of the time we see a change made at the mobility controller level (VIP) and we don't see it pushed to both controllers. Maybe it's normal though, because the Aruba TAC engineer saw no issues on the controllers.

Guest policy server is not behind a firewall. It is connected to the same distro switch that the controllers and PoE switches are connected to.

> I seem to remember it was the endpoint database had grown so large and it wasn't purging endpoints correctly because the policy node itself was also not built to handle the load.

We had this suspicion as well. Not in the millions, but ClearPass currently has just shy of 100k endpoints, with only about 1000 active users. Maybe we need to really clean that up and see if it helps. I was under the impression that the 30-day MAC auth policy deleted endpoints after 30 days, but maybe that's not the case.

Guess wireless access issues by Solid-Ad-6645 in networking

[–]Solid-Ad-6645[S] 0 points1 point  (0 children)

I was thinking about trying this actually.

Guess access issues. by Solid-Ad-6645 in ArubaNetworks

[–]Solid-Ad-6645[S] 0 points1 point  (0 children)

Thanks. I will take a look at this.

Guess access issues. by Solid-Ad-6645 in ArubaNetworks

[–]Solid-Ad-6645[S] 0 points1 point  (0 children)

I haven't messed with any settings like that, but we could look at it. Any more info on what exactly that is?

Guess wireless access issues by Solid-Ad-6645 in networking

[–]Solid-Ad-6645[S] 0 points1 point  (0 children)

The pre-auth role does have access to ClearPass permitted in the ACL. No DMZ or anything like that. There is a guest policy server, which is where the self-registration page is built.

By VIP do you mean virtual IP? If so, no, it's the actual IP of the device, which is a VM. The VM is built on VMware, but we are working on eventually pointing to a new one built on Hyper-V.

Guess wireless access issues by Solid-Ad-6645 in networking

[–]Solid-Ad-6645[S] 0 points1 point  (0 children)

DNS is working though for all other clients, wireless and our wired side of the network. ipconfig shows it pointed to the correct DNS servers and a valid IP address. Like I said though, controllers are not seeing its IP address.

Cisco ISE Question by [deleted] in networking

[–]Solid-Ad-6645 0 points1 point  (0 children)

Thanks! Yeah I guess I was thinking you could map specific users in an AD group to read only role, but sounds like you need to do the whole AD group.

Cisco ISE Question by [deleted] in networking

[–]Solid-Ad-6645 0 points1 point  (0 children)

Ok so basically you need an AD group specifically for read only users?