Clearpass Endpoint Status Update Not working in all cases

  • 1.  Clearpass Endpoint Status Update Not working in all cases

    Posted Mar 26, 2026 09:43 AM

    Hello,

    We deployed a Guest Access Wireless LAN with a Captive Portal where users authenticate against M365 Accounts and a second service using a defined time range to skip captive portal authentication via MAC CACHING.

    Therefore the Endpoint has to be marked as "KNOWN" to make sure the user has to perform the Captive Portal Authentication with his device first. 

    Now customers report that the MAC CACHING doesn't work properly.

    We discovered the issue that not all Endpoints have the Updated Status. We can't find a problem in our Services. The Enforcement Policy in the Captive Portal Service is chosen correctly and the system defined profile [Update Endpoint Known] is applied.

    Did anyone encounter a similar problem or has a clue/hint where to track if the Status Update was performed correctly?

    Best Regards 



    -------------------------------------------


  • 2.  RE: Clearpass Endpoint Status Update Not working in all cases

    Posted 30 days ago

    In order to do MAC Caching, it's not needed to change the endpoint status to known. If you use the [Allow ALL MAC Auth] method, any MAC address passes authentication, and you can in the policy decide what role/policy to return or even reject the authentication.

    If the [Update Endpoint Known] is performed, and there is a MAC address known in Access Tracker for the request where you apply the update profile, it should update. If you use the WEBAUTH, it may be that the client's MAC address is not available depending on the exact configuration of your workflow, and you may use the RADIUS request which has the client MAC to update the endpoint.

    It should be possible to resolve this: go through it step by step and find where the issue is. If you are not familiar with ClearPass, it may be best to work with your partner or TAC for fastest resolution.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------