Finally got some time to continue with this. The video's definitely helped => created a few new services in Clearpass and those were apparently a part of the puzzle :-)
We got a big step forward, it's almost working as it should now! The most important changes done:
- pre-auth set to "none" instead of radius
- at login > Address ==> instead of our captive portal URL, configured the default again: securelogin.arubanetworks.com
==> with these 2 the whole login kind of worked already
- in service WS_Guest_Wireless MAC Authentication: enforcement of line 2 (matches ANY) put on Deny instead of accept => to redirect expired accounts again to the the registration page.
Now we have 2 small issues left:
1) a new user needs to click "login" twice before it works for him. I would like to get it working after clicking login once.
2) there's a temporary redirect during the pre-authentication towards https://securelogin.arubanetworks.com. The user needs to click "continue anyway" in the browser to be able to continue in the authentication process. How can we "remove" this extra user action from the process?
Thanks in advance!
-------------------------------------------
Original Message:
Sent: Mar 19, 2026 10:35 AM
From: bramdh
Subject: Guest role pushing on Airwave managed APs through Clearpass
Hi Pavan,
we use IAP's and the role does not change on any moment, I followed up in the CLI of the AP where the test device was connected on.
We also don't use ACL's on the AP, so those should not be a problem.
Original Message:
Sent: Mar 18, 2026 03:33 PM
From: Pavan Arshewar
Subject: Guest role pushing on Airwave managed APs through Clearpass
It appears that the configuration is being managed from AirWave, so the issue needs to be checked on the NAD device. Please verify whether the user role changes on the controller after the access success message from ClearPass. If there is no role change, this indicates an issue with either RADIUS CoA (confirm that CoA is enabled in the enforcement profile) or improperly configured ACL rules in the controller's AP profile.
------------------------------
Pavan Arshewar
Technical Lead Aruba ERT
If my post addresses your query, give kudos!
Note: Please note that the views, opinions, and statements expressed are solely my own and are provided in my personal capacity. They do not represent, reflect, or bind the Aruba HPE Networking in any manner.
Original Message:
Sent: Mar 18, 2026 05:28 AM
From: bramdh
Subject: Guest role pushing on Airwave managed APs through Clearpass
Hi,
we are working on a self registration guest setup. The idea is: the guest fills in his/her email address and accepts the terms & conditions, clicks register and receives a generated password that is valid for 1 day. With this account that person should have internet access.
Where we are now: the setup guest can connect to this SSID, gets the captive portal asking for email address etc, gets the generated password, but after that we are in a loop registering again. There's also an option to sign in if the credentials are there already, but also when trying this, we arrive in the same loop where it asks for the email address etc again.
In Clearpass I see the user is accepted and the enforcement profile is pushed, but on the AP (managed by Airwave), the role doesn't change.
Below you can find a screenshot of the Airwave config we currently have.
Can somebody help us with some inspiration that could help us in getting this working, please? :-)
Thanks in advance!
-------------------------------------------