This is probably a very niche use case, but wondering if anyone else is using MAC re-authentication with ClearPass and firewall REST APIs.
I've recently implemented mPSK for our IoT devices using CCPM and our AOS 8 Mobility Conductor managed network and it's working great.
As a next step, I'm wanting to use ClearPass to send the username and group of the device to our firewall to do role-based firewall rules and put the device name in the logs. This works fine using the firewall's REST API. The sticking point is the session timeout. I want to add a session timeout on the firewall so IP <> Device mappings don't exist forever should the accounting stop packet get lost somewhere. The problem is IoT devices tend to stay connected forever (like mobile point-of-sale terminals that are always on and just move around the building but never lose signal).
To combat this, I've enabled re-authentication on the MAC Auth profile on the controllers and I can see this is successfully working in the ClearPass Access Tracker.
Unfortunately the controller carries on updating the original accounting session so ClearPass doesn't send an update to the firewall API as it would only do that if a new accounting session was created. This results in the session timing out on the firewall and the identity based rules no longer applying.
I've worked with ClearPass TAC which found the issue about the accounting info not being sent from the controller and am working with the AOS TAC on the issue now but wanted to check if anyone else has attempted this type of setup before.
The only way to get around this at the moment seems to be to disable the identity session timeout on the firewall, or up it to a sufficiently long time, like 1 month.
Anyone got any ideas?