I've accepted this as the solution, with a caveat*. I was actually thinking something along these lines last night before I saw your reply. I ended up doing something similar, with the main configuration change being on the ClearPass side, as your reply suggests. Rather than simply checking against the MAC registration database and passing an accept or reject, I added an enforcement profile which states that if the MAC is in the database, simply pass an access-accept, but if the MAC is not in the database, then still pass the access-accept but with a user role of Onboarding-Logon. I then created an Onboarding-Logon group policy in Meraki so I can lock down a device that gets on this way, so it can't just use it as free unauthenticated access to the network. Unfortunately, since this would be a mixed environment until all of our Aruba equipment reaches end of life, it has to operate the same for the end user, so WPN will not work for us (yet). Thank you for the suggestion, this is just another reason I like Meraki better than Aruba!