Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
Sometimes customers want to enforce that only registered MAC address can pass the 802.1x authentication. However, enabling both MAC address authentication and 802.1x authentication does not work as expected.
The reason is mainly due to the fact that EAPoL is not blocked even if the user fails the MAC address authentication, as a result, 802.1x authentication will always take place.
To enforce that only registered MAC address can pass the 802.1x authentication, proper RADIUS authentication access policy must be used to configure additional checking on the "Calling-Station-Id" attribute in the remote access policy. By default, ArubaOS sends the RADIUS access request with the client's MAC address in the "Calling-Station-Id" attribute field with the format "aabbccddeeff".
This example shows that only client MAC address 00:11:22:33:44:55 or 00:22:33:44:55:66 are allowed to authenticate.
The advantage of this approach is that it is easier for the administrator to control and support the following scenarios at the same time:
- A username can only authenticate from one MAC address.
- A group of usernames can only authenticate from a group of MAC addresses.
- Some usernames can authenticate from any MAC address.
Note: If you are using EAP-termination on the ArubaOS, there is a bug in ArubaOS versions before 18.104.22.168 that the Calling-Station-Id attribute is not included in the RADIUS access request.