Q:
Clients are skipping MAC auth when connected to an open SSID configured with MAC authentication.
A: In this scenario, clients are connecting to an open-system SSID configured for MAC authentication.
The following sequence occurs in this setup:
1. If the MAC address of the user is added to the controller's internal database before the device connects to the wireless network, authentication works fine.
2. If we connect a user whose MAC address is not part of the internal database, MAC authentication fails, as expected.
Now, if the MAC address is then added to the database and we reconnect the device, it still gets stuck and never passes MAC authentication.
May 25 02:13:21 station-down * 00:1e:65:71:1f:44 24:de:c6:26:1f:b0 - -
May 25 04:34:07 mac-auth-skip * 00:1e:65:71:1f:44 24:de:c6:26:1f:b0 - - no registration
The "mac-auth-skip ... no registration" entry shows that the controller skipped MAC authentication for this client.
This happens because the "registration-role" knob is not enabled in the role mapped to the initial-role field of the AAA profile. The CLI help for the knob reads:
registration-role Mark as Registation Role to not cache layer2 auth status. Use only with Open-system Opmode
The controller caches the MAC authentication status whether it failed or succeeded, so a client whose first attempt failed keeps that cached failure and is not re-authenticated when it reconnects, even after its MAC address has been added to the database. To make the controller query the authentication server for the MAC address again, enable the registration-role knob in the initial role (as the CLI help states, use it only with open-system opmode).
After enabling the knob, the following logs appear.
For example, assume the initial role mapped to the AAA profile is "logon":
(Aruba) (config) #user-role logon
(Aruba) (config-role) #registration-role
(Aruba) (config-role) #!
(Aruba) (config) #write memory
Auth Trace Buffer
-----------------
May 25 04:34:07 mac-auth-skip * 00:1e:65:71:1f:44 24:de:c6:26:1f:b0 - - no registration
May 25 04:34:07 station-up * 00:1e:65:71:1f:44 24:de:c6:26:1f:b0 - - open system
May 25 04:34:52 station-down * 00:1e:65:71:1f:44 24:de:c6:26:1f:b0 - -
May 25 04:35:17 mac-auth-req -> 00:1e:65:71:1f:44 24:de:c6:26:1f:b0 - -
May 25 04:35:17 mac-auth-success <- 00:1e:65:71:1f:44 24:de:c6:26:1f:b0 - -
The mac-auth-req entry shows that the MAC authentication request is now generated, and it is followed by mac-auth-success.
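To spot this symptom across many clients, the following added Python example (not from this page or from Aruba) parses auth trace buffer lines in the format shown above and flags clients whose MAC auth was skipped with "no registration" and never followed by a mac-auth-req. The line format assumed is the one quoted on this page; the sample trace is constructed from the page's lines plus one hypothetical second client.

```python
import re

# Constructed sample trace modelled on the lines quoted above; the second client
# (aa:bb:cc:dd:ee:01) is hypothetical and illustrates a client still stuck.
SAMPLE_TRACE = """\
May 25 04:34:07 mac-auth-skip * 00:1e:65:71:1f:44 24:de:c6:26:1f:b0 - - no registration
May 25 04:34:07 station-up * 00:1e:65:71:1f:44 24:de:c6:26:1f:b0 - - open system
May 25 04:34:52 station-down * 00:1e:65:71:1f:44 24:de:c6:26:1f:b0 - -
May 25 04:35:17 mac-auth-req -> 00:1e:65:71:1f:44 24:de:c6:26:1f:b0 - -
May 25 04:35:17 mac-auth-success <- 00:1e:65:71:1f:44 24:de:c6:26:1f:b0 - -
May 25 04:36:02 mac-auth-skip * aa:bb:cc:dd:ee:01 24:de:c6:26:1f:b0 - - no registration
May 25 04:36:02 station-up * aa:bb:cc:dd:ee:01 24:de:c6:26:1f:b0 - - open system
"""

# Assumed layout: "<Mon> <day> <HH:MM:SS> <event> <dir> <client-mac> <bssid> <f1> <f2> [detail]"
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<event>\S+) (?P<dir>\S+) "
    rf"(?P<client>{MAC}) (?P<bssid>{MAC}) (?P<f1>\S+) (?P<f2>\S+)(?: (?P<detail>.*))?$"
)

def parse_trace(text):
    """Return one dict per parseable trace line, in file order; other lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def clients_stuck_on_cached_skip(events):
    """Clients skipped with 'no registration' that never saw a later mac-auth-req:
    the symptom of an initial role without the registration-role knob."""
    skipped, requested = set(), set()
    for ev in events:
        if ev["event"] == "mac-auth-skip" and "no registration" in (ev["detail"] or ""):
            skipped.add(ev["client"])
        elif ev["event"] == "mac-auth-req":
            requested.add(ev["client"])
    return sorted(skipped - requested)

def last_mac_auth_event(events, client):
    """Name of the most recent mac-auth-* event for a client, or None if there is none."""
    last = None
    for ev in events:
        if ev["client"] == client and ev["event"].startswith("mac-auth-"):
            last = ev["event"]
    return last

if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    print("stuck clients:", clients_stuck_on_cached_skip(evs))
```

Run it against the output of the controller's auth trace buffer to list clients that are still being skipped after the knob is enabled, which points at a role other than the one you edited.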