That's the thing. MAC Authentication is NOT set up. It's not playing ANY role that I know of. Here is the complete {sanitized} configuration:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2018.06.20 08:35:56 =~=~=~=~=~=~=~=~=~=~=~=
sho run
version 6.5.4.0-6.5.4
virtual-controller-country US
virtual-controller-key 985baa4b011e18df092552c6af3b0e8a86633190c8303b94b6
name {sanitizedHospitalityPropertyInitials}_Wireless
virtual-controller-ip {sanitizedIPAddress}
terminal-access
ntp-server pool.ntp.org
clock timezone none 00 00
rf-band all
allow-new-aps
allowed-ap {sanitizedAP01MAC}
allowed-ap {sanitizedAP02MAC}
allowed-ap {sanitizedAP03MAC}
allowed-ap {sanitizedAP04MAC}
allowed-ap {sanitizedAP05MAC}
allowed-ap {sanitizedAP06MAC}
allowed-ap {sanitizedAP07MAC}
allowed-ap {sanitizedAP08MAC}
allowed-ap {sanitizedAP09MAC}
allowed-ap {sanitizedAP10MAC}
allowed-ap {sanitizedAP11MAC}
allowed-ap {sanitizedAP12MAC}
allowed-ap {sanitizedAP13MAC}
allowed-ap {sanitizedAP14MAC}
allowed-ap {sanitizedAP15MAC}
allowed-ap {sanitizedAP16MAC}
allowed-ap {sanitizedAP17MAC}
allowed-ap {sanitizedAP18MAC}
allowed-ap {sanitizedAP19MAC}
allowed-ap {sanitizedAP20MAC}
allowed-ap {sanitizedAP21MAC}
allowed-ap {sanitizedAP22MAC}
allowed-ap {sanitizedAP23MAC}
allowed-ap {sanitizedAP24MAC}
allowed-ap {sanitizedAP25MAC}
allowed-ap {sanitizedAP26MAC}
allowed-ap {sanitizedAP27MAC}
allowed-ap {sanitizedAP28MAC}
allowed-ap {sanitizedAP29MAC}
allowed-ap {sanitizedAP30MAC}
allowed-ap {sanitizedAP31MAC}
allowed-ap {sanitizedAP32MAC}
allowed-ap {sanitizedAP33MAC}
allowed-ap {sanitizedAP34MAC}
allowed-ap {sanitizedAP35MAC}
allowed-ap {sanitizedAP36MAC}
allowed-ap {sanitizedAP37MAC}
allowed-ap {sanitizedAP38MAC}
allowed-ap {sanitizedAP39MAC}
allowed-ap {sanitizedAP40MAC}
allowed-ap {sanitizedAP41MAC}
allowed-ap {sanitizedAP42MAC}
allowed-ap {sanitizedAP43MAC}
allowed-ap {sanitizedAP44MAC}
allowed-ap {sanitizedAP45MAC}
arm
wide-bands 5ghz
80mhz-support
min-tx-power 18
max-tx-power 127
band-steering-mode prefer-5ghz
air-time-fairness-mode default-access
client-aware
scanning
syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless
extended-ssid
user Guest {sanitizedHash} portal
user {sanitizedHospitalityPropertyEntertainmentVenue} {sanitizedHash} portal
user {sanitizedHospitalityPropertyInitials}staff {sanitizedHash} radius
hash-mgmt-password
hash-mgmt-user admin password hash {sanitizedHash}
wlan access-rule TEST
index 0
rule any any match any any any permit
wlan access-rule default_wired_port_profile
index 1
rule any any match any any any permit
wlan access-rule wired-SetMeUp
index 2
rule masterip 0.0.0.0 match tcp 80 80 permit
rule masterip 0.0.0.0 match tcp 4343 4343 permit
rule any any match udp 67 68 permit
rule any any match udp 53 53 permit
wlan access-rule {sanitizedHospitalityProperty}
index 3
rule any any match any any any permit
wlan access-rule "{sanitizedHospitalityPropertyBallroom}"
index 4
rule any any match any any any permit
wlan access-rule {sanitizedHospitalityPropertyInitials}staff
index 5
rule any any match any any any permit
wlan access-rule {sanitizedHospitalityPropertyEntertainmentVenue}
index 6
rule any any match any any any permit
wlan ssid-profile TEST
enable
index 0
type guest
essid TEST
wpa-passphrase {sanitizedHash}
opmode wpa2-psk-aes
max-authentication-failures 0
vlan 172
rf-band all
captive-portal internal
hide-ssid
dtim-period 1
broadcast-filter arp
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
wlan ssid-profile NapaRiverInn
enable
index 1
type guest
essid {sanitizedHospitalityProperty}_Wifi
opmode opensystem
max-authentication-failures 0
vlan 172
auth-server InternalServer
rf-band all
captive-portal internal
dtim-period 1
inactivity-timeout 14400
broadcast-filter arp
radius-reauth-interval 2880
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
wlan ssid-profile "{sanitizedHospitalityPropertyBallroom}"
enable
index 2
type guest
essid "{sanitizedHospitalityPropertyBallroom}_Wifi"
opmode opensystem
max-authentication-failures 0
vlan 172
auth-server InternalServer
rf-band all
captive-portal internal
hide-ssid
dtim-period 1
broadcast-filter arp
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
wlan ssid-profile {sanitizedHospitalityPropertyInitials}staff
enable
index 3
type employee
essid {sanitizedHospitalityPropertyInitials}staff
opmode wpa2-aes
max-authentication-failures 10
vlan 100
auth-server InternalServer
rf-band all
captive-portal disable
l2-auth-failthrough
hide-ssid
dtim-period 1
broadcast-filter arp
enforce-dhcp
radius-reauth-interval 2880
blacklist
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
wlan ssid-profile {sanitizedHospitalityPropertyEntertainmentVenue}
enable
index 4
zone {sanitizedHospitalityPropertyEntertainmentVenue}
type guest
essid {sanitizedHospitalityPropertyEntertainmentVenue}
opmode opensystem
max-authentication-failures 0
vlan 172
auth-server InternalServer
rf-band all
captive-portal internal
dtim-period 1
broadcast-filter arp
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
auth-survivability cache-time-out 24
wlan captive-portal
background-color 6176415
banner-color 16777215
redirect-url "https://www.{sanitizedHospitalityProperty}.com/"
banner-text "{sanitizedHospitalityProperty} Guest Wifi"
terms-of-use "Please read terms and conditions before using Guest Network"
use-policy "=================="
authenticated
wlan external-captive-portal
server localhost
port 80
url "/"
auth-text "Authenticated"
auto-whitelist-disable
https
blacklist-time 3600
auth-failure-blacklist-time 3600
ids
wireless-containment none
infrastructure-detection-level low
wired-port-profile wired-SetMeUp
switchport-mode access
allowed-vlan all
native-vlan guest
no shutdown
access-rule-name wired-SetMeUp
speed auto
duplex auto
no poe
type guest
captive-portal disable
no dot1x
wired-port-profile default_wired_port_profile
switchport-mode trunk
allowed-vlan all
native-vlan 1
shutdown
access-rule-name default_wired_port_profile
speed auto
duplex full
no poe
type employee
captive-portal disable
no dot1x
enet0-port-profile default_wired_port_profile
uplink
preemption
enforce none
failover-internet-pkt-lost-cnt 10
failover-internet-pkt-send-freq 30
failover-vpn-timeout 180
airgroup
disable
airgroupservice airplay
disable
description AirPlay
airgroupservice airprint
disable
description AirPrint
firewall-external-enforcement pan
ip {sanitizedIPAddress}
user iap-admin {sanitizedHash}
disable
clarity
inline-sta-stats
inline-auth-stats
inline-dhcp-stats
inline-dns-stats
cluster-security
allow-low-assurance-devices
HM-2 {sanitizedHospitalityPropertyBallroom} Back#