Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Check external ClearPass endpoint database

  • 1.  Check external ClearPass endpoint database

    Posted Jul 27, 2015 06:21 PM

    I have a 25k high-capacity guest for external users and a 5k for internal dot1x. When connecting to the public SSID via the 25k, I want to reference the endpoint repository on the 5k to see if the MAC address exists on it and, if so, drop the access at the 25k. I tried this with RADIUS proxy, but the device shows up as an endpoint in the 5k. Also, I have to use a RADIUS proxy service rule, which is different than generic RADIUS. So I tried the generic SQL database using the appexternal and I can get connected, but there is a problem with my query string. This part is still new to me. So basically I want to check the 5k endpoint DB and, if the calling station MAC address exists, then return the role of drop the connection. When I trip the service I get the error Failed to get value for attributes=[mac-check-db].

     




  • 2.  RE: Check external ClearPass endpoint database

    EMPLOYEE
    Posted Jul 27, 2015 06:24 PM
    Can you post the query you're using?


    Thanks,
    Tim


  • 3.  RE: Check external ClearPass endpoint database

    Posted Jul 27, 2015 07:39 PM

    Thanks for the followup.

    SELECT mac FROM endpoints where mac = '%{Radius:IETF:Calling-Station-Id}';



  • 4.  RE: Check external ClearPass endpoint database

    EMPLOYEE
    Posted Jul 27, 2015 07:45 PM
    Can you try using Connection:Client-Mac-Address-Lower instead of calling station ID?


    Thanks,
    Tim


  • 5.  RE: Check external ClearPass endpoint database

    Posted Jul 27, 2015 09:20 PM

    This is the information from the Alerts tab now.

    Failed to construct filter=SELECT mac FROM endpoints where mac = '%{Connection:Client-Mac-Address-Lower}';
    .
    Failed to get value for attributes=[mac-check-db]

    Here is how I entered it.

    SELECT mac FROM endpoints where mac = '%{Connection:Client-Mac-Address-Lower}';