Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

IAP 802.1x session getting Deny All role without MAC auth being used.

  • 1.  IAP 802.1x session getting Deny All role without MAC auth being used.

    Posted Aug 30, 2016 09:43 PM

    I have an ssid-profile that has no MAC authentication configured, neither perform before 1x nor fail-thru.  So I would not expect to see a user earn the Deny All role.

    Yet I have one that has earnt that role.  And nothing I can seem to do will fix it.  Even if he connects to a different IAP.

    I can see on the CPPM server that his auth request is not even coming through.  I have hundreds of other users at the site having no problem.  Just this one user.

    This is how my config for the SSID looks.

    wlan ssid-profile XXX
     enable
     index 1
     type employee
     essid XXX
     opmode wpa2-aes
     max-authentication-failures 0
     vlan 550
     auth-server XXXAuthServer
     rf-band all
     captive-portal disable
     dtim-period 1
     inactivity-timeout 14400
     broadcast-filter arp
     g-min-tx-rate 11
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 18
     max-clients-threshold 64
     okc

    Anyone have any idea how the user got that role and how to fix it?
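One way to triage the symptom described in this post (a client sitting in the Deny All role while no request for it ever reaches ClearPass) is to correlate the IAP's per-client role events with the RADIUS requests the ClearPass server actually received, keyed on MAC address. The script below is an added example written for this thread, not HPE Aruba, ClearPass or the poster's code. Both log layouts, the timestamps, MACs and the NAS address are constructed for illustration and do not reproduce the real IAP syslog or ClearPass Access Tracker formats; the two regexes are the part to adapt to a real export.

```python
"""Find clients that landed in a deny role with no RADIUS request behind them.
Added example for this thread, not HPE Aruba or ClearPass code. The log
formats below are constructed; adapt ROLE_RE and REQ_RE to real exports."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-client role events as an IAP might report them (hypothetical format).
IAP_ROLE_EVENTS = """\
2016-08-30T21:10:02 client=aa:bb:cc:dd:ee:01 ssid=XXX role=employee reason=dot1x-success
2016-08-30T21:10:05 client=aa:bb:cc:dd:ee:02 ssid=XXX role=employee reason=dot1x-success
2016-08-30T21:11:40 client=aa:bb:cc:dd:ee:03 ssid=XXX role="Deny All" reason=unknown
2016-08-30T21:12:07 client=aa:bb:cc:dd:ee:04 ssid=XXX role="Deny All" reason=mac-auth-failed
"""

# Constructed RADIUS requests as seen on the ClearPass side (hypothetical format).
# The MAC notation deliberately differs: NAS and RADIUS server rarely agree on it.
CPPM_REQUESTS = """\
2016-08-30T21:10:01 nas=10.1.55.2 calling-station-id=AA-BB-CC-DD-EE-01 service=Dot1X outcome=ACCEPT
2016-08-30T21:10:04 nas=10.1.55.2 calling-station-id=AA-BB-CC-DD-EE-02 service=Dot1X outcome=ACCEPT
2016-08-30T21:12:06 nas=10.1.55.2 calling-station-id=AA-BB-CC-DD-EE-04 service=MAC-Auth outcome=REJECT
"""

ROLE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<mac>\S+) ssid=(?P<ssid>\S+) '
    r'role=(?:"(?P<qrole>[^"]*)"|(?P<role>\S+)) reason=(?P<reason>\S+)$'
)
REQ_RE = re.compile(
    r'^(?P<ts>\S+) nas=(?P<nas>\S+) calling-station-id=(?P<mac>\S+) '
    r'service=(?P<service>\S+) outcome=(?P<outcome>\S+)$'
)


def normalize_mac(raw):
    """Canonicalise any common MAC notation to lower-case colon form."""
    hexdigits = "".join(ch for ch in raw.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_role_events(text):
    """Yield one dict per IAP role event; non-matching lines are skipped."""
    for line in text.splitlines():
        m = ROLE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.fromisoformat(m["ts"]),
            "mac": normalize_mac(m["mac"]),
            "ssid": m["ssid"],
            "role": m["qrole"] if m["qrole"] is not None else m["role"],
            "reason": m["reason"],
        }


def parse_requests(text):
    """Yield one dict per RADIUS request line on the ClearPass side."""
    for line in text.splitlines():
        m = REQ_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.fromisoformat(m["ts"]),
            "mac": normalize_mac(m["mac"]),
            "service": m["service"],
            "outcome": m["outcome"],
        }


def denied_without_auth(iap_text, cppm_text, deny_role="Deny All",
                        window=timedelta(seconds=60)):
    """Return deny-role events with no RADIUS request for that MAC within `window`.
    A deny that pairs with a REJECT is the documented MAC-auth failure path;
    a deny with no request at all is the anomaly this post describes."""
    requests = defaultdict(list)
    for req in parse_requests(cppm_text):
        requests[req["mac"]].append(req)
    flagged = []
    for ev in parse_role_events(iap_text):
        if ev["role"] != deny_role:
            continue
        nearby = [r for r in requests[ev["mac"]] if abs(r["ts"] - ev["ts"]) <= window]
        if not nearby:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in denied_without_auth(IAP_ROLE_EVENTS, CPPM_REQUESTS):
        print("%s %s on %s: role %r with no RADIUS request (reason=%s)"
              % (ev["ts"].isoformat(), ev["mac"], ev["ssid"], ev["role"], ev["reason"]))
```

Run against real exports, the events that come back are the ones worth attaching to the TAC case: a Deny All that pairs with a RADIUS reject is the documented MAC-auth failure path, while one with no request at all within the window is exactly the case this thread asks about, and the matching IAP tech-support output for that client and time is what the support engineer will need.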



  • 2.  RE: IAP 802.1x session getting Deny All role without MAC auth being used.

    EMPLOYEE
    Posted Aug 31, 2016 04:56 AM

    We will need the tech support from the IAP to determine what is happening.



  • 3.  RE: IAP 802.1x session getting Deny All role without MAC auth being used.

    Posted Aug 31, 2016 04:21 PM

    Joseph,

     

    I will open a TAC case for that.  Can't share that info in a public forum because it is a production customer network.

    I was posting more along the lines of finding out HOW a user can earn a Deny All.  I know that if you are using MAC auth you can get that if you fail it.  That is documented.

    But there is nothing documented about how a user can earn that if we are not using MAC auth, as is our case.

    I am suspecting it is something undocumented.  Perhaps the endpoint's 802.1x supplicant is not running and because there is no 1x auth to fail it earns the Deny All.

    It just seems so strange that it is not documented anywhere how a user can receive a Deny All role.



  • 4.  RE: IAP 802.1x session getting Deny All role without MAC auth being used.

    EMPLOYEE
    Posted Aug 31, 2016 04:38 PM

    802.1x needs to pass before any traffic moves.  If that is not happening, we need to get to the bottom of that.



  • 5.  RE: IAP 802.1x session getting Deny All role without MAC auth being used.

    Posted Aug 31, 2016 04:43 PM

    Joseph,

     

    I understand this.  But specifically I want to focus on HOW a user can earn a Deny All role!

    We know that they can earn it if they fail a MAC auth.

    How ELSE can they earn it?  I can't find any other documented reason that they can earn a Deny All role other than the failed MAC auth.

    I am not using MAC auth, so that cannot be the reason the user has earnt the role.

    What other UNDOCUMENTED reasons can a user earn a Deny All role?

    If we have an SSID configured to use 802.1x auth ONLY, and a user does not have a working 802.1x supplicant, what happens to that user?  Will they earn a Deny All role?  If this is true, why is it not documented?

    Do you understand where I am coming from?  Ignore my specific problem and focus upon the question at hand.

    "What scenarios can result in a user earning a Deny All role?"



  • 6.  RE: IAP 802.1x session getting Deny All role without MAC auth being used.

    EMPLOYEE
    Posted Aug 31, 2016 10:28 PM

    I don't know, actually.



  • 7.  RE: IAP 802.1x session getting Deny All role without MAC auth being used.

    Posted Jan 10, 2017 09:34 AM

    I don't find that being an acceptable answer. We might be having the same/similar problem and having the correct answer could help us out.



  • 8.  RE: IAP 802.1x session getting Deny All role without MAC auth being used.

    EMPLOYEE
    Posted Jan 10, 2017 09:59 AM

    You are asking how many ways a system can be broken so that the deny all rule is applied.  I honestly don't know.  You can instead ask "how can I configure something properly".  I can answer that question.