11-30-2016 08:48 AM
I have a Hidden SSID set up for only MAC Auth. It is set up so only a specific 30 clients can connect. The SSID is open, and these clients should connect and authenticate using Internal DB.
Currently this setup is working great, but for some reason certain clients won't authenticate. They will connect to the SSID and get an initial role, and then nothing. I've tried deleting them and re-adding them from the internal DB. I've tried disconnecting and reconnecting them, and even deleting them from the controller. Every time they connect they end up stuck in the initial role. Meanwhile 24 or so of these clients authenticate without any issue.
All the clients are connecting to 1 of 2 APs, same group, same controller, same AAA profile, same everything.
11-30-2016 09:20 AM
Enable user debugging for the clients that have issues: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=21076
Aruba Customer Engineering
11-30-2016 09:44 AM
Attached log of user specific debug.
This line leads me to believe the authentication is simply failing:
Nov 30 12:32:26 :522190: <DBUG> |authmgr| MAC=74:72:f2:36:ec:48 IP=0.0.0.0: MAC auth fail: entry-type=L2, bssid=18:64:72:36:d1:f5.
However, still not sure why.
11-30-2016 09:48 AM
Are all usernames and passwords in the internal DB set up in the same format (case and delimiter)? For example, lowercase with colons, etc.? Check your MAC Authentication profile for the format it is expecting and make sure the account in the internal DB is set up right.
Also, what role do you have set up for the failing accounts in the internal DB? This may be overwriting the MAC Authentication default role.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
11-30-2016 09:56 AM
MAC profile is expecting lower case and colon.
Username and Password set to 74:72:f2:36:ec:48
User role in local database and default MAC Authenticated default role are set to the same role, so if either one is taking preference, it should be a success.
Only Initial role is ever given to use.