Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

WPA2 with PSK authentication - what do I miss?!?!

  • 1.  WPA2 with PSK authentication - what do I miss?!?!

    Posted Dec 14, 2012 03:13 AM

    I created a simple SSID with WPA2 PSK authentication. I would like to add MAC authentication. I created an AAA authentication MAC profile. I attached the profile to the AAA profile and chose the internal database as the server group for MAC authentication.


    I added one MAC address to the database with colon as separator. The strange thing is that every MAC address can still authenticate. I did a user-debug on one client and I see that MAC authentication is failing, but the client is still connected to the SSID and receives the initial user role.


    This is the output from the log.


    Dec 14 09:01:20 :522005: <INFO> |authmgr| MAC=cc:08:e0:5e:2c:7b IP=192.168.129.3 User entry deleted: reason=essid change
    Dec 14 09:01:20 :522050: <INFO> |authmgr| MAC=cc:08:e0:5e:2c:7b,IP=N/A User data downloaded to datapath, new Role=authenticated/54, bw Contract=0/0,reason=Station resetting role
    Dec 14 09:01:20 :522042: <NOTI> |authmgr| User Authentication Failed: username=cc:08:e0:5e:2c:7b MAC=cc:08:e0:5e:2c:7b IP=0.0.0.0 auth method=MAC auth server=Internal
    Dec 14 09:01:22 :522026: <INFO> |authmgr| MAC=cc:08:e0:5e:2c:7b IP=192.168.129.3 User miss: ingress=0x1200, VLAN=666
    Dec 14 09:01:22 :522049: <INFO> |authmgr| MAC=cc:08:e0:5e:2c:7b,IP=0.0.0.0 User role updated, existing Role=WA-Test_role/none, new Role=WA-Test_role/WA-Test_role, reason=First IP user created
    Dec 14 09:01:22 :522006: <INFO> |authmgr| MAC=cc:08:e0:5e:2c:7b IP=192.168.129.3 User entry added: reason=Sibtye
    Dec 14 09:01:22 :522049: <INFO> |authmgr| MAC=cc:08:e0:5e:2c:7b,IP=192.168.129.3 User role updated, existing Role=WA-Test_role/WA-Test_role, new Role=WA-Test_role/WA-Test_role, reason=User not authenticated for inheriting attributes
    Dec 14 09:01:22 :522050: <INFO> |authmgr| MAC=cc:08:e0:5e:2c:7b,IP=192.168.129.3 User data downloaded to datapath, new Role=WA-Test_role/59, bw Contract=16385/16385,reason=New user IP processing


    I thought WPA2 PSK with MAC authentication is an AND statement, but it seems to behave as an OR statement. Is this correct, or do I really miss something?



  • 2.  RE: WPA2 with PSK authentication - what do I miss?!?!

    EMPLOYEE
    Posted Dec 14, 2012 05:01 AM

    Make sure that L2 Failthrough is not enabled on the AAA profile.




  • 3.  RE: WPA2 with PSK authentication - what do I miss?!?!

    Posted Dec 14, 2012 05:03 AM

    I already checked that option. The checkbox is NOT checked at the moment



  • 4.  RE: WPA2 with PSK authentication - what do I miss?!?!

    EMPLOYEE
    Posted Dec 14, 2012 05:07 AM

    Change the mac authentication profile to "N/A" and then publish the user log.



  • 5.  RE: WPA2 with PSK authentication - what do I miss?!?!

    Posted Dec 14, 2012 05:20 AM

    Could it be the option "Max Authentication failures 1" under the AAA authentication MAC profile? This value was 0 and I just changed it to 1.



  • 6.  RE: WPA2 with PSK authentication - what do I miss?!?!

    EMPLOYEE
    Posted Dec 14, 2012 05:40 AM

    That only says to blacklist a user if he has failed X number of times.  Please make sure that you delete the user from the user table before you try to reconnect, otherwise MAC authentication will not take place.




  • 7.  RE: WPA2 with PSK authentication - what do I miss?!?!

    Posted Dec 14, 2012 05:50 AM

    It seems to be the solution. When the MAC address isn't added in the database, the host is blacklisted. When I add the host and remove him from the blacklist, the host can authenticate to the SSID. I tried it with 5 different laptops and all give the same result.



  • 8.  RE: WPA2 with PSK authentication - what do I miss?!?!

    EMPLOYEE
    Posted Dec 14, 2012 05:56 AM

    Well,


    The client should not be able to connect, period, even without blacklisting, if you have a AAA profile attached.  Make sure you clear that client from the user table before every time you try.


    If that does not work, please open a TAC case.




  • 9.  RE: WPA2 with PSK authentication - what do I miss?!?!

    Posted Dec 14, 2012 06:32 AM

    I will do some more testing and otherwise I will create a support call. Thanks for the quick responses.



  • 10.  RE: WPA2 with PSK authentication - what do I miss?!?!
    Best Answer

    EMPLOYEE
    Posted Dec 14, 2012 06:41 AM

    You know what... I apologize.  I am mistaken.


    If a device passes PSK it gets put into the initial role of the AAA profile.  If it ALSO passes mac auth, then it gets elevated to the mac authentication role.


    If you want absolutely no device to get on unless the MAC authentication passes, you should make the initial role some type of "deny all".  Please try it.
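
    The role flow described in this answer, as an added ArubaOS CLI example that is not part of the original post. The weak profile is shown first, then the corrected one. Profile and role names (`WA-Test_aaa`, `WA-Test_macauth`, `WA-Test_deny`) are assumed; `WA-Test_role` and the client MAC come from the log in the question, and the server group `internal` is the built-in internal database referenced there.

    ```text
    ! Added example, constructed for this thread; names marked "assumed" are not from the original page.
    !
    ! --- Before: what the thread's log shows ---
    ! The AAA profile's initial-role is a permissive role. A client that passes the
    ! PSK lands in it immediately; MAC auth can then only elevate, never block.
    aaa profile "WA-Test_aaa"                  ! assumed name
       initial-role "WA-Test_role"             ! permissive -> PSK alone is enough (the OR behaviour)
       authentication-mac "WA-Test_macauth"    ! assumed name
       mac-server-group "internal"
       mac-default-role "authenticated"
    !
    ! --- After: initial role blocks everything until MAC auth succeeds ---
    ! Custom role that uses the predefined "denyall" session ACL.
    user-role "WA-Test_deny"                   ! assumed name
       access-list session denyall
    !
    aaa authentication mac "WA-Test_macauth"
       delimiter colon                         ! matches the colon-separated entry in the internal DB
       max-authentication-failures 0           ! 0 = never blacklist on failure (blacklisting is a separate concern)
    !
    aaa profile "WA-Test_aaa"
       initial-role "WA-Test_deny"             ! PSK only gets you a deny-all role
       authentication-mac "WA-Test_macauth"
       mac-server-group "internal"
       mac-default-role "WA-Test_role"         ! PSK AND MAC auth -> the working role
       no l2-auth-fail-through                 ! keep fail-through off, as checked in reply 3
    !
    ! Internal DB entry: for MAC auth the controller presents the MAC as both username and password.
    local-userdb add username cc:08:e0:5e:2c:7b password cc:08:e0:5e:2c:7b
    !
    ! --- Re-test: clear the stale user entry first (reply 6), then reconnect and inspect ---
    aaa user delete mac cc:08:e0:5e:2c:7b
    show user mac cc:08:e0:5e:2c:7b
    show auth-tracebuf mac cc:08:e0:5e:2c:7b
    ```

    With the corrected profile, an unlisted MAC still completes the 4-way handshake (the PSK is shared, so that cannot be prevented) but stays in `WA-Test_deny` with no datapath access; only a MAC present in the internal database moves to `WA-Test_role`. Note that MAC authentication is a weak second factor: a client can spoof a MAC it has observed on the air, so this gate raises the bar but is no substitute for 802.1X where that is an option.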




  • 11.  RE: WPA2 with PSK authentication - what do I miss?!?!

    Posted Dec 14, 2012 08:01 AM

    Nice!!! It works!!