I've got a guest network that I connect my handset (Droid Bionic) to via MAC authentication. This has happened with other handsets, iPod Touches and iPads. I've even seen it happen with Windows machines (although these authenticate through the captive portal rather than MAC auth). Sometimes clients work great, sometimes not. When not, I'll see e.g. my Droid try to associate with the guest network, get to 'obtaining IP address'; then it fails and tries again. This will continue until I do the following:
I log into the controller (6000) and do a
(6000-2) #show user
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- -------
10.167.224.208 98:4b:4a:53:d2:3a 98:4b:4a:53:d2:3a natickssc-open-guest-role 00:00:05 MAC 1.1.10 Associated NatickSSC-Guest/00:0b:86:ac:87:90/g natickssc-guest-aaa-profile
172.16.1.31 44:2a:60:a3:62:e7 44:2a:60:a3:62:e7 natickssc-open-guest-role 00:01:06 MAC 1.1.10 Associated NatickSSC-Guest/00:0b:86:ac:87:90/g natickssc-guest-aaa-profile
172.16.1.66 98:4b:4a:53:d2:3a 98:4b:4a:53:d2:3a natickssc-open-guest-role 00:00:06 MAC 1.1.10 Associated NatickSSC-Guest/00:0b:86:ac:87:90/g natickssc-guest-aaa-profile
172.16.1.124 18:e7:f4:19:31:aa 18:e7:f4:19:31:aa natickssc-open-guest-role 00:01:57 MAC 1.1.10 Associated NatickSSC-Guest/00:0b:86:ac:87:90/g natickssc-guest-aaa-profile
172.16.1.182 00:26:ba:43:28:d0 00:26:ba:43:28:d0 natickssc-open-guest-role 00:01:57 MAC 1.1.10 Associated NatickSSC-Guest/00:0b:86:ac:87:90/g natickssc-guest-aaa-profile
User Entries: 5/5
(6000-2) #
You can see there are two entries for 98:4b:4a:53:d2:3a. One has a valid address (172.16), whereas the other, while a valid private IP (10.167), is not in an IP range we use.
If I do a
(6000-2) #aaa user delete mac 98:4b:4a:53:d2:3a
2 users deleted
(6000-2) #
Now my phone will connect correctly again. I'm not sure what's causing the second entry to show up. It may be occurring when my handset swaps from one AP to another.
Is there a way to make the user database allow only ONE entry per MAC?
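The manual check described in the post (reading `show user` and spotting a MAC listed twice, once with an address outside the guest range) can be scripted. This is an added example, not part of the original post and not Aruba's own tooling; the 172.16.0.0/16 guest range and the function names are assumptions, and the sample rows are copied from the output above.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the guest range is 172.16.0.0/16; the post only says "172.16".
GUEST_NET = ipaddress.ip_network("172.16.0.0/16")

# Sample input: prompt, header and data rows as they appear in the post.
SAMPLE = """\
(6000-2) #show user
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile
---------- ------------ ------ ---- ---------- ---- -------- ------- -------
10.167.224.208 98:4b:4a:53:d2:3a 98:4b:4a:53:d2:3a natickssc-open-guest-role 00:00:05 MAC 1.1.10 Associated
172.16.1.31 44:2a:60:a3:62:e7 44:2a:60:a3:62:e7 natickssc-open-guest-role 00:01:06 MAC 1.1.10 Associated
172.16.1.66 98:4b:4a:53:d2:3a 98:4b:4a:53:d2:3a natickssc-open-guest-role 00:00:06 MAC 1.1.10 Associated
172.16.1.124 18:e7:f4:19:31:aa 18:e7:f4:19:31:aa natickssc-open-guest-role 00:01:57 MAC 1.1.10 Associated
172.16.1.182 00:26:ba:43:28:d0 00:26:ba:43:28:d0 natickssc-open-guest-role 00:01:57 MAC 1.1.10 Associated
User Entries: 5/5
"""

# A data row starts with an IPv4 address followed by a colon-separated MAC.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)

def parse_user_table(text):
    """Return {mac: [ip, ...]}; prompts, headers and separators are skipped."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # e.g. an octet above 255 in damaged output
            continue
        table[m.group(2).lower()].append(ip)
    return dict(table)

def find_suspect_entries(text, guest_net=GUEST_NET):
    """Flag MACs with more than one user entry or an IP outside guest_net."""
    findings = {}
    for mac, ips in parse_user_table(text).items():
        stray = [ip for ip in ips if ip not in guest_net]
        if len(ips) > 1 or stray:
            findings[mac] = {"ips": [str(i) for i in ips],
                             "out_of_range": [str(i) for i in stray]}
    return findings

if __name__ == "__main__":
    for mac, info in find_suspect_entries(SAMPLE).items():
        print(mac, info)
```

Each MAC it reports is a candidate for the `aaa user delete mac` step shown in the post.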