Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

"Ghost" Mac address

  • 1.  "Ghost" Mac address

    Posted Jul 29, 2014 04:37 AM

    I am seeing a strange behaviour with an AP in bridge mode connected to a switch in trunk mode.

    I have an SSID with dot1x authentication, and when a client connects to this SSID with the wrong cert (it fails authentication) I see his MAC appearing in the switch MAC table on the native VLAN of the switch-AP trunk.

    I am going to capture the traffic to see what is sent, but would like to know if this is an expected (in my view, strange) behaviour.




  • 2.  RE: "Ghost" Mac address

    Posted Jul 29, 2014 05:43 AM

    802.1x authentications take place over the native VLAN. Once authenticated, devices are then placed into their required VLANs and then obtain an IP address. This is expected behaviour.



  • 3.  RE: "Ghost" Mac address

    Posted Jul 29, 2014 10:06 AM

    Sorry for the late info, but the AP is not in IAP but in "Campus mode", so I think the 802.1x is done from the controller (I guess it is sent inside the GRE from the AP to the controller).

    The behaviour is strange because I am seeing the MAC in my campus switch even if the client fails the auth.

    And I can see a scenario in which a rogue client (with an invalid cert) with a simple script doing MAC spoofing and then trying to connect n times to the SSID could theoretically fill the MAC table of the switch...



  • 4.  RE: "Ghost" Mac address

    Posted Jul 29, 2014 10:12 AM

    If you are using bridge mode then I guess the MAC will be seen at the switchport that the AP is connected to. It should only exit from the controller if you are using tunnel mode.



  • 5.  RE: "Ghost" Mac address

    Posted Jul 29, 2014 11:14 AM

    A MAC from a client that fails authentication will be bridged in the native VLAN of the trunk? I find it hard to see why this should be happening; I "think" that if it fails authentication then no frame should be bridged between the wireless and the wired world.

    Going to have to do the capture and see what is inside the frame.



  • 6.  RE: "Ghost" Mac address

    Posted Jul 30, 2014 12:32 PM

    After doing a capture, what I see is a gratuitous ARP in the native VLAN with the MAC of the client, so I guess the AP is bridging this type of packet even for a client that fails authentication.


    [attachment: gratARP.png]
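As an added example (not part of this thread, and not HPE Aruba code), the following script shows how the finding above can be checked on a wired capture: it decodes raw Ethernet frames, spots gratuitous ARPs (sender IP equals target IP) and reports those that arrived untagged, i.e. the MACs the switch would learn on the trunk's native VLAN. The MAC, IP and VLAN values in the sample frames are constructed for the demo; `build_arp` only exists to produce them.

```python
import struct
from typing import NamedTuple, Optional

ETH_VLAN, ETH_ARP = 0x8100, 0x0806

class ArpEvent(NamedTuple):
    vlan: Optional[int]      # None = untagged, i.e. the trunk's native VLAN
    sender_mac: str
    sender_ip: str
    target_ip: str
    gratuitous: bool

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_arp(frame: bytes) -> Optional[ArpEvent]:
    """Decode one Ethernet frame; return an ArpEvent if it carries ARP, else None."""
    _dst, _src, etype = struct.unpack_from("!6s6sH", frame, 0)
    off, vlan = 14, None
    if etype == ETH_VLAN:                       # 802.1Q tag present: read the VLAN ID
        tci, etype = struct.unpack_from("!HH", frame, off)
        vlan, off = tci & 0x0FFF, off + 4
    if etype != ETH_ARP or len(frame) < off + 28:
        return None
    # skip htype/ptype/hlen/plen (6 bytes), then opcode, sender MAC/IP, target MAC/IP
    op, sha, spa, _tha, tpa = struct.unpack_from("!6xH6s4s6s4s", frame, off)
    # Gratuitous ARP: the sender announces its own address (sender IP == target IP)
    return ArpEvent(vlan, _mac(sha), _ip(spa), _ip(tpa), spa == tpa)

def native_vlan_ghosts(frames) -> list:
    """Gratuitous ARPs seen untagged: the 'ghost' MACs the switch learns on the native VLAN."""
    return [e for e in map(parse_arp, frames) if e and e.gratuitous and e.vlan is None]

def build_arp(src_mac: bytes, spa: bytes, tpa: bytes, op: int = 1, vlan: Optional[int] = None) -> bytes:
    """Constructed test frame (not from a real capture): broadcast ARP, optional 802.1Q tag."""
    tag = struct.pack("!HH", vlan, ETH_ARP) if vlan is not None else b""
    outer = ETH_VLAN if vlan is not None else ETH_ARP
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, src_mac, spa, b"\x00" * 6, tpa)
    return b"\xff" * 6 + src_mac + struct.pack("!H", outer) + tag + arp

# Constructed sample (assumed values): a failed client's gratuitous ARP leaks untagged,
# while an ordinary ARP request from an authenticated client rides tagged VLAN 20.
SAMPLE_FRAMES = [
    build_arp(bytes.fromhex("0200000000aa"), bytes([10, 0, 0, 50]), bytes([10, 0, 0, 50])),
    build_arp(bytes.fromhex("0200000000bb"), bytes([10, 0, 20, 7]), bytes([10, 0, 20, 1]), vlan=20),
]

if __name__ == "__main__":
    for ev in native_vlan_ghosts(SAMPLE_FRAMES):
        print(f"ghost MAC on native VLAN: {ev.sender_mac} announcing {ev.sender_ip}")
```

Counting distinct `sender_mac` values returned by `native_vlan_ghosts` over a capture window is a simple way to spot the MAC-table pressure the thread worries about.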