Hi Colin,
I'm having a similar issue. I have EAP-TLS deployed for my 802.1x SSID, but the customer would like to allow a handful of devices that are unable to complete EAP-TLS to authenticate via MAC address.
I created both the MAC auth profile and the MAC auth server group and applied them to my AAA profile, added the client's MAC address to the internal DB, and enabled L2 auth fail-through.
When I try to connect with the client and fail EAP-TLS, it appears that MAC auth is not even attempted. I ran the 'show auth-tracebuf' command and it shows the client only attempts 802.1x; I see "server rejected" from my RADIUS server and nothing else. For troubleshooting, I removed the 802.1x auth profile and the 802.1x server group. 'show auth-tracebuf' displayed 'dot1x disabled' and MAC auth never completed.
Unfortunately I don't have debugs, configs, or logs since this was done at a customer site. I will be returning to the customer and was hoping to have this squared away. I tested in my lab (using EAP-PEAP instead of TLS as my 802.1x auth) and experienced the same results.
Any ideas?
Just for clarification I am not doing anything with User-Derivation rules.
Thanks in advance,
Scott
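For reference, here is an added ArubaOS CLI example of the configuration the post describes (MAC auth profile, internal-DB server group, both attached to an AAA profile alongside 802.1x, with L2 auth fail-through). It is not Scott's configuration and no config from the thread is available; all profile and group names, the MAC address and the assumption that the 802.1x profile "eap-tls-dot1x" and RADIUS server group "radius-sg" already exist are illustrative. On ArubaOS, when both MAC auth and 802.1x are enabled on one AAA profile, MAC authentication runs first (at association) and l2-auth-fail-through allows a client that fails MAC auth to continue to 802.1x, so the order in 'show auth-tracebuf' is worth checking against that.

```text
! Example only (not from the original post). Names and MAC are assumed.
! MAC auth profile: controls how the client MAC is formatted for the user lookup
aaa authentication mac "mac-auth-profile"
   delimiter none
   case lower
!
! Server group that points MAC auth at the controller's internal database
aaa server-group "internal-sg"
   auth-server Internal
!
! Internal DB entry: username/password must match the delimiter/case above
local-userdb add username 001122334455 password 001122334455
!
! AAA profile with MAC auth and 802.1x (assumes "eap-tls-dot1x" and "radius-sg" exist)
aaa profile "corp-aaa"
   authentication-mac "mac-auth-profile"
   mac-server-group "internal-sg"
   authentication-dot1x "eap-tls-dot1x"
   dot1x-server-group "radius-sg"
   l2-auth-fail-through
!
! Verification while the client associates
show auth-tracebuf mac 00:11:22:33:44:55
show user-table
```

If the internal DB entry uses a different delimiter or case from the MAC auth profile, the lookup fails even though the address is "in" the database; the trace buffer shows the exact string the controller searched for.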