Hi, from the description there could be a lot of reasons why you are seeing failing MAC Auth. You can narrow down the reason if you work out whether some Wi-Fi users are auth'd and not others. On our 5130 we set a max, which protects against problems we've seen during user-induced loops. However, with nothing set the max should be very high. Setting a max of 2000 for a test would rule that out, but I can't imagine it being an issue. On old ProCurve the default was a low number, but not 5130.
Using dis mac-authentication int g1/0/1 gives good clues, in particular the authentication attempts. A high failed figure suggests an auth server problem but also suggests an attempt to auth has happened. Example output is below, from a happy edge port with no max set.
Double check traffic is sent to the port untagged.
GigabitEthernet1/0/1 is link-up
MAC authentication : Enabled
Carry User-IP : Disabled
Authentication domain : mac_domain
Auth-delay timer : Disabled
Periodic reauth : Disabled
Re-auth server-unreachable : Logoff
Guest VLAN : 3721
Guest VLAN reauthentication : Enabled
Guest VLAN auth-period : 30 s
Critical VLAN : 3721
Critical voice VLAN : Disabled
Host mode : Single VLAN
Offline detection : Disabled
Authentication order : Default
User aging : Enabled
Server-recovery online-user-sync : Disabled
Auto-tag feature : Disabled
VLAN tag configuration ignoring : Disabled
Max online users : 4294967295
Authentication attempts : successful 3754, failed 0
Current online users : 1
MAC address Auth state
c442-680a-cf3a Authenticated
Original Message:
Sent: Aug 31, 2022 05:55 AM
From: jrwhitehead
Subject: MAC auth on AP port blocking clients
Hi All,
Switch 5130 (R3208P12)
I've got MAC auth and 802.1X configured on my Comware switch with ClearPass being the Auth server. We have Aruba IAP with authentication configured on the switchports they're patched into.
The issue is I'm seeing Wi-Fi clients connected to the APs failing MAC auth. We have no client limit set in the MAC auth config.
Is this the expected behavior? Do I need to explicitly set a client limit?
Cheers
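The triage described in the reply can be scripted against the per-port output. The following is an added example, not code from either poster or from the switch vendor: it parses the fields shown above and applies the reply's reasoning. The function names, the 20% failure threshold, and the "zero attempts points to tagging" hint are assumptions made for illustration.

```python
import re

# Constructed sample: a subset of the fields shown in the reply's output.
SAMPLE = """\
GigabitEthernet1/0/1 is link-up
MAC authentication : Enabled
Max online users : 4294967295
Authentication attempts : successful 3754, failed 0
Current online users : 1
MAC address Auth state
c442-680a-cf3a Authenticated
"""

MAC_RE = re.compile(r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(.+)$", re.I)
ATTEMPTS_RE = re.compile(r"successful\s+(\d+),\s*failed\s+(\d+)")

def parse_mac_auth(text):
    """Split per-port output into 'key : value' fields and a MAC -> state map."""
    port = {"fields": {}, "users": {}}
    for line in text.splitlines():
        line = line.strip()
        m = MAC_RE.match(line)
        if m:
            port["users"][m.group(1).lower()] = m.group(2).strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            port["fields"][key.strip()] = value.strip()
    return port

def triage(port, fail_ratio=0.2):
    """Return hints following the reply's reasoning; fail_ratio is an assumption."""
    f = port["fields"]
    hints = []
    if f.get("MAC authentication") != "Enabled":
        hints.append("MAC authentication not enabled on port")
    m = ATTEMPTS_RE.search(f.get("Authentication attempts", ""))
    ok, failed = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    if ok + failed == 0:
        # Assumption: no attempts at all means frames never trigger MAC auth.
        hints.append("no auth attempts: check traffic reaches the port untagged")
    elif failed / (ok + failed) >= fail_ratio:
        hints.append("high failed count: attempts are happening, check auth server")
    online = int(f.get("Current online users", 0))
    limit = int(f.get("Max online users", 0))
    if limit and online >= limit:
        hints.append("online users at configured max")
    return hints

if __name__ == "__main__":
    print(triage(parse_mac_auth(SAMPLE)) or "no issues flagged")
```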