How initial roles work, and the L2 fallthrough for different types of authentication, may be confusing the first time. That's also why it's covered in the official trainings. Easiest would be to work with your partner or Aruba Support, as when you try to make it work but don't exactly understand how it works, you may end up with an insecure configuration. It looks like the MAC address is not authenticated at all, and that would be the first thing to find out. It can be the format of the MAC address (delimiter), or that the password is not the same as the username, or that the internal database is not even queried.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: May 25, 2023 09:11 AM
From: mshamseddine@connectit.ae
Subject: MAC authentication not working properly - 9240 Gateway version 8.10.06
Hello Team,
I'm running into an issue with a MAC authentication-enabled SSID. We have an Aruba 9240 gateway running 8.10.0.6 software.
All clients' MAC addresses are added to the local DB and should be assigned the guest role after authentication, and deny all before. This scenario is working properly for some users, who are able to connect, but not for other users: the client is not able to connect although his MAC address is added to the DB. From the GUI dashboard, the client is always stuck on the denyall role. I tried blacklisting the user then whitelisting him again, also tried removing his MAC then re-adding it, and lastly I reconfigured the AAA profile for this SSID and in the initial role I changed from denyall to authenticated role just for a test, but still when the client connects the controller is assigning him a denyall role, as if this is cached somewhere. Any advice on this? It is happening to several devices, not just one...
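
An added example, not part of either post and not Aruba code: an offline check of the first two causes named in the reply (MAC format or delimiter, and password not equal to username) against an exported list of database entries. The delimiter and case options, the exact-match lookup, and the sample entries are assumptions made for illustration.

```python
import re

# Delimiter and case styles modelled here are assumptions for illustration;
# use whatever your MAC authentication profile is actually configured with.
DELIMITERS = {"none": "", "colon": ":", "dash": "-"}


def normalize(mac):
    """Return the 12 hex digits of a MAC in lowercase, or raise ValueError."""
    digits = re.sub(r"[:.\-\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def render(mac, delimiter="none", case="lower"):
    """Format a MAC the way the authentication profile would submit it."""
    h = normalize(mac)
    text = DELIMITERS[delimiter].join(h[i:i + 2] for i in range(0, 12, 2))
    return text.upper() if case == "upper" else text


def diagnose(client_mac, db_entries, delimiter="none", case="lower"):
    """Compare one client against (username, password) database entries.

    Assumes the lookup is an exact string match and that the password
    must equal the username, as the reply describes.
    """
    expected = render(client_mac, delimiter, case)
    target = normalize(client_mac)
    for username, password in db_entries:
        try:
            if normalize(username) != target:
                continue
        except ValueError:
            continue  # non-MAC account, e.g. a named guest user
        if username != expected:
            return "format-mismatch", expected
        if password != expected:
            return "password-mismatch", expected
        return "ok", expected
    return "not-in-db", expected


# Constructed sample entries, not taken from the thread.
SAMPLE_DB = [
    ("AA:BB:CC:00:11:22", "AA:BB:CC:00:11:22"),
    ("aabbcc001133", "changeme"),
    ("aabbcc001144", "aabbcc001144"),
    ("guest1", "guest1"),
]
```

A result of `ok` for a client that still lands in the initial role points at the third cause in the reply, the internal database not being queried at all.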