
Mac-auth Wireless


I have the following setup that I need help with, please.

I have a (wired) mac-auth service running that does the following:

It profiles end devices such as an AP. After the AP is profiled:

- A RADIUS reply with an HPE user-role is sent to the switch that has a matching local user role

- Within the user role I have specified the tagged and untagged VLANs needed for the Wi-Fi traffic and AP

Works well


The Wi-Fi is done via Aruba Central, including VLAN and roles for Wi-Fi users (Mac-Auth for Guests)

Works well



When I connect via the SSID through the 802.1x Mac-Auth port, the wireless NIC of the end device also gets MAC authenticated and gets put into a user-role on the switch that prevents internet access.


Is there a way to only allow the wired NIC to get authenticated, and not the end device's wireless NIC, on that specific port on the switch where the AP is connected?


Thank you

Re: Mac-auth Wireless

Your wireless client will be assigned a role in ClearPass when it's authenticated. Let's call this role CPPM_WIRELESS_AUTH_ROLE.


In your wired 802.1X service enforcement tab, you could select the "Use cached Roles and Posture attributes from previous sessions" option which would allow you to use the CPPM_WIRELESS_AUTH_ROLE role to apply enforcement.


For example, you could have an enforcement condition in your wired 802.1X service enforcement policy like the following:



ACCX #540 | ACMX #353 | ACDX #216 | AMFX #11
