@kdisc98 wrote:
Did you change something under AAA-Advanced?
Please re-configure it to the default settings:
http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-show-aaa-timers/td-p/900
http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/aaa-timers/td-p/7417
In Aruba OS UG 6.1, page 323.
There is a command in the AAA-profile called l2-auth-fail-through;
"Use l2-auth-fail-through command to perform mixed authentication which includes both MAC and 802.1x authentication. When MAC authentication fails, enable the l2-auth-fail-through command to perform 802.1x authentication."
Also - why is your 802.1x role set to denyall?
More reading here (might be helpful):
http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Mac-Authentication-Problem/td-p/136911
My AAA numbers match exactly what you have in the screenshot.
In regards to setting up l2-auth-fail-through, I do not want users to be able to authenticate 802.1x if MAC authentication fails. A client machine needs to pass BOTH tests in order to get DHCP. Either way, I don't believe that option is available in ArubaOS 5.0.
"Also - why is your 802.1x role set to denyall?"
I had it set to logon yesterday when nothing was working, so I tried setting it to denyall to see if that changed anything, but the same symptoms remain.
I came across someone mentioning they had DHCP problems when the initial role was set to denyall. To test this, I took off the MAC authentication profile, left the initial role as denyall and set the 802.1x role to logon. With this config, I get the same DHCP issue. If I set the initial role to logon, everything works as expected.
If I want to implement the MAC authentication list, then leaving the initial role as logon does not work. It will let clients through after only passing 802.1x authentication.