Hello,
We have some wireless printers that authenticate via MAC address but are not receiving the proper roles, which I believe is causing them to constantly re-authenticate. They have been added to the local-userdb, and even if I attempt to manually add them with the proper role to the user-table, they still show as having a different role.
Here is an example:
7.18.3.40 00:02:78:21:ff:1b 00:02:78:21:FF:1B NASCA_Scanner 00:18:35 MAC US-MWN01-WAP007 Wireless gv-wlan-01/00:0b:86:0b:b0:a0/g gv-wlan-01-AAA
7.18.3.47 00:02:78:21:ff:11 00:02:78:21:FF:11 NASCA_Scanner 21:00:02 MAC US-MWN01-WAP018 Wireless gv-wlan-01/00:0b:86:0b:9d:60/g gv-wlan-01-AAA
7.18.3.67 00:1b:78:f7:2e:5a NASCA_Scanner_Logon 00:00:04 US-MWN01-WAP014 Wireless gv-wlan-01/00:0b:86:0b:a6:e0/g gv-wlan-01-AAA
7.18.3.65 00:1b:78:f7:2e:7f NASCA_Scanner_Logon 00:00:03 US-MWN01-WAP018 Wireless gv-wlan-01/00:0b:86:0b:9d:60/g gv-wlan-01-AAA
The first two devices have the proper role designation, which is NASCA_Scanner. The last two are not assigned the correct role which is the NASCA_Scanner_Logon. Initially, the devices land in the NASCA_Scanner_Logon role but should change to NASCA_Scanner after authentication. All the other devices function correctly, but there are about 5-6 that will not change the role association. Nothing has changed from a configuration perspective aside from adding the devices to the local-userdb.
Here is the AAA profile designated:
aaa profile "gv-wlan-01-AAA"
    initial-role "NASCA_Scanner_Logon"
    authentication-mac "gv-wlan-01-MAC"
    mac-default-role "NASCA_Scanner_Logon"
    mac-server-group "internal"
    authentication-dot1x "gv-wlan-01-PSK"
Here is the user-role for NASCA_Scanner_Logon:
user-role NASCA_Scanner_Logon
    vlan 39
    session-acl gv-dhcp-acl
Here is the user-role for NASCA_Scanner:
user-role NASCA_Scanner
    vlan 39
    session-acl gv-dhcp-acl
    session-acl gv-dns-acl
    session-acl icmp-acl
    session-acl gv-citrix-NASCA-acl
    session-acl gv-citrix-NASCA-Farm-acl
    session-acl NASCA-Cirtix-Website
    session-acl gv-NASCA-Printing
    session-acl TEST-NASCA-LAPTOP
    session-acl allowall
Thank you!
Jason
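An added example, not part of the original post: a small Python check that parses user-table rows like the ones above and lists clients still sitting in the profile's initial-role with no authentication method recorded. The column layout (IP, MAC, optional Name, Role, Age, optional Auth, AP, Roaming, ESSID/BSSID/PHY, Profile) is an assumption inferred from the pasted rows, and the function names are hypothetical.

```python
import re

# Rows copied from the post's listing; the column headers were not posted.
USER_TABLE = """\
7.18.3.40 00:02:78:21:ff:1b 00:02:78:21:FF:1B NASCA_Scanner 00:18:35 MAC US-MWN01-WAP007 Wireless gv-wlan-01/00:0b:86:0b:b0:a0/g gv-wlan-01-AAA
7.18.3.47 00:02:78:21:ff:11 00:02:78:21:FF:11 NASCA_Scanner 21:00:02 MAC US-MWN01-WAP018 Wireless gv-wlan-01/00:0b:86:0b:9d:60/g gv-wlan-01-AAA
7.18.3.67 00:1b:78:f7:2e:5a NASCA_Scanner_Logon 00:00:04 US-MWN01-WAP014 Wireless gv-wlan-01/00:0b:86:0b:a6:e0/g gv-wlan-01-AAA
7.18.3.65 00:1b:78:f7:2e:7f NASCA_Scanner_Logon 00:00:03 US-MWN01-WAP018 Wireless gv-wlan-01/00:0b:86:0b:9d:60/g gv-wlan-01-AAA
"""
# Part of the AAA profile as posted.
AAA_PROFILE = """\
aaa profile "gv-wlan-01-AAA"
    initial-role "NASCA_Scanner_Logon"
    authentication-mac "gv-wlan-01-MAC"
    mac-default-role "NASCA_Scanner_Logon"
"""
AGE = re.compile(r"\d+:\d{2}:\d{2}")  # three groups, so a six-group MAC never matches

def profile_setting(profile_text, key):
    """Return the quoted value of one setting line in an aaa profile block."""
    m = re.search(rf'^\s*{re.escape(key)}\s+"([^"]+)"', profile_text, re.M)
    return m.group(1) if m else None

def parse_row(line):
    """Split one row, using the Age token as the anchor (assumed layout)."""
    tok = line.split()
    age_i = next(i for i, t in enumerate(tok) if AGE.fullmatch(t))
    before, after = tok[:age_i], tok[age_i + 1:]
    return {
        "ip": tok[0], "mac": tok[1],
        "name": before[2] if len(before) == 4 else None,  # Name column is empty on some rows
        "role": before[-1],
        "age": tok[age_i],
        "auth": after[0] if len(after) == 5 else None,    # Auth column is empty on some rows
        "ap": after[-4],
        "profile": after[-1],
    }

def stuck_in_initial_role(table_text, profile_text):
    """Rows whose role is still the profile's initial-role and that show no auth method."""
    initial = profile_setting(profile_text, "initial-role")
    rows = [parse_row(l) for l in table_text.splitlines() if l.strip()]
    return [r for r in rows if r["role"] == initial and r["auth"] is None]

if __name__ == "__main__":
    for r in stuck_in_initial_role(USER_TABLE, AAA_PROFILE):
        print(f'{r["mac"]} on {r["ap"]}: role {r["role"]}, age {r["age"]}, no auth method recorded')
```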