If you check on the AAA profile (show advanced; then on the WLAN -> Profiles -> AAA), if you set the initial profile to denyall (you may need to create one that drops all traffic) and/or you disable L2 authentication fail through, your clients should unable to send any traffic (denyall) or are even rejected when they try to connect (L2 Auth Fail Thru):
I would do both... Note that in the screenshot the MAC Auth Default Role is also set to Denyall, which assumes that a role is assigned by the authentication server to override that denyall. If you use the internal database, I think there is always a role assigned and it does not matter to what value you set that default role.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Dec 05, 2022 01:57 AM
From: Atul Gadre
Subject: MAC Auth SSID ISSUE
Dear All,
on our controller 7210 we have one ssid profile which is mac based authentication profile, and the issue is this whenever user tried to connect this ssid with password it and the MAC is already registered on controller it gets an ip address but the internet is working,
but when the mac address is not registered on the controller still the end device gets an ip address and internet is not working which is fine,
my requirement is that end user should not get ip as well is the mac is not registered in the controller.
Anyone with the solution kindly hep us to resolved this issue.
Regards,