Hi everyone,
This is likely a small checkmark or similar setting that I have overlooked, but I need a sanity check :D
I am trying to get the wired ports of an AP605H working properly. Currently, 802.1X authentication works, but not all devices we want to connect support 802.1X, so we need MAC Authentication as well.
So, I have created an AAA profile:
show aaa profile RAP-Wired-Port
AAA Profile "RAP-Wired-Port"
----------------------------
Parameter Value
--------- -----
Initial role logon
MAC Authentication Profile <redacted>-dash-lower
MAC Authentication Default Role authenticated
MAC Authentication Server Group Clearpass
802.1X Authentication Profile <redacted>
802.1X Authentication Default Role authenticated
802.1X Authentication Server Group Clearpass-Servers
Download Role from CPPM Disabled
Set username from dhcp option 12 Disabled
L2 Authentication Fail Through Disabled
Multiple Server Accounting Disabled
User idle timeout N/A
Max IPv4 for wireless user 2
RADIUS Accounting Server Group Clearpass
RADIUS Roaming Accounting Disabled
RADIUS Interim Accounting Disabled
RADIUS Acct-Session-Id In Access-Request Disabled
Station-based RADIUS Accounting Session for Wireless Disabled
XML API server N/A
RFC 3576 server <Clearpass IP>
RFC 3576 server <Secondary Clearpass IP>
User derivation rules N/A
Wired to Wireless Roaming Enabled
Reauthenticate wired user on VLAN change Disabled
Device Type Classification Enabled
Enforce DHCP Disabled
PAN Firewall Integration Disabled
Open SSID radius accounting Disabled
Apply ageout mechanism on bridge mode wireless clients Disabled
Diffie-Hellman Groups Supported for EnhancedOpen 19
Denylist client when Security-Context-Override attack Disabled
Include Location-Object In Access-Request Disabled
Include Location-Object In Accounting-Request Disabled
I am re-using working Dot1x and MAC Authentication profiles.
Dot1x authentication on the wired ports works.
Both MAC and Dot1x Authentication (on different SSIDs) work on the RAP.
MAC Authentication on the wired ports does not work.
I see the requests hitting clearpass. Clearpass answers properly and sends the VLAN information.
The VLAN was triple-checked, it exists everywhere.
The client does not appear in the client list of the controller.
In the logs of the controller, I see this for the MAC address of the client:
Apr 22 13:54:27 2025 authmgr[5361]: <522310> <5361> <ERRS> |authmgr| auth_send_supplicant_up_to_dot1x mkeys not set for user mac aa:bb:cc:dd:ee:ff
Apr 22 13:54:27 2025 dot1x-proc:1[5840]: <522310> <5840> <ERRS> |dot1x-proc:1| new_dot1x_user_from_auth_msg mkeys not set for client mac aa:bb:cc:dd:ee:ff
This repeats every time the link changes and coincides with the successful authentication messages on ClearPass.
I am a bit stumped to be honest.
Can someone point me in the proper direction where to look next to troubleshoot this issue?