I/G/C/B/A-Series f/w Firstarrival MacLocking can Fail with some Auth settings

  • 0
  • 1
  • Article
  • Updated 5 years ago
  • (Edited)
Article ID: 14980 

I-Series, firmware through
G-Series, firmware through
C5-Series; firmware through, through
C3-Series, firmware through
B5-Series; firmware through, through
B3-Series, firmware through
A4-Series; firmware through, through 

Set up one or more ports for MAC Locking of the first MAC seen ("maclock firstarrival 1"), EAPOL for assumed authentication ("eapol auth-mode forced-auth"), and single-user pass-or-fail authentication ("multiauth mode strict")(10283). 

For example: 
set dot1x enable
set eapol enable
set eapol auth-mode forced-auth ge.1.1

set maclock enable
set maclock firstarrival ge.1.1 1
set maclock enable ge.1.1

set multiauth mode strict
Maclocked clients never connect to the network.
While a client is trying to connect, error message "Maca system disabled" is syslogged ('show support'); for example:
<167>Feb 6 15:09:25 MACA[121516080]: maca_api.c(289) 539 %
Maca system disabled
Upgrade to 6.61 firmware or higher. 
Release notes state, in the 'Changes and Enhancements in' section:
18194    Corrected the inability to access the network from a port in "force-auth" state, with multiauth mode set to strict, and maclocking firstarrival set to 1.

Also fixed as of C5/B5/A4-Series firmware (though not stated in release notes).

Pre-upgrade workaround: Change multiauth from strict mode to multi mode (12499), or enable maclock static and set maclock firstarrival 2 or greater.
Photo of FAQ User

FAQ User, Official Rep

  • 13,620 Points 10k badge 2x thumb

Posted 5 years ago

  • 0
  • 1

There are no replies.

This conversation is no longer open for comments or replies.