I/G/C/B/A-Series f/w 6.61.08.0013 Firstarrival MacLocking can Fail with some Auth settings

  • Updated 5 years ago
Article ID: 14980 

Products
I-Series, firmware 6.42.09.0005 through 6.61.08.0013
G-Series, firmware 6.42.09.0005 through 6.61.08.0013
C5-Series; firmware 6.42.09.0005 through 6.61.08.0013, 6.71.01.0067 through 6.71.02.0008
C3-Series, firmware 6.42.09.0005 through 6.61.08.0013
B5-Series; firmware 6.42.09.0005 through 6.61.08.0013, 6.71.01.0067 through 6.71.02.0008
B3-Series, firmware 6.42.09.0005 through 6.61.08.0013
A4-Series; firmware 6.61.02.0007 through 6.61.08.0013, 6.71.01.0067 through 6.71.02.0008 

Changes
Set up one or more ports for MAC Locking of the first MAC seen ("maclock firstarrival 1"), EAPOL for assumed authentication ("eapol auth-mode forced-auth"), and single-user pass-or-fail authentication ("multiauth mode strict") (10283).

For example: 
#eapol
set dot1x enable
set eapol enable
set eapol auth-mode forced-auth ge.1.1
!

#maclock
set maclock enable
set maclock firstarrival ge.1.1 1
set maclock enable ge.1.1
!

#multiauth
set multiauth mode strict
!

Symptoms
Maclocked clients never connect to the network.
While a client is trying to connect, the error message "Maca system disabled" is written to syslog (visible in 'show support'); for example:
<167>Feb 6 15:09:25 10.26.1.92-1 MACA[121516080]: maca_api.c(289) 539 % Maca system disabled

Solution/Workaround
Upgrade to 6.61 firmware 6.61.09.0012 or higher. 
Release notes state, in the 'Changes and Enhancements in 6.61.09.0012' section:
18194    Corrected the inability to access the network from a port in "force-auth" state, with multiauth mode set to strict, and maclocking firstarrival set to 1.

Also fixed as of C5/B5/A4-Series firmware 6.71.03.0025 (though not stated in release notes).

Pre-upgrade workaround: Change multiauth from strict mode to multi mode (12499), or enable maclock static and set maclock firstarrival 2 or greater.
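
To find ports that match the failing combination before upgrading, the following audit script can be run over a saved configuration and a syslog capture. It is an added example, not vendor code. It assumes the configuration is available as plain text in the "set ..." form shown above, that port strings are compared literally (no range or wildcard expansion), and that only explicitly configured lines count; the ge.1.2 port in the sample is constructed.

```python
import re

# Constructed sample in the style of the article's example; ge.1.2 is an added
# hypothetical port using the "firstarrival 2" workaround.
SAMPLE_CONFIG = """\
set eapol enable
set eapol auth-mode forced-auth ge.1.1
set eapol auth-mode forced-auth ge.1.2
set maclock enable
set maclock firstarrival ge.1.1 1
set maclock firstarrival ge.1.2 2
set maclock enable ge.1.1
set maclock enable ge.1.2
set multiauth mode strict
"""

def affected_ports(config_text):
    """Ports that combine forced-auth, MAC locking with firstarrival 1, and
    global multiauth strict mode. Assumption: port strings are compared
    literally (no range/wildcard expansion) and only explicit lines count."""
    forced, locked, first_one = set(), set(), set()
    maclock_global = strict = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "set maclock enable":
            maclock_global = True
        elif line.startswith("set multiauth mode "):
            strict = line.split()[-1] == "strict"   # last mode line wins
        elif m := re.fullmatch(r"set eapol auth-mode (\S+) (\S+)", line):
            (forced.add if m.group(1) == "forced-auth" else forced.discard)(m.group(2))
        elif m := re.fullmatch(r"set maclock enable (\S+)", line):
            locked.add(m.group(1))
        elif m := re.fullmatch(r"set maclock firstarrival (\S+) (\d+)", line):
            # a later line for the same port overrides an earlier one
            (first_one.add if int(m.group(2)) == 1 else first_one.discard)(m.group(1))
    if not (maclock_global and strict):
        return []
    return sorted(forced & locked & first_one)

def maca_disabled_events(syslog_text):
    """Syslog lines carrying the symptom message quoted in the article."""
    return [l for l in syslog_text.splitlines() if "Maca system disabled" in l]

if __name__ == "__main__":
    print("ports matching the failing combination:", affected_ports(SAMPLE_CONFIG))
```

A port reported here is a candidate for the pre-upgrade workaround; an empty result together with "Maca system disabled" hits in syslog suggests the configuration uses port strings this literal comparison does not expand.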

FAQ User, Official Rep


Posted 5 years ago
