I-Series, firmware 6.42.09.0005 through 6.61.08.0013
G-Series, firmware 6.42.09.0005 through 6.61.08.0013
C5-Series; firmware 6.42.09.0005 through 6.61.08.0013, 6.71.01.0067 through 6.71.02.0008
C3-Series, firmware 6.42.09.0005 through 6.61.08.0013
B5-Series; firmware 6.42.09.0005 through 6.61.08.0013, 6.71.01.0067 through 6.71.02.0008
B3-Series, firmware 6.42.09.0005 through 6.61.08.0013
A4-Series; firmware 6.61.02.0007 through 6.61.08.0013, 6.71.01.0067 through 6.71.02.0008
Set up one or more ports for MAC Locking of the first MAC seen ("maclock firstarrival 1"), EAPOL for assumed authentication ("eapol auth-mode forced-auth"), and single-user pass-or-fail authentication ("multiauth mode strict") (10283).
set dot1x enable
set eapol enable
set eapol auth-mode forced-auth ge.1.1
set maclock enable
set maclock firstarrival ge.1.1 1
set maclock enable ge.1.1
set multiauth mode strict
Maclocked clients never connect to the network.
While a client is trying to connect, error message "Maca system disabled" is syslogged ('show support'); for example:
<167>Feb 6 15:09:25 10.26.1.92-1 MACA: maca_api.c(289) 539 %
Maca system disabled
Solution/Workaround
Upgrade to 6.61 firmware 6.61.09.0012 or higher.
Release notes state, in the 'Changes and Enhancements in 6.61.09.0012' section:
Corrected the inability to access the network from a port in "force-auth" state, with multiauth mode set to strict, and maclocking firstarrival set to 1.
Also fixed as of C5/B5/A4-Series firmware 6.71.03.0025 (though not stated in release notes).
Pre-upgrade workaround: Change multiauth from strict mode to multi mode (12499), or enable maclock static and set maclock firstarrival 2 or greater.
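To find switches that need the upgrade or the workaround, the sketch below (an added example, not vendor code) checks a saved configuration for ports that combine forced-auth, firstarrival 1 and strict multiauth mode, and tests a firmware version against the ranges listed above. The function names and sample configuration are constructed for illustration; the parser assumes one "set" command per line with a single literal port string such as ge.1.1, and does not expand port ranges.

```python
# Added example: audit a config dump and firmware version for the issue above.
# Affected firmware ranges as listed in the article (inclusive bounds).
SHARED = ("6.42.09.0005", "6.61.08.0013")
LATE = ("6.71.01.0067", "6.71.02.0008")
AFFECTED = {
    "I": [SHARED], "G": [SHARED], "C3": [SHARED], "B3": [SHARED],
    "C5": [SHARED, LATE], "B5": [SHARED, LATE],
    "A4": [("6.61.02.0007", "6.61.08.0013"), LATE],
}

def _ver(text):
    """Turn '6.61.08.0013' into (6, 61, 8, 13) for numeric comparison."""
    return tuple(int(part) for part in text.split("."))

def firmware_affected(series, version):
    """True if this series/version falls inside a range the article lists."""
    return any(_ver(lo) <= _ver(version) <= _ver(hi)
               for lo, hi in AFFECTED.get(series, []))

def ports_at_risk(config_text):
    """Ports with forced-auth and firstarrival 1 while multiauth mode is strict.

    Later lines override earlier ones, as when commands are replayed in order.
    """
    strict = False
    forced, first_one = set(), set()
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:3] == ["set", "multiauth", "mode"] and len(tok) == 4:
            strict = tok[3] == "strict"
        elif tok[:3] == ["set", "eapol", "auth-mode"] and len(tok) == 5:
            (forced.add if tok[3] == "forced-auth" else forced.discard)(tok[4])
        elif tok[:3] == ["set", "maclock", "firstarrival"] and len(tok) == 5:
            (first_one.add if tok[4] == "1" else first_one.discard)(tok[3])
    return sorted(forced & first_one) if strict else []

# Constructed sample: the article's configuration plus a second port (ge.1.2)
# that already uses firstarrival 2, as in the pre-upgrade workaround.
SAMPLE = """\
set dot1x enable
set eapol enable
set eapol auth-mode forced-auth ge.1.1
set eapol auth-mode forced-auth ge.1.2
set maclock enable
set maclock firstarrival ge.1.1 1
set maclock firstarrival ge.1.2 2
set maclock enable ge.1.1
set multiauth mode strict
"""

if __name__ == "__main__":
    print(ports_at_risk(SAMPLE), firmware_affected("C5", "6.71.02.0008"))
```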