WLC - what is the purpose of the Interface/Interface Group field?

Mottok
Level 1

Hi, I am trying to get my head round how a WLC works at a basic level and I just cannot figure it out. Can anyone please explain to me the following scenario we have:

An SSID named 'Ipad_WLAN' which uses local MAC filtering so doesn't look at ISE at all.

An Interface Group called 'Students' that consists of 10 interfaces (including one called "STUDENT-MAIN").

In the WLANs > Edit 'Ipad_WLAN' section there is a field called 'Interface/Interface Group(G)' which is set to use the 'Students(G)'.

Now can somebody please tell me, why use an interface group here (or what's the purpose) when the SSID always associates to the "STUDENT-MAIN" interface?

The same is also true on one of our other SSIDs that goes through ISE. It uses the same interface group 'Students(G)' but associates to an interface that's not even in that group!

Please can someone explain this to a frustrated noob. Many thanks.

19 Replies

What exactly will that do? Will that force authentication through ISE?

No, it will just allow the interface to be overwritten. In this case, the WLC is acting as the AAA server and doing MAC auth.

I'm really sorry Jay, not quite following this bit. I've just looked up what AAA Override actually is (noobs!). So the current setup has three areas that define an interface: 1. the "students" interface group, 2. the AP group that uses the "student-main" interface and finally 3. the MAC security list. Does the AAA override just mean it will look at the most specific config (in this case the MAC list)? And is this essentially what the 'AAA Servers' tab is doing when you choose an external authentication server?

Once again thank you!

AAA is authentication, accounting, and authorization. When doing local MAC auth the WLC is acting as a AAA server doing all three of these functions. AAA override is saying that based on the authorization the AAA server is allowed to override the current config set to the client. Let's say you were not using the local MAC database but instead you were using ISE. If ISE sends back an AVP saying to use VLAN x, but you do not have AAA override enabled, the WLC will not accept this change.

If you look at the debug you took you will see the interface is normally applied to the client between the association request and the association response. You will first see it apply the interface on the WLAN, then "Applying site-specific" interface, which is the AP group. These two actions can only be based on config as the authentication has not happened yet. Then, still before the assoc response, you should see something close to "USE LOCALDB THEN RADIUS security policy for MAC-Auth Request". Next you see the MAC is "authenticated". You should then see an authorization response and something like "Override values for station". This is where the interface you have applied to the client in the local database would be applied. You will even see the interface name as an override value. Since you don't have AAA override enabled you will now see "Unable to apply override policy for station <client mac> - VapAllowRadiusOverride is FALSE".

All of this is because the WLC is acting as the AAA server and it is telling itself to change the VLAN based on the MAC database entry. Since you do not have AAA override enabled the WLC is not accepting this change to the interface. Since we are not accepting the change to the interface we stay at the last applied interface, which is the interface on the AP group. So, if you want to override this interface applied to the client with the one you have on the local MAC database, you have to enable AAA override.

Sorry for the long-winded response but it seemed to me that you wanted a deeper dive into why this config was needed.
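To make the sequence in the reply above concrete, here is an added example that is not from the thread or from Cisco: it walks a constructed client-debug excerpt in the order described (WLAN interface, AP-group site-specific interface, MAC auth, AAA authorization, override accepted or rejected) and reports which interface the client ends up on. The exact line wording, the sample MACs/interface names and the `trace_interface` helper are assumptions; real `debug client` output is phrased a little differently.

```python
import re

# Constructed debug excerpt (not real WLC output). The phrases follow the ones
# quoted in the thread; a real "debug client" capture will not match word for word.
SAMPLE_DEBUG = """\
00:11:22:33:44:55 Association received from mobile on BSSID aa:bb:cc:dd:ee:01
00:11:22:33:44:55 Applying Interface(students-03) policy on Mobile
00:11:22:33:44:55 Applying site-specific override for station - interface STUDENT-MAIN
00:11:22:33:44:55 USE LOCALDB THEN RADIUS security policy for MAC-Auth Request
00:11:22:33:44:55 MAC authenticated
00:11:22:33:44:55 Override values for station: interface=IPAD-VLAN
00:11:22:33:44:55 Unable to apply override policy for station 00:11:22:33:44:55 - VapAllowRadiusOverride is FALSE
00:11:22:33:44:55 Sending Assoc Response to station
"""


def trace_interface(debug_text):
    """Return (final_interface, aaa_requested_interface, override_blocked).

    Walks the lines in order: each "Applying ..." line replaces the interface
    currently assigned to the client (first the pick from the WLAN's interface
    group, then the AP group's site-specific interface).  The AAA authorization
    result is recorded separately and only wins if the WLC did not reject it
    because AAA Override is disabled on the WLAN.
    """
    applied = None          # interface the WLC has assigned so far, by config
    requested = None        # interface the AAA authorization asked for
    blocked = False         # True once the WLC refuses the override
    for line in debug_text.splitlines():
        m = re.search(r"Applying Interface\((\S+)\) policy", line)
        if m:
            applied = m.group(1)
            continue
        m = re.search(r"Applying site-specific override .* interface (\S+)", line)
        if m:
            applied = m.group(1)
            continue
        m = re.search(r"Override values for station.*interface=(\S+)", line)
        if m:
            requested = m.group(1)
            continue
        if "VapAllowRadiusOverride is FALSE" in line:
            blocked = True
    if requested and not blocked:
        applied = requested  # AAA Override enabled: the authorization result wins
    return applied, requested, blocked


if __name__ == "__main__":
    print(trace_interface(SAMPLE_DEBUG))
```

With the sample as written the client stays on STUDENT-MAIN (the AP-group interface); dropping the "VapAllowRadiusOverride is FALSE" line models enabling AAA Override, and the same trace then lands on IPAD-VLAN.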

Fantastic Jay, "but you do not have AAA override enabled, the WLC will not accept this change" is where the penny dropped on this one. At last you can get your life back!

My understanding has really come on with your help, thank you so much, superb!