思科WLC上可以通过两种方式完成MAC Filter认证。

• Local MAC authentication
• MAC authentication using a RADIUS server

某些情况下，可能会遇到两种类型并存的情况，是先选择Local DB还是先选择RADIUS Server ？

For ISE NAC WLANs, the MAC authentication request is always sent to the external RADIUS server. The MAC authentication is not validated against the local database. This functionality is applicable to Releases 8.5, 8.7, 8.8, and later releases via the fix for CSCvh85830.

Previously, if MAC filtering was configured, the controller tried to authenticate the wireless clients using the local MAC filter. RADIUS servers were attempted only if the wireless clients were not found in the local MAC filter.

综上所说：

在 8.5 以上的版本中，WLC 将优先使用外部 Radius 服务器，而之前的版本将优先使用本地数据库。以前，如果配置了 MAC 过滤，控制器会尝试使用本地 MAC 过滤器对无线客户端进行身份验证。 仅当在本地 MAC 过滤器中找不到无线客户端时才尝试使用 RADIUS 服务器。

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/wlan_security.html#local-mac-filters

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/wlan_security.html#local-mac-filters

BUG详情：

Cisco controller blocks client MAC authentication for wrong WLAN profile CSCvh85830 Description Symptom:
WLC is observed to block client MAC Authentication for wrong WLAN Profiles.

For example:
1) Add client MAC to WLC MAC Filtering list with specified WLAN Profile of SSID A
2) Connect client to SSID B with MAC Filtering and ISE NAC enabled (CWA)
3) Observe client association get rejected due to status 1

Expectation is that client MAB should be forwarded to ISE, as the MAC-Filter entry on the WLC is specified for SSID A and not SSID B

Conditions:
Observed on WLC running 8.3.130.0 with FlexConnect Locally-Switched SSID

Workaround:
Do not use mac entry on local file db on wlc for ISE-NAC config enabled WLANs.

Further Problem Description:
n/a