At a client running a Trapeze/Juniper network with some MX-8 controllers, a bunch of MP-371B and an instance of Ringmaster software to control and configure it all, we were working on implementing MAC-address based authentication for one of their ESSIDs. After correctly setting up the necessary policies, and AAA servers, we noticed that any client could still connect to our network, despite all settings being correct.
Baffled at this, we started to look around, trying to figure out what went wrong. My collegue finally remembered the true cause for our problem, a setting in the Wireless Service Profile.
There, the Fall Through Access was set to last resort, which basically tells the network to accept the client if all other authentication methods fail. Setting this to none quickly resolved our problem, and authentication was succesfully applied to the network.
It's definitely a thing to remember for next time.