I am reading the page on interface/wireless, specifically the section on
Radius MAC authentication
RADIUS MAC authentication
Note: RADIUS MAC authentication is used by access point for clients that are not found in the access-list, similarly to the default-authentication property of the wireless interface. It controls whether client is allowed to proceed with authentication, or is rejected immediately.
When radius-mac-authentication=yes, access point queries RADIUS server by sending Access-Request with the following attributes:
User-Name - Client MAC address. This is encoded as specified by the radius-mac-format setting. Default encoding is "XX:XX:XX:XX:XX:XX".
Nas-Port-Id - name of wireless interface.
User-Password - When radius-mac-mode=as-username-and-password this is set to the same value as User-Name. Otherwise this attribute is empty.
Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".
Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (minus separated pairs of MAC address digits, followed by colon, followed by SSID value).
Acct-Session-Id - Added when radius-mac-accounting=yes.
If I understand that correctly - unfortunately I no longer have an old-style wifi device to test - whatever is not matched by the ACL goes to MAC auth: so if accepted -> no MAC auth, if rejected -> no MAC auth.
Provided you have
radius-mac-authentication=yes set, something like this should then be used:
/interface wireless access-list
add authentication=no forwarding=no signal-range=-120..-66
That will drop whatever is out of signal and the rest will have to go through radius.