ArubaOS and Controllers

Occasional Contributor II
Posts: 18
Registered: ‎07-31-2009

Client authenticating but not showing in user table

Hi all,

I have a wireless client device that is authenticating correctly through dot1x but is not showing in the user table and is therefore not being assigned a role.

The username of the particular device is "WirelessTerminal". I have included the output of some relevant commands below. Any ideas why this isn't getting into the user table?

-----------------------------------------------------------------------------------------------------------
(aruba-master) #show dot1x supplicant-info l

802.1x User Information
-----------------------
MAC Name Auth AP-MAC Enc-Key/Type Auth-Mode EAP-Type Remote
------------ -------- ---- ------ ------------------- ----------- --------- ------
00:18:de:1e:6e:9f Acme\dunne_n Yes 00:1a:1e:fb:23:41 * * * * * * * */WPA2-AES Explict Mode EAP-PEAP No
00:24:01:12:cb:9b Acme\WirelessTerminal Yes 00:1a:1e:fd:44:82 * * * * * * * */WPA2-AES Explict Mode EAP-PEAP No
00:90:96:b3:9d:6d No 00:1a:1e:fd:4a:e0 * * * * * * * */- Explict Mode - No
00:23:12:57:0f:03 No 00:1a:1e:fb:23:40 * * * * * * * */- Explict Mode - No
00:22:fb:74:50:ec No 00:1a:1e:fd:4a:e0 * * * * * * * */- Explict Mode - No


(aruba-master) #show auth

Warning: user-debug is enabled on one or more specific MAC addresses;
only those MAC addresses appear in the trace buffer.

Auth Trace Buffer
-----------------

Oct 30 10:57:58 station-down * 00:24:01:12:cb:9b 00:1a:1e:fb:23:42 - -
Oct 30 10:57:58 station-up * 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 - - wpa2 aes
Oct 30 10:57:58 station-data-ready * 00:24:01:12:cb:9b 00:00:00:00:00:00 1 -
Oct 30 10:57:58 wpa2-key1 <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 - 117
Oct 30 10:57:59 wpa2-key1 <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 - 117
Oct 30 10:58:00 wpa2-key1 <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 - 117
Oct 30 10:58:01 eap-start -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 - -
Oct 30 10:58:01 eap-id-req <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 2 5
Oct 30 10:58:01 eap-id-resp -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 2 25 Acme\WirelessTerminal
Oct 30 10:58:01 rad-req -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 49 188
Oct 30 10:58:01 rad-resp <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 49 77
Oct 30 10:58:01 eap-req <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 3 6
Oct 30 10:58:01 eap-resp -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 3 108
Oct 30 10:58:01 rad-req -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 50 296
Oct 30 10:58:01 rad-resp <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 50 1175
Oct 30 10:58:01 eap-req <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 4 1096
Oct 30 10:58:01 eap-resp -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 4 6
Oct 30 10:58:01 rad-req -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 51 194
Oct 30 10:58:01 rad-resp <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 51 1175
Oct 30 10:58:01 eap-req <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 5 1096
Oct 30 10:58:01 eap-resp -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 5 6
Oct 30 10:58:01 rad-req -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 52 194
Oct 30 10:58:01 rad-resp <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 52 1175
Oct 30 10:58:01 eap-req <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 6 1096
Oct 30 10:58:01 eap-resp -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 6 6
Oct 30 10:58:01 rad-req -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 53 194
Oct 30 10:58:01 rad-resp <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 53 887
Oct 30 10:58:01 eap-req <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 7 810
Oct 30 10:58:01 eap-resp -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 7 200
Oct 30 10:58:01 rad-req -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 54 388
Oct 30 10:58:01 rad-resp <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 54 124
Oct 30 10:58:01 eap-req <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 8 53
Oct 30 10:58:01 eap-resp -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 8 6
Oct 30 10:58:01 rad-req -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 55 194
Oct 30 10:58:01 rad-resp <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 55 99
Oct 30 10:58:01 eap-req <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 9 28
Oct 30 10:58:01 eap-resp -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 9 48
Oct 30 10:58:01 rad-req -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 56 236
Oct 30 10:58:01 rad-resp <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 56 128
Oct 30 10:58:01 eap-req <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 10 57
Oct 30 10:58:01 eap-resp -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 10 102
Oct 30 10:58:01 rad-req -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 57 290
Oct 30 10:58:01 rad-resp <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 57 145
Oct 30 10:58:01 eap-req <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 11 74
Oct 30 10:58:01 eap-resp -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 11 29
Oct 30 10:58:01 rad-req -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 58 217
Oct 30 10:58:01 rad-resp <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 58 109
Oct 30 10:58:01 eap-req <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 12 38
Oct 30 10:58:01 eap-resp -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 12 38
Oct 30 10:58:01 rad-req -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 59 226
Oct 30 10:58:01 rad-accept <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 59 264
Oct 30 10:58:01 eap-success <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 13 4
Oct 30 10:58:01 station-data-ready * 00:24:01:12:cb:9b 00:00:00:00:00:00 1 -
Oct 30 10:58:01 wpa2-key1 <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 - 117
Oct 30 10:58:01 wpa2-key2 -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 - 117
Oct 30 10:58:01 wpa2-key3 <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 - 151
Oct 30 10:58:01 wpa2-key4 -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 - 95

(aruba-master) # show user

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- -------
10.200.200.49 00:18:de:1e:6e:9f Acme\dunne_n authenticated 00:01:25 802.1x IT Room Associated Corporate-802.11g/00:1a:1e:fb:23:41/g Acme-Corporate
192.168.1.188 00:23:12:57:0f:03 martin guest 00:00:50 Web IT Room Associated Visitor/00:1a:1e:fb:23:40/g Acme-Visitor
192.168.1.189 00:23:12:57:0f:03 martin guest 00:00:22 Web IT Room Associated Visitor/00:1a:1e:fb:23:40/g Acme-Visitor
192.168.1.35 00:90:96:b3:9d:6d guest-logon 00:01:11 Elm-Room Associated Visitor/00:1a:1e:fd:4a:e0/g Acme-Visitor
192.168.1.4 00:22:fb:74:50:ec guest-logon 00:01:07 Elm-Room Associated Visitor/00:1a:1e:fd:4a:e0/g Acme-Visitor

User Entries: 5/5
Guru Elite
Posts: 19,991
Registered: ‎03-29-2007

Show Station-Table


Make sure that the client is configured for DHCP, or give him an IP address statically and see if that fixes it. Even though a user passes dot1x authentication, he will not be placed in the user table without an IP address. Also, enable debugging for that client and show the log output for him: "show log user x". Also do a "show station table" to see what role the client is getting. His role might be blocking DHCP, and that will keep him from getting an IP address and from entering the user table.
Colin Joseph
Aruba Customer Engineering
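
Added example (not part of the original thread, and not Aruba code): a Python script that cross-checks the three outputs from the question to list clients that passed dot1x but own no user-table entry, which is the state the answer attributes to a missing IP address. The regexes assume the column layouts shown in the question, and the function names are hypothetical.

```python
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Column layouts assumed from the output pasted in the question.
SUPP_ROW = re.compile(rf"^({MAC})\s+(?:(\S+)\s+)?(Yes|No)\s+{MAC}", re.I)
USER_ROW = re.compile(rf"^\d{{1,3}}(?:\.\d{{1,3}}){{3}}\s+({MAC})\s", re.I)
TRACE_ROW = re.compile(rf"^\w{{3}}\s+\d+\s+[\d:]{{8}}\s+(\S+)\s+(?:<-|->|\*)\s+({MAC})", re.I)

# Rows copied from the question (user rows trimmed, trace shortened to key events).
SUPPLICANT_OUT = r"""
00:18:de:1e:6e:9f Acme\dunne_n Yes 00:1a:1e:fb:23:41 * * * * * * * */WPA2-AES Explict Mode EAP-PEAP No
00:24:01:12:cb:9b Acme\WirelessTerminal Yes 00:1a:1e:fd:44:82 * * * * * * * */WPA2-AES Explict Mode EAP-PEAP No
00:90:96:b3:9d:6d No 00:1a:1e:fd:4a:e0 * * * * * * * */- Explict Mode - No
"""
USER_OUT = r"""
10.200.200.49 00:18:de:1e:6e:9f Acme\dunne_n authenticated 00:01:25 802.1x IT Room Associated
192.168.1.35 00:90:96:b3:9d:6d guest-logon 00:01:11 Elm-Room Associated
"""
TRACE_OUT = """
Oct 30 10:58:01 rad-accept <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82/10.200.10.134 59 264
Oct 30 10:58:01 eap-success <- 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 13 4
Oct 30 10:58:01 wpa2-key4 -> 00:24:01:12:cb:9b 00:1a:1e:fd:44:82 - 95
"""

def rows(pattern, text):
    """Yield regex matches for every line of CLI output that fits the pattern."""
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            yield m

def dot1x_authenticated(text):
    """MAC -> 802.1X identity for supplicants whose Auth column is Yes."""
    return {m.group(1).lower(): m.group(2) for m in rows(SUPP_ROW, text) if m.group(3) == "Yes"}

def user_table_macs(text):
    """MACs that own at least one entry (and so an IP) in 'show user'."""
    return {m.group(1).lower() for m in rows(USER_ROW, text)}

def missing_from_user_table(supp, users, trace=""):
    """(mac, identity, l2_complete) for clients authenticated at layer 2 only."""
    have_ip, report = user_table_macs(users), []
    for mac, name in dot1x_authenticated(supp).items():
        if mac in have_ip:
            continue
        ev = [m.group(1) for m in rows(TRACE_ROW, trace) if m.group(2).lower() == mac]
        done = "eap-success" in ev and "wpa2-key4" in ev[ev.index("eap-success"):]
        report.append((mac, name, done))
    return report

if __name__ == "__main__":
    for mac, name, done in missing_from_user_table(SUPPLICANT_OUT, USER_OUT, TRACE_OUT):
        print(f"{mac} {name}: dot1x ok, 4-way handshake done={done}, no user-table entry")
```

A client reported with the handshake flag set has finished EAP and the WPA2 key exchange, so the next things to check are the ones named in the answer: DHCP on the client and the role shown in the station table.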
