ArubaOS and Controllers

Occasional Contributor I
Posts: 6
Registered: ‎09-15-2009

user log report @ip username

Hello,

We are using airos version 3.4.1.1 on a 2400 controller,
with the captive portal (with external ldap server) for authentication.
We cannot find the association @ip username for a particular @ip
in our log file.

It works fine for many users, for example:
Oct 1 12:47:22 192.168.100.1 2009 authmgr: <522008> |authmgr| User authenticated: Name=toto001 MAC=00:23:6c:xx:xx:xx IP=xx.xx.xx.178 method=Web server=ldap2 role=etudiant_BX3


But for our case, looking for who was authenticated with an @ip,
there is nothing that helps. The only thing we could find is:

Oct 1 11:35:46 192.168.100.1 2009 authmgr: <522026> |authmgr| MAC=00:21:00:xx:xx:xx IP=x.x.3.145 User miss: ingress=0x1070, VLAN=35
Oct 1 11:35:46 192.168.100.1 2009 authmgr: <522006> |authmgr| MAC=00:21:00:xx:xx:xx IP=x.x.3.145 User entry added: reason=Sibtye
Oct 1 12:43:09 192.168.100.1 2009 authmgr: <522005> |authmgr| MAC=00:21:00:xx:xx:xx IP=x.x.3.145 User entry deleted: reason=idle timeout

Oct 1 11:36:30 192.168.100.1 2009 authmgr: <124006> |authmgr| {56540802} TCP srcip=x.x.3.145 srcport=49923 dstip=x.85.227.99 dstport=80, action=permit, role=etudiant_BX3, policy=internet_BX3

Oct 1 11:36:30 192.168.100.1 2009 authmgr: <124006> |authmgr| {56540804} TCP srcip=x.x.3.145 srcport=49925 dstip=x.125.77.138 dstport=80, action=permit, role=etudiant_BX3, policy=internet_BX3

What is the meaning of "User miss: ingress" or "User entry added: reason=Sibtye"?

Thanks a lot

acout
Guru Elite
Posts: 21,512
Registered: ‎03-29-2007

User Miss

"User miss" means that no device with that matching ip address and mac address appears in the user table, so we have to add it new, which explains the following line "User entry added". That does not mean that the user "authenticated", it just means that a new device is present and has been inserted in the user table.

If you do the following:
config t
logging level notifications user process authmgr
exit
write mem


You should then be able to see authenticated users by doing a "show log user (x)" and seeing the authentications and log message 522008

# show log user 50
Jan 30 10:41:27 :522008: |authmgr| User authenticated: Name=office\cjoseph MAC=00:31:6a:6d:be:66 IP=10.99.33.253 method=802.1x server=office-supersvr role=office-staff
Jan 30 10:43:21 :522008: |authmgr| User authenticated: Name=office-guest MAC=00:31:6a:6d:be:66 IP=10.99.34.248 method=Web server=Internal role=office-guest-role

The first line is a dot1x authentication. The second line is a Captive Portal Authentication


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 6
Registered: ‎09-15-2009

user log report @ip username reason Sibtye

Hello,
What is the meaning of "User entry added: reason=Sibtye"?
We have a big problem that occurred on 1 October with a particular @mac address, and we cannot find what user was authenticated (the captive portal is connected to our ldap server) with this mac address.
There is nothing in the aruba logs (we send aruba's logs to a syslog server).
Is there documentation with all the log messages?

we already configured
logging level informational user
logging level informational user subcat all
logging level informational user subcat captive-portal
logging level informational user subcat dot1x
logging level informational user subcat radius
logging level informational user subcat vpn
logging level informational wireless
logging level informational wireless subcat all

and
logging level notifications user process authmgr

Is there a way somebody goes through captive portal without any logging information?

Thanks a lot
Guru Elite
Posts: 21,512
Registered: ‎03-29-2007

User

The sibyte is a chip fabric in the controller. I'm not sure that log entry has any meaningful input besides to say that the user is associated and was added to the user table. If there is NOT a log for authentication, it probably means that the user was just associated to the captive portal and did not authenticate. You could get this for hundreds of users that pass by with a smartphone that automatically associates to your wireless network.

If you have a problem, please open a support ticket so that they can go through your logs in detail so that you can get detailed answers to questions with sensitive information that you cannot reveal here.


Colin Joseph
Aruba Customer Engineering
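
The correlation described in the two answers above, as an added example that is not part of the original posts: it groups authmgr syslog lines per MAC/IP pair, attaches the username from message 522008, and lists pairs that entered the user table (522026/522006/522005) without ever authenticating. The sample lines are constructed in the format quoted in this thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format quoted in this thread.
SAMPLE_LOG = """\
Oct 1 11:35:46 192.168.100.1 2009 authmgr: <522026> |authmgr| MAC=00:21:00:aa:bb:cc IP=10.0.3.145 User miss: ingress=0x1070, VLAN=35
Oct 1 11:35:46 192.168.100.1 2009 authmgr: <522006> |authmgr| MAC=00:21:00:aa:bb:cc IP=10.0.3.145 User entry added: reason=Sibtye
Oct 1 12:43:09 192.168.100.1 2009 authmgr: <522005> |authmgr| MAC=00:21:00:aa:bb:cc IP=10.0.3.145 User entry deleted: reason=idle timeout
Oct 1 12:47:22 192.168.100.1 2009 authmgr: <522008> |authmgr| User authenticated: Name=toto001 MAC=00:23:6c:11:22:33 IP=10.0.3.178 method=Web server=ldap2 role=etudiant_BX3
"""

FIELDS = {
    "msg": re.compile(r"<(\d{6})>"),
    "mac": re.compile(r"\bMAC=([0-9A-Fa-f:]{17})"),
    "ip": re.compile(r"\bIP=(\S+)"),
    "name": re.compile(r"\bName=(\S+)"),
    "time": re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})"),
}

def parse(line):
    """Return the fields found on one authmgr line (missing ones are None)."""
    found = {key: rx.search(line) for key, rx in FIELDS.items()}
    return {key: (m.group(1) if m else None) for key, m in found.items()}

def correlate(log_text):
    """Group events per (MAC, IP); record names only from 522008 lines."""
    sessions = defaultdict(lambda: {"events": [], "names": []})
    for line in log_text.splitlines():
        f = parse(line)
        if not (f["msg"] and f["mac"] and f["ip"]):
            continue  # e.g. 124006 firewall lines carry srcip=, not MAC=/IP=
        entry = sessions[(f["mac"].lower(), f["ip"])]
        entry["events"].append((f["time"], f["msg"]))
        if f["msg"] == "522008" and f["name"]:
            entry["names"].append(f["name"])
    return dict(sessions)

def names_for(sessions, ip=None, mac=None):
    """Usernames seen for an IP and/or MAC; empty list means no 522008 logged."""
    return [n for (m, i), s in sessions.items() for n in s["names"]
            if (ip is None or i == ip) and (mac is None or m == mac.lower())]

def unauthenticated(sessions):
    """(MAC, IP) pairs added to the user table that never authenticated."""
    return sorted(key for key, s in sessions.items() if not s["names"])

if __name__ == "__main__":
    table = correlate(SAMPLE_LOG)
    print(names_for(table, ip="10.0.3.178"), unauthenticated(table))
```
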


MVP
Posts: 502
Registered: ‎04-03-2007

Re: user log report @ip username

Airwave would provide you this sort of historic logging. You could then search by the mac address or IP address. If the user authenticated (thus providing a username) the username would be displayed. I recommend this if you are managing plenty of APs.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University