COTD: Remove a user from the user table immediately upon disassociation

Many of us know that when users roam out of coverage, close their laptops or shut off their wireless cards, they still stay in the user table on the controller for a varying set of minutes.  There is a benefit to this for Captive Portal users, so they don't have to log back in after being disassociated for a few minutes.  For 802.1x or any flavor of PSK, however, having disassociated users in the user table artificially inflates the size of the user table.  If you want a user to be removed from the user table immediately when the device disassociates, in the AAA profile, enable the User idle timeout parameter and set the seconds to 0:


Dec 21 22:57:51 :522296:  <4480> <DBUG> |authmgr|  Auth GSM : USER_STA delete event for user 10:f2:fb:82:ab:ca age 0 deauth_reason 3
Dec 21 22:57:51 :522036:  <4480> <INFO> |authmgr|  MAC=10:f2:fb:82:ab:ca Station DN: BSSID=00:24:6c:33:08:ca ESSID=ACME-TLS VLAN=1 AP-name=Conference-Room-335
Dec 21 22:57:51 :522261:  <4480> <DBUG> |authmgr|  "User MAC:10:f2:fb:82:ab:ca: purge IP:192.168.1.150.
Dec 21 22:57:51 :522111:  <4480> <DBUG> |authmgr|  AU1(4), HA1, TAP0, PARP0 OIP0 IIP0 INT0 WD0 FW2 DT1.
Dec 21 22:57:51 :501105:  <NOTI> |AP Conference-Room-335@192.168.1.234 stm|  Deauth from sta: 10:f2:fb:82:ab:ca: AP 192.168.1.234-00:24:6c:33:08:ca-Conference-Room-335 Reason STA has left and is deauthenticated
Dec 21 22:57:51 :522130:  <4480> <DBUG> |authmgr|  {192.168.1.150} datapath entry deleted.
Dec 21 22:57:51 :501000:  <DBUG> |AP Conference-Room-335@192.168.1.234 stm|  Station 10:f2:fb:82:ab:ca: Clearing state
Dec 21 22:57:51 :522301:  <4480> <DBUG> |authmgr|  Auth GSM : USER publish for uuid 0x8f23c8b8b5f800ef mac 10:f2:fb:82:ab:ca name employee role authenticated devtype Linux wired 0 authtype 4 subtype 0  encrypt-type 10 conn-port 8448 fwd-mode 2
Dec 21 22:57:51 :522005:  <4480> <INFO> |authmgr|  MAC=10:f2:fb:82:ab:ca IP=192.168.1.150 User entry deleted: reason=user request
Dec 21 22:57:51 :522128:  <4480> <DBUG> |authmgr|  download-L2: acl=89/0 role=authenticated, tunl=0x0x10024, PA=0, HA=1, RO=0, VPN=0 L3MOB=0.
Dec 21 22:57:51 :522050:  <4480> <INFO> |authmgr|  MAC=10:f2:fb:82:ab:ca,IP=N/A User data downloaded to datapath, new Role=authenticated/89, bw Contract=0/0, reason=Station resetting role, idle-timeout=0
Dec 21 22:57:51 :522262:  <4480> <DBUG> |authmgr|  "User MAC:10:f2:fb:82:ab:ca: Total users purged = 1.
Dec 21 22:57:51 :522152:  <4480> <DBUG> |authmgr|  station free: bssid=00:24:6c:33:08:ca, @=0x0x1325e84.
Dec 21 22:57:51 :522244:  <4480> <DBUG> |authmgr|  MAC=10:f2:fb:82:ab:ca Station Deleted Update MMS
Dec 21 22:57:51 :522301:  <4480> <DBUG> |authmgr|  Auth GSM : USER publish for uuid 0x8f23c8b8b5f800ef mac 10:f2:fb:82:ab:ca name employee role authenticated devtype Linux wired 0 authtype 4 subtype 0  encrypt-type 10 conn-port 8448 fwd-mode 2
Dec 21 22:57:51 :522290:  <4480> <DBUG> |authmgr|  Auth GSM : MAC_USER delete for mac 10:f2:fb:82:ab:ca
Dec 21 22:57:51 :522303:  <4480> <DBUG> |authmgr|  Auth GSM : USER delete for mac 10:f2:fb:82:ab:ca uuid 0x8f23c8b8b5f800ef 
Dec 21 22:57:51 :527004:  <4057> <INFO> |mdns|  mdns_parse_auth_useridle_message 169 Auth User Idle Timeout: MAC:10:f2:fb:82:ab:ca
Dec 21 22:57:51 :527000:  <4057> <DBUG> |mdns|  ag_ssdp_get_token_list_for_mac 364 AirGroup user exists but ssdp_token_list does not: mac=10:f2:fb:82:ab:ca
Dec 21 22:57:51 :527000:  <4057> <DBUG> |mdns|  ag_mdns_get_token_list_for_mac 665 AirGroup user exists but token_list does not: mac=10:f2:fb:82:ab:ca
Dec 21 22:57:51 :527000:  <4057> <DBUG> |mdns|  mdns_client_purge 1163 Purge mdns client, mac=10:f2:fb:82:ab:ca, del_client = 1
Dec 21 22:57:51 :522038:  <3844> <NOTI> |authmgr|  username=employee MAC=10:f2:fb:82:ab:ca IP=192.168.1.150 Authentication result=Authentication Successful method=radius-accounting server=CPPM
Dec 21 22:57:51 :501000:  <3859> <DBUG> |stm|  Station 10:f2:fb:82:ab:ca: Clearing state

The device above was an Android device on which I shut off the wireless radio.

 

This applies to devices that actually send a deauth.  For devices where the battery is just removed, they are subject to the ageout parameter in the SSID profile (1000 seconds by default), which determines when to remove them.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
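One way to confirm from the controller's syslog that user entries really are removed at disassociation, added here as an example and not part of the original post: it pairs each authmgr "Station DN" line with the matching "User entry deleted" line per MAC and reports the delay. The function names and the `year` parameter are assumptions; the sample lines are copied from the debug output above.

```python
import re
from datetime import datetime

# Three authmgr lines copied from the debug output in the post.
POST_LOG = """\
Dec 21 22:57:51 :522036:  <4480> <INFO> |authmgr|  MAC=10:f2:fb:82:ab:ca Station DN: BSSID=00:24:6c:33:08:ca ESSID=ACME-TLS VLAN=1 AP-name=Conference-Room-335
Dec 21 22:57:51 :522005:  <4480> <INFO> |authmgr|  MAC=10:f2:fb:82:ab:ca IP=192.168.1.150 User entry deleted: reason=user request
Dec 21 22:57:51 :522050:  <4480> <INFO> |authmgr|  MAC=10:f2:fb:82:ab:ca,IP=N/A User data downloaded to datapath, new Role=authenticated/89, bw Contract=0/0, reason=Station resetting role, idle-timeout=0
"""

# Captures: timestamp, message id, authmgr message body.
LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s+:(\d+):.*?\|authmgr\|\s+(.*)$")
MAC = re.compile(r"MAC=((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def removal_delays(log_text, year=2017):
    """Map each MAC to the seconds between 'Station DN' and 'User entry deleted'.

    The value is None when a station went down and no deletion was logged,
    meaning the entry is still in the user table. Syslog lines carry no year,
    so the caller supplies one (assumption: 2017 for the sample).
    """
    down_at, delays = {}, {}
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # lines from other processes (stm, mdns) or unparseable
        stamp, _msg_id, body = line.groups()
        found = MAC.search(body)
        if not found:
            continue
        mac = found.group(1).lower()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if "Station DN" in body:
            down_at[mac] = when
            delays[mac] = None
        elif "User entry deleted" in body and mac in down_at:
            delays[mac] = (when - down_at.pop(mac)).total_seconds()
    return delays

def lingering(delays, max_seconds=0):
    """MACs whose user entry outlived the disassociation by more than max_seconds."""
    return sorted(m for m, d in delays.items() if d is None or d > max_seconds)

if __name__ == "__main__":
    print(removal_delays(POST_LOG))
    print(lingering(removal_delays(POST_LOG)))
```
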