Command of the Day

Reply
Guru Elite
Posts: 21,520
Registered: ‎03-29-2007

COTD: logging authentication events

[ Edited ]

If you only want to see users that authenticate, how they authenticated, time date, etc, you need to configure your logging properly. First see what kind of logging you have in place. Use "show logging level verbose":

(3600.arubanetworks.com) # show logging level verbose 

LOGGING LEVELS
--------------
Facility Level Sub Categorey Process
-------- ----- ------------- -------
network warnings N/A N/A
security warnings N/A N/A
system warnings N/A N/A
user warnings N/A N/A
wireless warnings N/A N/A


All your logging levels should start at warnings. We want to change the logging level of the authmgr process to informational:

config t
logging level informational security process authmgr

You would then do "show log security (x)" to see your user authentications:

Mar 14 09:40:15 :522008:   |authmgr|  User authenticated: Name=jroberts MAC=00:25:00:37:b7:f2 IP=172.16.33.252 method=802.1x server=corp-supersvr role=corp-staff-split
Mar 14 10:10:29 :522008: |authmgr| User authenticated: Name=jroberts MAC=00:25:00:37:b7:f2 IP=172.16.33.252 method=802.1x server=corp-supersvr role=corp-staff-split
Mar 14 10:45:17 :522008: |authmgr| User authenticated: Name=jroberts MAC=00:23:6c:90:05:11 IP=172.16.33.253 method=802.1x server=corp-supersvr role=corp-staff-split
Mar 14 11:10:29 :522008: |authmgr| User authenticated: Name=jroberts MAC=00:25:00:37:b7:f2 IP=172.16.33.252 method=802.1x server=corp-supersvr role=corp-staff-split
Mar 14 11:35:45 :522008: |authmgr| User authenticated: Name=dwilliams MAC=00:00:00:00:00:00 IP=172.16.32.78 method=VIA-VPN server=n/a role=default-via-role
Mar 14 11:37:36 :522008: |authmgr| User authenticated: Name=dwilliams MAC=00:00:00:00:00:00 IP=172.16.32.79 method=VIA-VPN server=n/a role=default-via-role
Mar 14 11:39:43 :522008: |authmgr| User authenticated: Name=dwilliams MAC=00:00:00:00:00:00 IP=172.16.32.80 method=VIA-VPN server=n/a role=default-via-role
Mar 14 11:40:44 :522008: |authmgr| User authenticated: Name=jroberts MAC=00:25:00:37:b7:f2 IP=172.16.33.252 method=802.1x server=corp-supersvr role=corp-staff-split
Mar 14 11:44:36 :522008: |authmgr| User authenticated: Name=corp-guest-split MAC=00:23:12:53:1d:f4 IP=172.16.34.235 method=Web server=Internal role=corp-guest-role
Mar 14 11:47:48 :522008: |authmgr| User authenticated: Name=corp-guest-split MAC=00:23:12:53:1d:f4 IP=172.16.34.235 method=Web server=Internal role=corp-guest-split
Mar 14 11:59:37 :522008: |authmgr| User authenticated: Name=corp-guest MAC=00:23:12:53:1d:f4 IP=172.16.34.235 method=Web server=Internal role=corp-guest-role
Mar 14 12:10:56 :522008: |authmgr| User authenticated: Name=corp-guest-split MAC=00:23:12:53:1d:f4 IP=172.16.34.235 method=Web server=Internal role=corp-guest-split
Mar 14 12:10:59 :522008: |authmgr| User authenticated: Name=jroberts MAC=00:25:00:37:b7:f2 IP=172.16.33.252 method=802.1x server=corp-supersvr role=corp-staff-split
Mar 14 12:12:36 :522008: |authmgr| User authenticated: Name=corp-guest MAC=00:23:12:53:1d:f4 IP=172.16.34.235 method=Web server=Internal role=corp-guest-role
Mar 14 12:15:14 :522008: |authmgr| User authenticated: Name=corp-guest-split MAC=00:23:12:53:1d:f4 IP=172.16.34.235 method=Web server=Internal role=corp-guest-split
Mar 14 12:17:30 :522008: |authmgr| User authenticated: Name=jroberts MAC=00:25:00:37:b7:f2 IP=172.16.33.252 method=802.1x server=corp-supersvr role=corp-staff-split
Mar 14 12:52:49 :522008: |authmgr| User authenticated: Name=jroberts MAC=00:25:00:37:b7:f2 IP=172.16.33.252 method=802.1x server=corp-supersvr role=corp-staff-split

Now we can see authentications for 802.1x, Web (Captive Portal), mac, as well as VPN users


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 3
Registered: ‎11-17-2009

Multicast Encryption Mismatch

Colin,
This opened a can of worms. Now I am seeing many of these errors:

Mar 15 05:07:28 :501068: |stm| Source: 00:22:fb:40:a4:84 Failed AP 10.7.56.176-00:1a:1e:f1:f9:00-wp05wap3 Multicast Encryption Mismatch

I searched Airheads archive but only found one similiar unanswered question. Can you explain and is there a fix?

Thanks, Tom
Occasional Contributor II
Posts: 23
Registered: ‎10-06-2009

Re: COTD: logging authentication events

cjoseph,
thanks for the tip once again. does this logging take cpu and memory from the controller?
thanks. g
Guru Elite
Posts: 21,520
Registered: ‎03-29-2007

Multicast Encryption Mismatch


Colin,
This opened a can of worms. Now I am seeing many of these errors:

Mar 15 05:07:28 :501068: |stm| Source: 00:22:fb:40:a4:84 Failed AP 10.7.56.176-00:1a:1e:f1:f9:00-wp05wap3 Multicast Encryption Mismatch

I searched Airheads archive but only found one similiar unanswered question. Can you explain and is there a fix?

Thanks, Tom




Tom,

This message normally means two things in general:

A user has entered the wrong preshared key for a WPA or WPA2 preshared key network, or needs to upgrade the driver on their wireless client.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Guru Elite
Posts: 21,520
Registered: ‎03-29-2007

Little


cjoseph,
thanks for the tip once again. does this logging take cpu and memory from the controller?
thanks. g




Not so much.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 23
Registered: ‎10-06-2009

Re: COTD: logging authentication events

cjoseph,
I have a master and two local switches. This command would be done at the local switch level and not the master, right?
Guru Elite
Posts: 21,520
Registered: ‎03-29-2007

Local it is

Gonzalo,

That is local.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 3
Registered: ‎11-17-2009

Thanks

Thanks Colin
Search Airheads
Showing results for 
Search instead for 
Did you mean: