Controller Based WLANs

Why do we see Unknown External Agent" response code from XML API Servere?

by on ‎07-16-2014 07:38 AM

Environment  : Any Aruba Controller and any Aruba OS.

 

We keep getting "unknown external agent" error when captive portal calls Aruba XML API to initiate authentication process:

 

 

<aruba>

 

<status>Error</status>

 

<code>3</code>

 

<reason>unknown external agent</reason>

 

</aruba>
 
Need to map the XML API server to the AAA profile default-xml-api
 
Issue is resolved by mapping the XML API Server to the default profile "default-xml-api":

config term 
  aaa profile default-xml-api   xml-api-server 11.10.10.1 
write mem 
 
To observe the error response code from XML server, we should enabling security debugging:  
 
# config term
# logging level debugging security process authmgr
# write mem

Then perform an XML query as a test from xml-server.  When we have 3 or 4 times failure, we could check 
“show log security all | include authmgr”

Example:
 
(Aruba) #show log security all | include authmgr
Sep 23 16:23:56 :124032:  <WARN> |authmgr|  XML command=user_add (0) result='Error', error='unknown external agent'
Sep 23 16:24:28 :124032:  <WARN> |authmgr|  XML command=user_add (0) result='Error', error='unknown external agent'
Sep 23 16:29:09 :124032:  <WARN> |authmgr|  XML command=user_add (0) result='Error', error='unknown external agent'
Sep 23 16:43:28 :124230:  <DBUG> |authmgr|  Rx message 14001/5221, length 219 from 127.0.0.1:8220
Sep 23 16:44:17 :124230:  <DBUG> |authmgr|  Rx message 1003/5, length 1016 from 127.0.0.1:8407
Sep 23 17:00:24 :124004:  <DBUG> |authmgr|  RX (sock) message of type 50, len 1172 
Sep 23 17:00:24 :124030:  <INFO> |authmgr|  Received XML API cmd=user_add, agent=11.10.10.1 IP=172.16.0.254
Sep 23 17:00:24 :124004:  <DBUG> |authmgr|   IP=172.16.0.254, MAC=00:13:ce:eb:5b:c8, name='Aruba123'
Sep 23 17:00:24 :124004:  <DBUG> |authmgr|   role='authenticated', tout=30, vers='1.0'
Sep 23 17:00:24 :124004:  <DBUG> |authmgr|   auth='MD5', key(32)='b379885e1e8d8554c01627b20af76f15'
Sep 23 17:00:24 :124032:  <WARN> |authmgr|  XML command=user_add (0) result='Error', error='unknown external agent'
Sep 23 17:08:13 :124004:  <DBUG> |authmgr|  RX (sock) message of type 50, len 1172 
Sep 23 17:08:13 :124030:  <INFO> |authmgr|  Received XML API cmd=user_add, agent=11.10.10.1 IP=172.16.0.254
Sep 23 17:08:13 :124004:  <DBUG> |authmgr|   IP=172.16.0.254, MAC=00:13:ce:eb:5b:c8, name='Aruba123'
Sep 23 17:08:13 :124004:  <DBUG> |authmgr|   role='authenticated', tout=30, vers='1.0'
Sep 23 17:08:13 :124004:  <DBUG> |authmgr|   auth='cleartext', key(7)='netcity'
Sep 23 17:08:13 :124032:  <WARN> |authmgr|  XML command=user_add (0) result='Error', error='unknown external agent'

This issue is resolved by mapping the XML API Server to the default AAA profile "default-xml-api" even though we may see this profile is not mapped to the Virtual AP Profile (VAP) under question.  Note that this configuration is required in addition to the AAA Profile configured for the VAP i.e the required sample configuration is as follow:

aaa xml-api server "11.10.10.1"
   key "aruba@xml123"

aaa profile "aaa-remote-xml2"
   initial-role "aruba-xml-role"
   authentication-dot1x "default"
   dot1x-server-group "radius-server"
   radius-accounting "radius-server"
   xml-api-server "11.10.10.1"

aaa profile default-xml-api   xml-api-server 11.10.10.1 <<<<<<<<<<<<<<<<<<<<

The "default-xml-api" is a special fallback AAA profile and it is needed for sending the XML-API command without Mac address in the content.  Generally, XML-API relies on the "mac-address" to identify the client and its aaa profile.  If the mac-address's aaa profile does NOT have XML-API-server, it ends up as unknown external agent.  Also, if there is no mac-address within the XML-API and this "default-xml-api" aaa profile is empty, it also returns "unknown external agent".

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.