Regular Contributor I
Posts: 236
Registered: ‎04-03-2007

dual entries for each 802.1x connection

We're seeing dual entries logged for each successful 802.1x connection. One entry is from an RFC private IP (typically 169.x.x.x but also 192.168.x.x) and the other is from our routed IP address space (a.k.a. the "expected" IP address). The time stamps are nearly identical (tenth of a second apart). A 'sh user' reveals that the user indeed has two active entries on the same local controller and on the same AP.

Has anyone else seen this? We know that with 802.1x the client can't request an IP until successful authentication. Is the client getting auth'd on their "current" IP, then auth'd again on their new IP? Can anything be done about this?

Details below.

Thanks,
Mike


syslog_server# tail -f NET-local0-20091027 | grep 522008
Oct 27 14:07:02 2009 authmgr: <522008> |authmgr| User authenticated: Name=szan MAC=00:14:a5:7b:8e:ae IP=169.254.8.82 method=802.1x server=radsrv3 role=authenticated-802.1x

Oct 27 14:07:03 2009 authmgr: <522008> |authmgr| User authenticated: Name=szan MAC=00:14:a5:7b:8e:ae IP=128.119.77.157 method=802.1x server=radsrv3 role=authenticated-802.1x

--------------------------------------------------------
(lgrc-wac-106-4) #show user-table name szan
Users
-----
IP              MAC                Name  Role                  Age(d:h:m)  Auth    VPN link  AP name       Roaming     Essid/Bssid/Phy                     Profile
--------------  -----------------  ----  --------------------  ----------  ------  --------  ------------  ----------  ----------------------------------  ------------
169.254.8.82    00:14:a5:7b:8e:ae  szan  authenticated-802.1x  00:00:00    802.1x            NRSA-A407H-1  Associated  UMASS-SECURE1X/00:1a:1e:a4:6e:01/g  UMASS-SECURE
128.119.77.157  00:14:a5:7b:8e:ae  szan  authenticated-802.1x  00:00:00    802.1x            NRSA-A407H-1  Associated  UMASS-SECURE1X/00:1a:1e:a4:6e:01/g  UMASS-SECURE
Guru Elite
Posts: 20,017
Registered: ‎03-29-2007

user-table

Mike,

Each "user" in the table is considered a unique IP to mac address mapping. The first user was created when the client did not get an IP address initially and will be aged out of the table. The second user will persist. To not see these users, you can do a "show user-table unique", or use the "validuser" acl to correct this. Please see this post here: http://airheads.arubanetworks.com/vBulletin/showthread.php?t=1447
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Regular Contributor I
Posts: 236
Registered: ‎04-03-2007

Re: dual entries for each 802.1x connection

Thanks Colin,

Looking at the referred post, does this mean the 1918 IP addresses we're seeing are likely from the wired NIC on that device, and that the wired NIC is connected? Or is it that the client didn't complete the 802.1x auth process before the OS doled out a local IP? Or possibly both?

In any event I will explore using the 'validuser' ACL to prevent these unwanted sessions from entering the user table.

Mike
Guru Elite
Posts: 20,017
Registered: ‎03-29-2007

Leaks

Mike,

Windows "leaks" traffic from all interfaces through the wireless interface, so that could easily be VMWARE interfaces, as well. The Validuser ACL would be the easiest way to keep these entries out of the user table.
Colin Joseph
Aruba Customer Engineering

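As an added illustration of Colin's two replies above (each user-table entry is one IP-to-MAC mapping, and a validuser ACL is what keeps the link-local and leaked-interface mappings out of the table), the script below is not part of this thread or of ArubaOS. It parses authmgr <522008> syslog lines of the shape Mike posted, groups them by MAC, and evaluates each IP against a first-match-wins rule list modelled on a validuser ACL. The sample log lines are constructed (the szan lines mirror the thread; the jdoe and asmith lines are made up), and the rule list is a hypothetical one: whether 192.168/16 belongs in the deny list depends on whether your own wireless DHCP scopes use it, which in this thread they do not (the expected addresses are routed 128.119/16).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log, modelled on the authmgr <522008> lines in the thread.
# The szan pair is the thread's own case (link-local first, routed IP a second later);
# the jdoe pair shows an RFC 1918 address leaked from another interface; asmith is clean.
SAMPLE_LOG = """\
Oct 27 14:07:02 2009 authmgr: <522008> |authmgr| User authenticated: Name=szan MAC=00:14:a5:7b:8e:ae IP=169.254.8.82 method=802.1x server=radsrv3 role=authenticated-802.1x
Oct 27 14:07:03 2009 authmgr: <522008> |authmgr| User authenticated: Name=szan MAC=00:14:a5:7b:8e:ae IP=128.119.77.157 method=802.1x server=radsrv3 role=authenticated-802.1x
Oct 27 14:09:10 2009 authmgr: <522008> |authmgr| User authenticated: Name=jdoe MAC=00:1c:b3:aa:bb:cc IP=192.168.56.1 method=802.1x server=radsrv3 role=authenticated-802.1x
Oct 27 14:09:10 2009 authmgr: <522008> |authmgr| User authenticated: Name=jdoe MAC=00:1c:b3:aa:bb:cc IP=128.119.77.201 method=802.1x server=radsrv3 role=authenticated-802.1x
Oct 27 14:12:44 2009 authmgr: <522008> |authmgr| User authenticated: Name=asmith MAC=00:21:6a:11:22:33 IP=128.119.77.210 method=802.1x server=radsrv3 role=authenticated-802.1x
"""

# Matches the fields we need from a "User authenticated" line.
AUTH_RE = re.compile(r"<522008>.*?Name=(?P<name>\S+) MAC=(?P<mac>\S+) IP=(?P<ip>\S+)")

# Hypothetical validuser-style ACL, evaluated top-down, first match wins.
# 169.254/16 is the APIPA/link-local range the thread's first entry came from;
# 192.168/16 is only safe to deny if the wireless DHCP scopes never hand it out.
VALIDUSER_ACL = [
    (ipaddress.ip_network("127.0.0.0/8"), "deny"),
    (ipaddress.ip_network("169.254.0.0/16"), "deny"),
    (ipaddress.ip_network("192.168.0.0/16"), "deny"),
    (ipaddress.ip_network("224.0.0.0/4"), "deny"),
    (ipaddress.ip_network("0.0.0.0/0"), "permit"),
]


def validuser_action(ip):
    """Return 'permit' or 'deny' for one IP under VALIDUSER_ACL (implicit deny)."""
    addr = ipaddress.ip_address(ip)
    for net, action in VALIDUSER_ACL:
        if addr in net:
            return action
    return "deny"


def parse_auth_events(text):
    """Extract (mac, name, ip) from every authmgr 522008 line in the log text."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append((m["mac"], m["name"], m["ip"]))
    return events


def classify_users(text):
    """Group authentications by MAC (each IP-to-MAC pair is one user-table entry)
    and sort the IPs into those the ACL would admit and those it would drop.
    Returns {mac: {"permit": [ips], "deny": [ips]}}."""
    result = defaultdict(lambda: {"permit": [], "deny": []})
    for mac, _name, ip in parse_auth_events(text):
        result[mac][validuser_action(ip)].append(ip)
    return dict(result)


def duplicate_macs(text):
    """MACs that produced more than one user-table entry, the symptom in the thread."""
    users = classify_users(text)
    return sorted(mac for mac, v in users.items() if len(v["permit"]) + len(v["deny"]) > 1)


if __name__ == "__main__":
    for mac, v in classify_users(SAMPLE_LOG).items():
        print(mac, "admitted:", v["permit"], "dropped by validuser:", v["deny"])
    print("MACs with dual entries:", duplicate_macs(SAMPLE_LOG))
```

Run it against a day's NET-local0 file instead of SAMPLE_LOG to get the list of MACs that double up and the exact prefixes the leaked entries come from; that list is what decides which deny lines your validuser ACL actually needs, rather than denying all of RFC 1918 blindly.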
Regular Contributor I
Posts: 236
Registered: ‎04-03-2007

Re: dual entries for each 802.1x connection

Thanks Colin!