12-16-2014 12:46 PM
Is there a way to collect client data from an Aruba Mobility Access switch that is not tunneled to the controller?
For example, I have my desktop connected to a port on my switch. I do not have it tunneling back to the controller (no need, since I am not doing authentication on the port). If I go into AirWave and type in my IP, it will not return my computer.
I do see my switches under APs/Devices, but I don't seem to get this info back.
Airwave Version 8.0.5
Access Switch S2500 Version 22.214.171.124
12-16-2014 01:19 PM
12-16-2014 01:24 PM
Ports are Trusted (the GUI says 'Enabled').
In AMP I do not see user data on the switches.
I wouldn't necessarily expect to see a username though, as devices on these ports would not be authenticating. I would expect the MAC of the device or something similar I suspect.
12-16-2014 04:22 PM
"Trusted" traffic is not collected or reported on, in general. Generally, you can expect reporting on traffic that is in the user table of a device. If it is not in the user table, it is trusted, and data is not aggregated in specific for that device.
Aruba Customer Engineering
12-17-2014 06:37 AM
So because it is trusted I do not receive any information about users?
I would expect to see at least a MAC address, as that's the lowest level I'd expect to be stored in a switch.
Is there any way to enable reporting on trusted traffic?
12-17-2014 07:50 AM
When a port is trusted, there is no authentication taking place so there are no "users". Effectively we are behaving like a traditional L2 switch. The MAC address table is read by AirWave but not exposed in the UI; this actually applies to all network devices in AirWave.
The only way to see "users" is to make the ports untrusted. Now if you just want to see the users but not do any type of user enforcement, you can put a simple AAA profile on the ports where the initial role is set to "authenticated".
12-17-2014 08:42 AM
I just want to clarify.
So there are two ways of doing this I can think of off the top of my head. The first is tunneling traffic to the controller so that I don't have to make any real changes to the switches (since Authenticated is already set up there for our RAPs).
The other way would be creating an AAA profile on the switch itself and applying that to the ports.
When I go in the GUI on the switch to Configuration > Authentication, it gets stuck saying "Please Wait...". Can you direct me to a CLI way of creating this profile on the switch?
12-17-2014 08:44 AM - edited 12-17-2014 08:47 AM
aaa profile <name>
   initial-role authenticated
!
interface-group gigabitethernet "ACCESS-PORTS"
   apply-to 0/0/1
   lldp-profile "LLDP-PROF-1"
   poe-profile "POE-PROFILE-1"
   switching-profile "ACCESS-10"
   aaa-profile <name>
   no trusted port
!
12-17-2014 08:47 AM
Yes, you could tunnel the traffic to the controller, but the easier solution, assuming all you want to know is where a device is plugged in, what its IP is, etc., would be to use the following:
aaa profile "SIMPLE-AUTH"
interface-group gigabitethernet "ACCESS-PORTS"
   no trusted port
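An added example, not part of the thread and not Aruba's code: a Python script that reads a saved switch configuration and lists the interface-groups that do not follow the recipe given above (untrusted port plus an AAA profile with an initial role), so their clients would not be expected to show up as users. It assumes sub-commands are indented under their stanza header and that a group is trusted unless it contains `no trusted port`; the function names and the groups "UPLINKS" and "LAB-PORTS" are made up for illustration.

```python
# Constructed sample in the thread's stanza layout; UPLINKS and LAB-PORTS are made-up groups.
SAMPLE_CONFIG = """\
aaa profile "SIMPLE-AUTH"
   initial-role authenticated
!
interface-group gigabitethernet "ACCESS-PORTS"
   apply-to 0/0/1
   aaa-profile "SIMPLE-AUTH"
   no trusted port
!
interface-group gigabitethernet "UPLINKS"
   apply-to 0/0/47
!
interface-group gigabitethernet "LAB-PORTS"
   apply-to 0/0/10
   no trusted port
!
"""

def parse_stanzas(text):
    """Map each unindented header line to its indented sub-commands (quotes dropped)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().replace('"', "")
        if not line or line == "!":
            continue
        if raw[0].isspace() and current is not None:
            stanzas[current].append(line)
        else:
            current = line
            stanzas[current] = []
    return stanzas

def audit_visibility(text):
    """Return {interface-group: reason} for groups that deviate from the thread's recipe."""
    stanzas, findings = parse_stanzas(text), {}
    prefix = "interface-group gigabitethernet "
    for header, body in stanzas.items():
        if not header.startswith(prefix):
            continue
        group = header[len(prefix):]
        profile = next((l.split(None, 1)[1] for l in body if l.startswith("aaa-profile ")), None)
        if "no trusted port" not in body:  # assumption: trusted unless negated
            findings[group] = "trusted port"
        elif profile is None:
            findings[group] = "untrusted, no aaa-profile applied"
        elif not any(l.startswith("initial-role ") for l in stanzas.get("aaa profile " + profile, [])):
            findings[group] = "aaa profile has no initial-role"
    return findings
```

Calling `audit_visibility(SAMPLE_CONFIG)` reports "UPLINKS" as trusted and "LAB-PORTS" as untrusted without an AAA profile, while "ACCESS-PORTS" passes.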