Contributor I
Posts: 25
Registered: ‎06-27-2013

802.1x troubleshooting filter ID

Hi

Can anyone tell me which log will show the filter ID sent from a RADIUS server? If I view a user debug log, I can see that the client is authenticated and is assigned a VLAN via a server-derived rule, but I do not see the nitty-gritty of which ID was sent. I need this as I am working with a separate server management team and I want to show them exactly what the controller receives.

Thanks

Stewart

Guru Elite
Posts: 20,009
Registered: ‎03-29-2007

Re: 802.1x troubleshooting filter ID

Try this:

config t
logging level debugging security process authmgr
logging level debugging security subcat aaa

 Then type "show log security 50" to see the results.

Nov 6 04:59:18 :124105:  <DBUG> |authmgr|  MM: mac=70:56:81:b2:cc:15, state=5, name=employee, role=Byod-Authenticated, dev_type=OS X, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=1.
Nov 6 04:59:18 :124004:  <DBUG> |authmgr|  AUTH GSM: USER uuid(0x6), mac(70:56:81:b2:cc:15), name(employee), role(Byod-Authenticated), devtype(OS X), wired(0), auth_type(4), auth_subtype(9), encrypt_type(10), conn_port(0)
Nov 6 04:59:18 :124234:  <DBUG> |authmgr|  Tx message to Sibyte, blocking with ack, Opcode = 17, msglen = 204 action = 1
Nov 6 04:59:18 :124004:  <DBUG> |authmgr|  vlan_alloc_update (vlan_alloc.c:140): Vlan Alloc  usage ; usage=10 vlan 1
Nov 6 04:59:18 :124004:  <DBUG> |authmgr|  AUTH GSM: DELETE MAC user 70:56:81:b2:cc:15
Nov 6 04:59:18 :124090:  <DBUG> |authmgr|  Free macuser 0x0x106a620c and user 0x0x10590e8c for mac 70:56:81:b2:cc:15.
Nov 6 04:59:18 :124004:  <DBUG> |authmgr|  AUTH GSM: USER DELETE uuid(0x6)
Nov 6 04:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:76] Find Request: id=10, srv=192.168.1.32, fd=78
Nov 6 04:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:82]  Current entry: srv=192.168.1.32, fd=78
Nov 6 04:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:37] Del Request: id=10, srv=192.168.1.32, fd=78
Nov 6 04:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1029] Authentication Successful
Nov 6 04:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1031] RADIUS RESPONSE ATTRIBUTES:
Nov 6 04:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RADIUS_ID: \012 
Nov 6 04:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  Rad-Length: 20 
Nov 6 04:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RADIUS_CODE: \005 
Nov 6 04:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RAD_AUTHENTICATOR: \246\344t\273\364\305\003\020:|\227\351j\335Hi 
Nov 6 04:59:18 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=radius-accounting, server=cppm-192.168.1.32, user=70:56:81:b2:cc:15 
Nov 6 04:59:18 :124004:  <DBUG> |authmgr|  Auth server 'cppm-192.168.1.32' response=0

 

Colin Joseph
Aruba Customer Engineering
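
Added example (not part of the original posts, and not Aruba code): a small Python parser that pulls each "RADIUS RESPONSE ATTRIBUTES" block out of saved `show log security` output and decodes the octal escapes, so the received values can be handed to the server team. The first sample response is copied from the log above; the second, including the exact layout of its Filter-Id line, is constructed for illustration.

```python
import re

# Attribute lines look like: ... |aaa| [rc_api.c:1046]  Name: value
ATTR_RE = re.compile(r"\|aaa\|\s+\[rc_api\.c:\d+\]\s+([\w-]+): (.*?)\s*$")
START = "RADIUS RESPONSE ATTRIBUTES:"
CODES = {2: "Access-Accept", 3: "Access-Reject", 5: "Accounting-Response", 11: "Access-Challenge"}

def unescape(value):
    """Turn the log's octal escapes (e.g. \\012) back into raw bytes."""
    return re.sub(rb"\\([0-3][0-7]{2})",
                  lambda m: bytes([int(m.group(1), 8)]), value.encode("latin-1"))

def parse_responses(log_text):
    """Return one {attribute: raw bytes} dict per RADIUS response in the log."""
    responses, current = [], None
    for line in log_text.splitlines():
        if START in line:
            responses.append(current := {})
        elif current is not None and (m := ATTR_RE.search(line)):
            current[m.group(1)] = unescape(m.group(2))
        elif "|aaa|" not in line:
            current = None          # a non-aaa line ends the attribute block
    return responses

def summarize(resp):
    """Readable view of one response: numbers as ints, authenticator as hex."""
    out = {}
    for name, raw in resp.items():
        if name in ("PW_RADIUS_ID", "PW_RADIUS_CODE") and len(raw) == 1:
            out[name] = raw[0]
        elif name == "PW_RAD_AUTHENTICATOR":
            out[name] = raw.hex()
        else:
            out[name] = raw.decode("latin-1")
    out["code_name"] = CODES.get(out.get("PW_RADIUS_CODE"), "unknown")
    return out

# First response: lines from the log in the post. Second response: constructed.
SAMPLE = r"""
Nov 6 04:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1031] RADIUS RESPONSE ATTRIBUTES:
Nov 6 04:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RADIUS_ID: \012
Nov 6 04:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  Rad-Length: 20
Nov 6 04:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RADIUS_CODE: \005
Nov 6 04:59:18 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RAD_AUTHENTICATOR: \246\344t\273\364\305\003\020:|\227\351j\335Hi
Nov 6 04:59:18 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=radius-accounting
Nov 6 05:01:02 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1031] RADIUS RESPONSE ATTRIBUTES:
Nov 6 05:01:02 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  Filter-Id: test
Nov 6 05:01:02 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:1046]  PW_RADIUS_CODE: \002
"""
print([summarize(r) for r in parse_responses(SAMPLE)])
```

Decoded, the response in the posted log has ID 10 (matching `Find Request: id=10`) and code 5, an Accounting-Response, which is why it carries no Filter-Id.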

Contributor I
Posts: 25
Registered: ‎06-27-2013

Re: 802.1x troubleshooting filter ID

Thanks for the quick reply. Worked great.

MVP
Posts: 702
Registered: ‎03-25-2009

Re: 802.1x troubleshooting filter ID


So I thought I understood the logging level stuff.. however.. it seems I don't.

What weirds me out is that with both those commands you mentioned I do get the required output (filter-id returned).

I figured one of those debugs should warrant the same output as well but this seems incorrect.

 

This is what I tried to figure out exactly what command gives me the returned radius attributes. Each attempt I cleared the user-table so a new auth was triggered.

 

configure terminal logging level debugging security process authmgr
configure terminal logging level debugging security subcat aaa 
show log security all | include  Filter-Id  
=> Filter-Id: test 

configure terminal logging level debugging security process authmgr
configure terminal no logging level debugging security subcat aaa 
show log security all | include  Filter-Id  
=> NULL

configure terminal no logging level debugging security process authmgr
configure terminal logging level debugging security subcat aaa 
show log security all | include  Filter-Id  
=> NULL

configure terminal no logging level debugging security process authmgr
configure terminal no logging level debugging security subcat aaa 
configure terminal logging level debugging security
show log security all | include  Filter-Id  
=> NULL

configure terminal no logging level debugging security process authmgr
configure terminal no logging level debugging security subcat aaa 
configure terminal no logging level debugging security
configure terminal logging level debugging security process authmgr subcat aaa
show log security all | include  Filter-Id  
=> NULL

configure terminal no logging level debugging security process authmgr subcat aaa
configure terminal logging level debugging security process authmgr
configure terminal logging level debugging security subcat aaa
show log security all | include  Filter-Id
=> Filter-Id: test

Not what I expected.

So can anyone explain why I'm getting more (different?) output when having both logging debug levels active at the same time as opposed to the 'sum' of both used separately?

Koen (ACMX #351 | ACDX #547 | ACCP)

MVP
Posts: 702
Registered: ‎03-25-2009

Re: 802.1x troubleshooting filter ID

Anyone that can explain those results?

Koen (ACMX #351 | ACDX #547 | ACCP)
