Super Contributor I
Posts: 289
Registered: ‎02-07-2013

How to debug Authentication source

Hi,

Is there any way of enabling debugging of the use of an authentication source? I've created one that performs a simple mysql query to determine if a client is a locally managed machine ( select count(*) from mac_addresses where mac_address="%{Radius:IETF:Calling-Station-Id}" and  device_type_ptr=11).

When I use this in a WPA2-Enterprise service for a wireless lan, everything works and I can assign a local role via a role mapping (UoY Managed Machine) if count(*)=1.

I've just set up a similar service for wired authentication and everything almost works :-(( Even though I've specified the auth source and the db entry has the correct stuff in it, I don't seem to get the expected response ( count(*) = 0). I've triple-checked the db contents and compared the 2 services but can't see what's going wrong.

I'd like to see what CPPM is doing when it invokes the auth source, keeping any other debugging to a minimum if possible. Is this doable?

Rgds

Alex

Guru Elite
Posts: 8,212
Registered: ‎09-08-2010

Re: How to debug Authentication source

Is the MAC address the same format for both wired and wireless in the
calling-station-id?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor I
Posts: 289
Registered: ‎02-07-2013

Re: How to debug Authentication source

Yup, we've standardised on upper case hex pairs delimited by "-". Looking at the RADIUS inbound access request I can see it's in the correct format.

At this moment I don't know if it's actually calling the db, or passing the wrong info.

Guru Elite
Posts: 8,212
Registered: ‎09-08-2010

Re: How to debug Authentication source

Might be best to work with TAC to get the logs. You can turn on debugging
for the policy engine, but then you have to package up the logs. They can be
difficult to navigate.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 130
Registered: ‎06-11-2013

Re: How to debug Authentication source

If you are using MySQL you could also (temporarily) enable query logging, see: http://stackoverflow.com/questions/6479107/how-to-enable-mysql-query-log


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
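
The query-logging approach from the last reply, written out as an added example (not part of any poster's message): it sends the MySQL general log to the `mysql.general_log` table and filters for the `mac_addresses` lookup described in the first post. It assumes an account allowed to set global variables; the general log records every statement with its literal values, so the previous settings are restored at the end.

```sql
-- Added example. Run on the MySQL server that backs the authentication source.

-- Save the current logging settings so they can be restored afterwards.
SET @prev_general_log = @@GLOBAL.general_log;
SET @prev_log_output  = @@GLOBAL.log_output;

-- Log every statement to the mysql.general_log table instead of a file.
SET GLOBAL log_output  = 'TABLE';
SET GLOBAL general_log = 'ON';

-- Now trigger ONE wired authentication attempt, then inspect what arrived.
-- CONVERT() is used because the argument column is a BLOB on newer versions.
SELECT event_time,
       user_host,
       command_type,
       CONVERT(argument USING utf8mb4) AS statement
FROM   mysql.general_log
WHERE  CONVERT(argument USING utf8mb4) LIKE '%mac_addresses%'
ORDER  BY event_time DESC
LIMIT  20;

-- Reading the result:
--   no rows -> the lookup never reached this server during the attempt
--   rows    -> compare the literal value substituted for
--              %{Radius:IETF:Calling-Station-Id} with the stored mac_address
--              (case, delimiter, surrounding whitespace)

-- Restore the previous settings; the log contains client identifiers.
SET GLOBAL general_log = @prev_general_log;
SET GLOBAL log_output  = @prev_log_output;
```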