04-23-2012 03:46 AM
When I run show user, I get different user state information even though the users are connected to the same SSID doing .1x.
What is the difference between these (8021x-User and 802.1x)? I also have this anounou user connecting to the CORP SSID.
I am really confused. Please help.
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ----
10.208.2.15 d0:df:9a:0c:9c:bf anounou authenticated 00:21:36 802.1x AAH_GF2_RAD_AP01 Wireless CORP/d8:c7:c8:83:2e:c0/g-HT CORP_AAA tunnel Win XP
10.208.3.12 74:de:2b:3b:0b:e3 comp\NRiju authenticated 00:01:16 802.1x AAH_1F2_ADMN_AP28 Wireless CORP/d8:c7:c8:83:3b:c0/g-HT CORP_AAA tunnel Win XP
10.208.4.11 1c:65:9d:84:70:2a host/037066DHD284217.comp.org.qa authenticated 07:18:37 8021x-Machine AAH_1F1_LIFT_AP43 Wireless CORP/d8:c7:c8:85:2d:00/g-HT CORP_AAA tunnel Windows
10.208.4.13 00:24:d7:60:e7:8c comp.ORG.QA\nramal authenticated 00:01:20 802.1x AAH_GF1_CR_AP18 Wireless CORP/d8:c7:c8:83:20:b0/a-HT CORP_AAA tunnel Win XP
10.208.4.15 d0:df:9a:0f:ea:67 comp.ORG.QA\cghariani authenticated 06:00:02 8021x-User AAH_GF3_PHRM_AP21 Wireless CORP/d8:c7:c8:87:63:20/g-HT CORP_AAA tunnel Win XP
10.208.5.11 08:86:3b:66:29:dd host/037065DHS313156.comp.org.qa authenticated 00:01:14 8021x-Machine AAH_GF2_RAD_AP01 Wireless CORP/d8:c7:c8:83:2e:d0/a-HT CORP_AAA tunnel Win XP
10.208.5.13 d0:df:9a:0c:9c:fc comp\relwahab authenticated 00:01:09 802.1x AAH_GF2_RAD_AP03 Wireless CORP/d8:c7:c8:83:30:80/g-HT CORP_AAA tunnel Win XP
10.208.5.14 08:86:3b:70:0a:2f rhussein1 authenticated 05:15:24 802.1x AAH_GF2_RAD_AP01 Wireless CORP/d8:c7:c8:83:2e:d0/a-HT CORP_AAA tunnel Win XP
Can you advise why these users are named in different ways?
04-23-2012 05:21 AM
802.1x means that both user and machine auth have passed.
802.1x-User means that the user authentication passed, but the controller did not see a valid machine auth within the machine auth cache timeout.
802.1x-Machine means that machine auth has passed, but a user has not yet logged in (notice the "host/" in front of the user name... that means the machine has logged into the WLAN).
Typically, the machine-only and user-only roles would be more restrictive than the role assigned if both pass. That way, a non-domain computer can't access all of the resources that a domain computer can. You have to balance that, however, with your need to support non-Windows machines, since they either can't join the domain or at least are more difficult to join to it.
04-30-2012 06:09 AM
I have one more question. The customer has both machine auth and user auth. What I found is that once the user logs off from the same desktop and logs in again as another user, the user status goes to Machine Auth, but even after a successful user authentication it still shows Machine Authenticated in the show user output on the controller. Once we delete the user from the controller, it shows the proper user that is authenticated on that PC.
Is there any config that needs to be rechecked?
04-30-2012 06:20 AM
I am not sure why that would happen. The controller should track the current status of the users. When a user logs out, the controller should show the host name as the user record (host/<machine name>), assuming that machine is part of your domain.
Once the second user logs in, the controller should update the user record with the correct name.
Do the roles have a VLAN set? Is it possible that you have BOTH the machine name and the user name in the user table? Do "show user | inc <mac of the client>" and see if you see both.
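Added example, not from the thread or from Aruba: a small Python audit of pasted show user output that encodes the three Auth values as the reply above explains them (802.1x = user and machine, 8021x-User = user only, 8021x-Machine = machine only), counts records per MAC (what the "show user | inc <mac>" check is looking for) and flags rows whose Name and Auth columns disagree. The sample rows, MACs, hostnames and AP names are constructed; it assumes, as in the thread's output, that the first six columns contain no spaces and the VPN link column is empty. A record that is merely stale (host/ name with 8021x-Machine after a second user has logged in) looks consistent in a single snapshot, so only a second record for the MAC or a Name/Auth contradiction can be detected this way.

```python
"""Audit Aruba `show user` output for 802.1X auth state (added example)."""
import re
from collections import Counter

# Meaning of the Auth column as explained in the thread.
AUTH_STATES = {
    "802.1x": "user+machine",         # both user and machine auth passed
    "8021x-User": "user-only",        # user passed, no valid machine auth in cache
    "8021x-Machine": "machine-only",  # machine passed, no user logged in yet
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Constructed sample in the layout of the thread's output (all values made up).
SAMPLE = r"""
IP          MAC                Name                    Role           Age(d:h:m)  Auth           VPN link  AP name  Roaming   Essid/Bssid/Phy               Profile   Forward mode  Type
----------  -----------------  ----                    ----           ----------  ----           --------  -------  -------   ---------------               -------   ------------  ----
10.0.2.15   00:11:22:33:44:01  corp\alice              authenticated  00:21:36    802.1x         AP01     Wireless  CORP/00:aa:bb:cc:dd:01/g-HT   CORP_AAA  tunnel        Win XP
10.0.2.16   00:11:22:33:44:02  corp\bob                authenticated  06:00:02    8021x-User     AP02     Wireless  CORP/00:aa:bb:cc:dd:02/g-HT   CORP_AAA  tunnel        Win XP
10.0.2.17   00:11:22:33:44:03  host/PC03.corp.example  authenticated  07:18:37    8021x-Machine  AP03     Wireless  CORP/00:aa:bb:cc:dd:03/a-HT   CORP_AAA  tunnel        Windows
10.0.2.18   00:11:22:33:44:04  host/PC04.corp.example  authenticated  00:01:14    8021x-Machine  AP04     Wireless  CORP/00:aa:bb:cc:dd:04/a-HT   CORP_AAA  tunnel        Win XP
10.0.2.18   00:11:22:33:44:04  corp\carol              authenticated  00:00:30    802.1x         AP04     Wireless  CORP/00:aa:bb:cc:dd:04/a-HT   CORP_AAA  tunnel        Win XP
10.0.2.19   00:11:22:33:44:05  corp\dave               authenticated  00:00:10    8021x-Machine  AP05     Wireless  CORP/00:aa:bb:cc:dd:05/g-HT   CORP_AAA  tunnel        Win XP
"""


def parse_show_user(text):
    """Return one dict per client row (ip, mac, name, role, age, auth, rest).

    Assumes the first six columns never contain spaces (IP, MAC, Name, Role,
    Age, Auth).  Header and separator lines are skipped because their second
    field is not a MAC address.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not MAC_RE.match(parts[1]):
            continue
        ip, mac, name, role, age, auth = parts[:6]
        rows.append({"ip": ip, "mac": mac.lower(), "name": name, "role": role,
                     "age": age, "auth": auth, "rest": " ".join(parts[6:])})
    return rows


def duplicate_macs(rows):
    """MACs with more than one record, i.e. what `show user | inc <mac>` would list twice."""
    counts = Counter(r["mac"] for r in rows)
    return sorted(m for m, n in counts.items() if n > 1)


def audit(text):
    """Classify each row and list the problems worth chasing on the controller."""
    rows = parse_show_user(text)
    per_mac = Counter(r["mac"] for r in rows)
    report = []
    for r in rows:
        state = AUTH_STATES.get(r["auth"], "unknown")
        is_host = r["name"].lower().startswith("host/")
        problems = []
        if state == "unknown":
            problems.append("unrecognised Auth value " + r["auth"])
        if state == "machine-only" and not is_host:
            problems.append("machine-only auth but a user name is shown")
        if state in ("user-only", "user+machine") and is_host:
            problems.append("host/ name although a user auth is recorded")
        if per_mac[r["mac"]] > 1:
            problems.append("MAC has %d entries in the user table" % per_mac[r["mac"]])
        report.append({"mac": r["mac"], "name": r["name"], "state": state,
                       "problems": problems})
    return report


def summarize(report):
    """Count clients per auth state; the user-only and machine-only ones are
    those a more restrictive role should be catching."""
    return dict(Counter(entry["state"] for entry in report))


if __name__ == "__main__":
    result = audit(SAMPLE)
    for entry in result:
        print(entry["mac"], entry["state"], entry["name"], "; ".join(entry["problems"]))
    print(summarize(result))
```

Paste the controller output into a file and feed it to audit() to get the same report for live data; any MAC reported with two entries is the case the reply above asks about, and a machine-only row carrying a user name is the kind of contradiction worth tracing with user-debug.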
04-30-2012 07:57 AM
Thanks for your prompt reply.
You are right: once the user logs out, the controller shows the user record as host/<machine name>, but when any other user logs in it does not change the status unless we do aaa user delete mac <machine name>.
We don't have any VLAN set on the role.
show user | inc <MAC> shows only one entry.
Really confused....
04-30-2012 08:42 AM
That is strange. I would turn on debugging (logging level debug user-debug <mac>) and watch to see what happens (the logs will be in "show log user-debug all"). Once you turn on debugging for that mac address, you will also see only that mac address in the "show auth-tracebuf" command. It can be useful to figure out things like this as well.
If you don't see anything out of the ordinary there, open a TAC case and see if they can get to the bottom of it.