Occasional Contributor I
Posts: 7
Registered: ‎04-18-2012

Difference between 8021x-User and 802.1x

Hi 

 

When I see show user, I get different user state information even though the users are connected to the same SSID doing .1x.

Authentication

 

What is the difference between these (8021x-User and 802.1x), once I have this Anounou user also connecting to the CORP SSID?

 

I am really confused. Please help.

 

 

 

Users
-----
    IP            MAC            Name                            Role           Age(d:h:m)  Auth           VPN link  AP name            Roaming   Essid/Bssid/Phy                  Profile       Forward mode  Type
----------   ------------       ------                           ----           ----------  ----           --------  -------            -------   ---------------                  -------       ------------  ----
10.208.2.15  d0:df:9a:0c:9c:bf  anounou                          authenticated  00:21:36    802.1x                   AAH_GF2_RAD_AP01   Wireless  CORP/d8:c7:c8:83:2e:c0/g-HT  CORP_AAA  tunnel        Win XP
10.208.3.12  74:de:2b:3b:0b:e3  comp\NRiju                        authenticated  00:01:16    802.1x                   AAH_1F2_ADMN_AP28  Wireless  CORP/d8:c7:c8:83:3b:c0/g-HT  CORP_AAA  tunnel        Win XP
10.208.4.11  1c:65:9d:84:70:2a  host/037066DHD284217.comp.org.qa  authenticated  07:18:37    8021x-Machine            AAH_1F1_LIFT_AP43  Wireless  CORP/d8:c7:c8:85:2d:00/g-HT  CORP_AAA  tunnel        Windows
10.208.4.13  00:24:d7:60:e7:8c  comp.ORG.QA\nramal                authenticated  00:01:20    802.1x                   AAH_GF1_CR_AP18    Wireless  CORP/d8:c7:c8:83:20:b0/a-HT  CORP_AAA  tunnel        Win XP
10.208.4.15  d0:df:9a:0f:ea:67  comp.ORG.QA\cghariani             authenticated  06:00:02    8021x-User               AAH_GF3_PHRM_AP21  Wireless  CORP/d8:c7:c8:87:63:20/g-HT  CORP_AAA  tunnel        Win XP
10.208.5.11  08:86:3b:66:29:dd  host/037065DHS313156.comp.org.qa  authenticated  00:01:14    8021x-Machine            AAH_GF2_RAD_AP01   Wireless  CORP/d8:c7:c8:83:2e:d0/a-HT  CORP_AAA  tunnel        Win XP
10.208.5.13  d0:df:9a:0c:9c:fc  comp\relwahab                     authenticated  00:01:09    802.1x                   AAH_GF2_RAD_AP03   Wireless  CORP/d8:c7:c8:83:30:80/g-HT  CORP_AAA  tunnel        Win XP
10.208.5.14  08:86:3b:70:0a:2f  rhussein1                         authenticated  05:15:24    802.1x                   AAH_GF2_RAD_AP01   Wireless  CORP/d8:c7:c8:83:2e:d0/a-HT  CORP_AAA  tunnel        Win XP

 

 

Can you advise why these users are named in different ways?

 

 

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Difference between 8021x-User and 802.1x

802.1x means that both user and machine auth has passed.

 

802.1x-User means that the user authentication passed, but the controller did not see a valid machine auth within the machine auth cache timeout.

 

802.1x-Machine means that machine auth has passed, but a user has not yet logged in (notice the "host/" in front of the user name... that means the machine has logged into the WLAN).

 

Typically, the machine and user only roles would be more restrictive than the role assigned if both pass.  That way, a non-domain computer can't access all of the resources that a domain computer can.  You have to balance that, however, with your need to support non-Windows machines, since they either can't or at least are more difficult to join the domain.
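
An added example, not part of the original thread and not Aruba code: a small Python audit of "show user" output that tallies the Auth column using the meanings given in the reply above and lists the user-only sessions whose role restrictions deserve a look. The sample rows, MACs and names are constructed, and the "host/" name check is an assumption drawn from that reply.

```python
import re
from collections import Counter

# Constructed sample rows in the column layout of the "show user" output above.
SAMPLE = """\
10.0.0.11  02:00:00:00:00:01  EXAMPLE\\alice         authenticated  00:01:16  802.1x         AP01  Wireless  CORP/02:00:00:aa:00:01/g-HT  CORP_AAA  tunnel  Win XP
10.0.0.12  02:00:00:00:00:02  host/pc01.example.org  authenticated  07:18:37  8021x-Machine  AP02  Wireless  CORP/02:00:00:aa:00:02/g-HT  CORP_AAA  tunnel  Windows
10.0.0.13  02:00:00:00:00:03  EXAMPLE\\bob           authenticated  06:00:02  8021x-User     AP03  Wireless  CORP/02:00:00:aa:00:03/g-HT  CORP_AAA  tunnel  Win XP
10.0.0.14  02:00:00:00:00:04  EXAMPLE\\carol         authenticated  00:00:09  8021x-Machine  AP01  Wireless  CORP/02:00:00:aa:00:04/a-HT  CORP_AAA  tunnel  Win XP
"""

# IP, MAC, Name, Role, Age and Auth are the first six whitespace-separated fields.
ROW = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<name>\S+)\s+(?P<role>\S+)\s+(?P<age>\d\d:\d\d:\d\d)\s+(?P<auth>\S+)",
    re.IGNORECASE,
)

# Meanings as stated in the reply above.
MEANING = {
    "802.1x": "user and machine auth both passed",
    "8021x-User": "user auth passed, no valid machine auth in cache",
    "8021x-Machine": "machine auth passed, no user logged in yet",
}

def parse(text):
    """Return one dict per data row; header and separator lines are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def audit(rows):
    """Tally Auth states, list user-only MACs, and list name/Auth mismatches."""
    counts = Counter(r["auth"] for r in rows)
    user_only = [r["mac"] for r in rows if r["auth"] == "8021x-User"]
    # Assumption: a "host/" name should appear exactly when Auth is 8021x-Machine.
    mismatched = [r["mac"] for r in rows
                  if r["name"].lower().startswith("host/") != (r["auth"] == "8021x-Machine")]
    return counts, user_only, mismatched

if __name__ == "__main__":
    counts, user_only, mismatched = audit(parse(SAMPLE))
    for auth, n in counts.items():
        print(f"{auth:14} {n}  {MEANING.get(auth, 'not covered by the reply')}")
    print("user-only sessions:", user_only)
    print("name/auth mismatch:", mismatched)
```
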

Occasional Contributor I
Posts: 7
Registered: ‎04-18-2012

Re: Difference between 8021x-User and 802.1x

Thanks Olino,

 

I have one more question. The customer has both machine auth and user auth, and what I found is that once the user logs off from the same desktop and logs in again as another user, the user status goes to machine auth, but after the successful user authentication it still shows machine authenticated in the show user output on the controller. Once we delete the user from the controller, it shows the proper user who is authenticated on that PC.

 

Is there any config that needs to be rechecked?

 

Thanks

BR

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Difference between 8021x-User and 802.1x

I am not sure why that would happen.  The controller should track the current status of the users.  When a user logs out, the controller should show the host name as the user record (host/<machine name>), assuming that machine is part of your domain.

 

Once the second user logs in, the controller should update the user record with the correct name.

 

Do the roles have a VLAN set?  Is it possible that you have BOTH the machine name and the user name in the user table?  Do "show user | inc <mac of the client>" and see if you see both.

Occasional Contributor I
Posts: 7
Registered: ‎04-18-2012

Re: Difference between 8021x-User and 802.1x

Thanks for your prompt reply.

 

 

You are right, once the user logs out the controller shows the user record like this (host/<machine name>), but when any other user logs in it does not change the status unless we do aaa user delete mac machine name.

 

 

Don't have any VLAN set in the role.

 

Show user | inc <mac> shows only one entry.

 

Really confused ....

 


 

Thanks

BR

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Difference between 8021x-User and 802.1x

That is strange.  I would turn on debugging (logging level debug user-debug <mac>) and watch to see what happens (the logs will be in "show log user-debug all").  Once you turn on debugging for that mac address, you will also see only that mac address in the "show auth-tracebuf" command.  It can be useful to figure out things like this as well.

 

If you don't see anything out of the ordinary there, open a TAC case and see if they can get to the bottom of it.
