09-28-2012 06:45 AM
We used to get log messages indicating user authentication success/failure from our controllers. At some point in the past this stopped, and I need to figure out how to restart it. I figured it would be easy, but the Aruba manual entry on logging is singularly unhelpful in telling you what gets logged inside what category.
I know the messages used to come with the "authmgr" tag on them and I found this COD from 2010
However I have not been able to get logging configured so that a "show log user 100" shows me users authenticating. Lots of messages sure, but not the ones I need.
# show logging level verbose LOGGING LEVELS -------------- Facility Level Sub Category Process -------- ----- ------------ ------- network warnings N/A N/A security warnings N/A N/A security debugging N/A authmgr system warnings N/A N/A user warnings N/A N/A wireless warnings N/A N/A
This config doesn't appear to work. I'm checking first on the controller, not just on the syslog server.
The messages I want used to look like this :
Oct 8 06:34:48 example.com 2010 [22.214.171.124] authmgr: <522008> |authmgr| User authenticated: Name=zzzzz MAC=00:00:00:00:00:00 IP=x.x.x.x method=802.1x server=radius-server role=defintely-authenticated
Anyone else have user auth logging set up and want to share their logging statements, or does this work for everyone else and I need to open a TAC case to investigate....
09-28-2012 07:03 AM
(you want show log security 50)
(host) #show logging level verbose LOGGING LEVELS -------------- Facility Level Sub Category Process -------- ----- ------------ ------- network warnings N/A N/A security warnings N/A N/A system warnings N/A N/A user warnings N/A N/A wireless warnings N/A N/A (host) #configure t Enter Configuration commands, one per line. End with CNTL/Z (host) (config) #logging level debugging security process authmgr (host) (config) #exit (host) #show log security 50
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
09-28-2012 08:10 AM
Yes that gives me the logs for authmgr. Apparently somewhere in the 6.x upgrade from 5.x, the logging messages changed because even setting the severity to DEBUG doesn't produces the "User Authenticated" messages we saw previously.
I found something sort of similar at the INFO level, but the verbosity of the logs on a busy controller at INFO is voluminous. 450+ messages/minute.
Its too bad becasue we had support staff trained to look in log dumps for those messages to help diagnose problems.