Wireless Access

I notice a difference in the numbers of users between these two commands

When "show ap association ap-name 128.9.6" is entered it returns "Num Clients:58

When "show user location 128.9.6" is entered it returns "User Entries: 9/9"

These numbers vary greatly for any ap I issue them on.

It looks like the user density numbers in the controller monitoring GUI  and Airwave are based on the association numbers.  I have surveyed and the "show user" command provides the accurate numbers.  The ap association numbers are apparently stale and some of the associations that show association times of hours to days have apparently long since gone away.  If i search for the user mac address it cannot be found anywhere except in the association table.  This skews our user numbers way out of proportion.  Is something wrong or am I simply looking at this wrong?

As per my understanding,

AP association may show you some clients which are just associated to the AP but did not pass authentication (for e.g. dot1x or PSK).

User-table will show you the clients once they pass L2 auth and received IP address. 

You should check for "show ap debug client-table ap-name <ap-name>" command, which should match User-table entries for that AP if I am not wrong.

I tried that and it does match the "show user location" command, but, the "show ap association ap-name" shows clients that have been associated for hours (and the association timers are incrementing) that are simply not out there.  It really looks like the association tables don't always update.

I am having a similar issue that from the sounds of it, is probably related, when i run the show ap association command it says i have 0 clients.  If i go into the web interface it says i have 4 clients on that AP.  Something is not adding up and i am trying to figure out why.

Edit: after posting this i tried running the ap debug client-table command as suggested in this thread.  it dies show the 4 connections to the AP.  what is the difference in these commands?  It looks like Airwave is using the ap associations command because it shows no users.  is this really accurate?

What ArubaOS version are you running?

Also, do you have dos-prevention enabled under your "virtual-ap" profile?

I am running 6.1.3.0.  i am curius if the original poster is running something similar.

i do not have DOS-prevention enabled.

---

@mwallen wrote:

I am running 6.1.3.0.  i am curius if the original poster is running something similar.

 

i do not have DOS-prevention enabled.

---

Please open a TAC case for this issue. 

Thanks,

--

HT

We are on 6.1.2.2,

Any progress with the same issue? We are using 6.1.2.4 on our cotrollers.

Can anyone of you please open the TAC ticket for faster resolution and provide the ticket number here?

Debugging the issue on this forum may not be possible and take longer time. Once we figure out the issue, we can put solution on this thread too...

i have opened a case and am working with Aruba.  If i get any information i will post it.

I am opening a ticket today!

Well, when we disabled "DoS Prevention" in Virtual AP profiles, the numbers start to match ;-)

We definetely can observe, now, that the number of associated clients per an access point is not accummulating.

Both commands: #show ap association ap-name <AP_NAME> and #show user location <AP_NAME> show matching numbers.

Our software version: AOS-W 6.1.2.4, Build number:30768

In  ArubaOS 6.1 UG, there is definition of how "DoS Prevention" works:

"If enabled, APs ignore deauthentication frames from clients. This prevents a successful
deauthorization attack from being carried out against the AP. This does not affect thirdparty
APs. Default: Disabled"

So, question now: is it the bug in 6.1.x.x ? We wish this feature will be enabled, coz our WIP on our controlles detects a number of

"Block ACK DoS Attacks" and "Power Save DoS Attacks".

---

@malik wrote:

Well, when we disabled "DoS Prevention" in Virtual AP profiles, the numbers start to match ;-)

We definetely can observe, now, that the number of associated clients per an access point is not accummulating.

Both commands: #show ap association ap-name <AP_NAME> and #show user location <AP_NAME> show matching numbers.

Our software version: AOS-W 6.1.2.4, Build number:30768

In  ArubaOS 6.1 UG, there is definition of how "DoS Prevention" works:

"If enabled, APs ignore deauthentication frames from clients. This prevents a successful
deauthorization attack from being carried out against the AP. This does not affect thirdparty
APs. Default: Disabled"

So, question now: is it the bug in 6.1.x.x ? We wish this feature will be enabled, coz our WIP on our controlles detects a number of

"Block ACK DoS Attacks" and "Power Save DoS Attacks".

 

---

Any update on this after changing the IDS profile setting?