Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Show Datapath Session Translation

  • 1.  Show Datapath Session Translation

    Posted Jan 17, 2018 10:02 AM

    Hi,

    Can someone help me translate the following from the 'show session table' please?

    (ARUBA3600) #show datapath session verbose


    Datapath Session Table Entries
    ------------------------------

    Flags: F - fast age, S - src NAT, N - dest NAT
           D - deny, R - redirect, Y - no syn
           H - high prio, P - set prio, T - set ToS
           C - client, M - mirror, V - VOIP
           Q - Real-Time Quality analysis
           I - Deep inspect, U - Locally destined
           E - Media Deep Inspect, G - media signal
           r - Route Nexthop


    Session Index, Route/Cache Index, Agg. Version Number[SIDX SRTI SRCI SRTRCV]

    Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      SIDX     SRTI SRCI     SRTRCV   UsrIdx   UsrVer   AclVer   NhIdx    NhVer    Flags
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- -------- ---- -------- -------- -------- -------- -------- -------- -------- ---------------
    F4:0F:1B:F3:7F:03               2000              0/0     0    0   0   1/1         2    0          0          1bfe5    0    0        0        8        e94      0        0        0        F


    This is the MAC address of a switch interface connected to an untrusted port on an Aruba controller within a lab environment. This MAC address keeps showing up in ClearPass every 5-10 minutes within the Access Tracker and I'm trying to find out why, as the same problem is also occurring with our production ClearPass implementation.

    [Attachment: clearpass mac addresses.png]

    Cheers

    Shaun



  • 2.  RE: Show Datapath Session Translation

    EMPLOYEE
    Posted Jan 17, 2018 10:16 AM

    It looks like the AAA profile for your untrusted port has MAC authentication enabled and it is pointing at your RADIUS server.



  • 3.  RE: Show Datapath Session Translation

    Posted Jan 17, 2018 10:29 AM

    Sorry, that doesn't answer my question.

    Yes, you are right, that is exactly how this has been configured. But why do I see all of these attempts from the MAC address of the switch interface?

    Is this normal?



  • 4.  RE: Show Datapath Session Translation

    EMPLOYEE
    Posted Jan 17, 2018 10:50 AM

    If the switch itself is not sending any traffic on that untrusted interface for 5 to 10 minutes, it will disappear from the user table and will be challenged to reauthenticate again.  Is it normal?  I don't know what traffic that switch is passing that has a source address of its wired mac address...



  • 5.  RE: Show Datapath Session Translation

    Posted Jan 18, 2018 05:48 AM

    When I port-mirror both the Aruba untrusted interface and the Cisco interface there is no traffic, just BPDUs. There are no devices downstream of the switch; it's a completely isolated lab environment. The switch interface MAC address does not show up in the user table at all.

    My problem is related to this post: http://community.arubanetworks.com/t5/Wireless-Access/Using-default-VLAN-0/td-p/303677

    If you look at the ClearPass Access Tracker the event is occurring every 7.5 minutes. When I look at the logs on the controller, every 7.5 minutes I see the following error, followed by other errors regarding the MAC address in question:

    |authmgr| auth_send_vlan_usage_to_stm Sending STM wired vlan info: vlan 40, status DOWN

    |authmgr| Free macuser 0x0x10d470d4 and user 0x0x105cd9d4 for mac f4:0f:1b:f3:7f:03.


    Any ideas?
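To find devices that churn MAC authentication on a fixed cadence like the 7.5-minute pattern described above, here is an added example (not from the post or from HPE Aruba) that groups the |authmgr| 'Free macuser' messages by MAC and reports any MAC whose inter-event gaps are nearly constant. The log lines are constructed for the example: the message text follows the line quoted in the post, while the 'Mon DD HH:MM:SS' timestamp prefix and the second MAC address are assumptions. Because the assumed timestamp carries no year, the example does not handle a year rollover.

```python
"""Spot MACs that re-authenticate on a fixed period in ArubaOS authmgr logs.

Added example, not from the post or from HPE Aruba. SAMPLE_LOG is constructed:
the message body follows the |authmgr| line quoted in the post, the
"Mon DD HH:MM:SS" prefix is an assumed syslog timestamp format, and the
second MAC is made up to show a non-periodic device.
"""
import re
from datetime import datetime
from statistics import median
from typing import Dict, List

SAMPLE_LOG = """\
Jan 18 05:48:02 |authmgr| Free macuser 0x0x10d470d4 and user 0x0x105cd9d4 for mac f4:0f:1b:f3:7f:03.
Jan 18 05:50:10 |authmgr| Free macuser 0x0x10d47200 and user 0x0x105cdb00 for mac 00:11:22:33:44:55.
Jan 18 05:51:40 |authmgr| Free macuser 0x0x10d47200 and user 0x0x105cdb00 for mac 00:11:22:33:44:55.
Jan 18 05:55:32 |authmgr| Free macuser 0x0x10d470d4 and user 0x0x105cd9d4 for mac f4:0f:1b:f3:7f:03.
Jan 18 06:03:02 |authmgr| Free macuser 0x0x10d470d4 and user 0x0x105cd9d4 for mac f4:0f:1b:f3:7f:03.
Jan 18 06:10:32 |authmgr| Free macuser 0x0x10d470d4 and user 0x0x105cd9d4 for mac f4:0f:1b:f3:7f:03.
Jan 18 06:20:00 |authmgr| Free macuser 0x0x10d47200 and user 0x0x105cdb00 for mac 00:11:22:33:44:55.
"""

# One event per "Free macuser ... for mac <mac>" line: capture timestamp and MAC.
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) .*\|authmgr\| "
    r"Free macuser .* for mac (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_events(text: str) -> Dict[str, List[datetime]]:
    """Group event timestamps by lower-cased MAC, in log order."""
    events: Dict[str, List[datetime]] = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        # The assumed format has no year; strptime defaults to 1900, which is
        # fine for differences inside one year (rollover not handled here).
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.setdefault(m.group("mac").lower(), []).append(ts)
    return events


def analyse(events: Dict[str, List[datetime]], min_events: int = 3,
            tolerance: float = 0.05) -> Dict[str, dict]:
    """Per MAC: event count, median gap, worst deviation from it, and whether
    every gap stays within `tolerance` of the median (a fixed-period talker)."""
    result: Dict[str, dict] = {}
    for mac, times in events.items():
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        info = {"events": len(times), "period_s": None, "jitter_s": None,
                "periodic": False}
        if len(times) >= min_events:
            period = median(gaps)
            jitter = max(abs(g - period) for g in gaps)
            info.update(period_s=period, jitter_s=jitter,
                        periodic=jitter <= tolerance * period)
        result[mac] = info
    return result


def periodic_macs(events: Dict[str, List[datetime]], **kw) -> List[str]:
    """MACs worth checking for keepalive-style traffic on an untrusted port."""
    return sorted(mac for mac, info in analyse(events, **kw).items()
                  if info["periodic"])


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for mac, info in analyse(ev).items():
        print(mac, info)
    print("periodic:", periodic_macs(ev))
```

Feed it the controller's syslog instead of SAMPLE_LOG and the output is the list of MACs that are freed and re-learned on a clock, which is the set to port-mirror next; a device that shows up only occasionally, or fewer than three times, is left alone.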




  • 6.  RE: Show Datapath Session Translation

    EMPLOYEE
    Posted Jan 18, 2018 06:40 AM

    A device requires an IP address and MAC address to show up in the user table.  It looks like non-IP traffic is triggering the MAC authentication.  After the traffic stops, the MAC address ages out of the station table.  That is all I can tell from the information above.



  • 7.  RE: Show Datapath Session Translation
    Best Answer

    Posted Jan 18, 2018 08:21 AM

    Colin,

    Thanks for your persistence with me, I have now managed to track the traffic down.

    It was Configuration Test Protocol (loopback) causing the problem; when I turned CTP off using 'no keepalive' on the interface, the traffic no longer hit my untrusted interface.

    Thanks again for your help

    Cheers

    Shaun