Is there a way to collect client data from an Aruba Mobility Access switch that is not tunneled to the controller?
For example, I have my desktop connected to a port on my switch. I do not have it tunneling back to the controller (no need, since I am not doing authentication on the port). If I go into Airwave and type in my IP, it will not return my computer.
I do see my switches under APs/Devices, but I don't seem to get this info back.
Airwave Version 8.0.5
Access Switch S2500 Version 18.104.22.168
Are your ports trusted or untrusted?
When you look at the switch in AMP, do you see users listed?
Ports are Trusted (the GUI says 'Enabled').
In AMP I do not see user data on the switches.
I wouldn't necessarily expect to see a username though, as devices on these ports would not be authenticating. I would expect the MAC of the device or something similar I suspect.
"Trusted" traffic is not collected or reported on, in general. Generally, you can expect reporting on traffic that is in the user table of a device. If it is not in the user table, it is trusted, and data is not aggregated in specific for that device.
So because it is trusted, I do not receive any information about users?
I would expect to see at least a MAC address, as that's the lowest level I'd expect to be stored in a switch.
Is there any way to enable reporting on trusted traffic?
When a port is trusted, there is no authentication taking place, so there are no "users". Effectively we are behaving like a traditional L2 switch. The MAC address table is read by Airwave but not exposed in the UI; this actually applies to all network devices in Airwave.
The only way to see "users" is to make the ports untrusted. Now if you just want to see the users but not do any type of user enforcement, you can put a simple AAA profile on the ports where the initial role is set to "authenticated".
That's actually a brilliant idea. I had not thought about that as an option. That should suit my needs well.
Thanks for your help!
I just want to clarify.
So there are two ways of doing this I can think of off the top of my head. The first is tunneling traffic to the controller so that I don't have to make any real changes to the switches (since Authenticated is already set up there for our RAPs).
The other way would be creating an AAA profile on the switch itself and applying that to the ports.
When I go in the GUI on the switch to Configuration > Authentication, it gets stuck saying "Please Wait...". Can you direct me to a CLI way of creating this profile on the switch?
aaa profile <name>
interface-group gigabitethernet "ACCESS-PORTS"
no trusted port
Yes, you could tunnel the traffic to the controller, but the easier solution, assuming all you want to know is where a device is plugged in, what its IP is, etc., would be to use the following:
!
aaa profile "SIMPLE-AUTH"
   initial-role "authenticated"
!
interface-group gigabitethernet "ACCESS-PORTS"
   apply-to 0/0/0-0/0/23
   aaa-profile "SIMPLE-AUTH"
   no trusted port
!
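As an added example (not from the thread or from Aruba): a short Python audit that reads a switch config and reports which ports would still show no users in AirWave, following the explanation above that only untrusted ports carrying an AAA profile populate the user table. It parses only the statements shown in the thread; the port list passed in, and the rule that a port outside every interface-group stays trusted, are assumptions.

```python
import re

# Constructed sample: the config from the thread, one statement per line.
SAMPLE_CONFIG = '''!
aaa profile "SIMPLE-AUTH"
   initial-role "authenticated"
!
interface-group gigabitethernet "ACCESS-PORTS"
   apply-to 0/0/0-0/0/23
   aaa-profile "SIMPLE-AUTH"
   no trusted port
!
'''

def expand_ports(spec):
    """Expand '0/0/0-0/0/23' (or a single '0/0/5') into individual port names."""
    start, _, end = spec.partition("-")
    prefix, first = start.rsplit("/", 1)
    last = (end or start).rsplit("/", 1)[1]
    return [f"{prefix}/{n}" for n in range(int(first), int(last) + 1)]

def audit(config, all_ports):
    """Map each port to (untrusted, aaa_profile, initial_role)."""
    roles, groups = {}, []
    for block in re.split(r"(?m)^![ \t]*$", config):   # '!' lines separate stanzas
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        head, *body = lines or [""]
        if m := re.fullmatch(r'aaa profile "(.+)"', head):
            role = [r.group(1) for l in body
                    if (r := re.fullmatch(r'initial-role "(.+)"', l))]
            roles[m.group(1)] = role[0] if role else None
        elif head.startswith("interface-group gigabitethernet "):
            prof = [p.group(1) for l in body
                    if (p := re.fullmatch(r'aaa-profile "(.+)"', l))]
            ports = [x for l in body if l.startswith("apply-to ")
                     for x in expand_ports(l.split()[1])]
            groups.append((ports, prof[0] if prof else None,
                           "no trusted port" in body))
    # Assumption: a port outside every interface-group keeps the trusted default.
    result = {p: (False, None, None) for p in all_ports}
    for ports, prof, untrusted in groups:
        result.update({p: (untrusted, prof, roles.get(prof))
                       for p in ports if p in result})
    return result

def invisible_ports(config, all_ports):
    """Ports whose clients will not appear as users (still trusted, or no AAA profile)."""
    return [p for p, (untrusted, prof, _) in audit(config, all_ports).items()
            if not (untrusted and prof)]
```

Pass the switch's full port list as `all_ports`; anything returned by `invisible_ports` is a port where connected devices will not be listed as users.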