# config term
# logging level debugging security process authmgr
# write mem
Then perform an XML query as a test from xml-server. When we have 3 or 4 times failure, we could check
“show log security all | include authmgr”
Example:
(Aruba) #show log security all | include authmgr
Sep 23 16:23:56 :124032: <WARN> |authmgr| XML command=user_add (0) result='Error', error='unknown external agent'
Sep 23 16:24:28 :124032: <WARN> |authmgr| XML command=user_add (0) result='Error', error='unknown external agent'
Sep 23 16:29:09 :124032: <WARN> |authmgr| XML command=user_add (0) result='Error', error='unknown external agent'
Sep 23 16:43:28 :124230: <DBUG> |authmgr| Rx message 14001/5221, length 219 from 127.0.0.1:8220
Sep 23 16:44:17 :124230: <DBUG> |authmgr| Rx message 1003/5, length 1016 from 127.0.0.1:8407
Sep 23 17:00:24 :124004: <DBUG> |authmgr| RX (sock) message of type 50, len 1172
Sep 23 17:00:24 :124030: <INFO> |authmgr| Received XML API cmd=user_add, agent=11.10.10.1 IP=172.16.0.254
Sep 23 17:00:24 :124004: <DBUG> |authmgr| IP=172.16.0.254, MAC=00:13:ce:eb:5b:c8, name='Aruba123'
Sep 23 17:00:24 :124004: <DBUG> |authmgr| role='authenticated', tout=30, vers='1.0'
Sep 23 17:00:24 :124004: <DBUG> |authmgr| auth='MD5', key(32)='b379885e1e8d8554c01627b20af76f15'
Sep 23 17:00:24 :124032: <WARN> |authmgr| XML command=user_add (0) result='Error', error='unknown external agent'
Sep 23 17:08:13 :124004: <DBUG> |authmgr| RX (sock) message of type 50, len 1172
Sep 23 17:08:13 :124030: <INFO> |authmgr| Received XML API cmd=user_add, agent=11.10.10.1 IP=172.16.0.254
Sep 23 17:08:13 :124004: <DBUG> |authmgr| IP=172.16.0.254, MAC=00:13:ce:eb:5b:c8, name='Aruba123'
Sep 23 17:08:13 :124004: <DBUG> |authmgr| role='authenticated', tout=30, vers='1.0'
Sep 23 17:08:13 :124004: <DBUG> |authmgr| auth='cleartext', key(7)='netcity'
Sep 23 17:08:13 :124032: <WARN> |authmgr| XML command=user_add (0) result='Error', error='unknown external agent'
This issue is resolved by mapping the XML API Server to the default AAA profile "default-xml-api" even though we may see this profile is not mapped to the Virtual AP Profile (VAP) under question. Note that this configuration is required in addition to the AAA Profile configured for the VAP i.e the required sample configuration is as follow:
aaa xml-api server "11.10.10.1"
key "aruba@xml123"
aaa profile "aaa-remote-xml2"
initial-role "aruba-xml-role"
authentication-dot1x "default"
dot1x-server-group "radius-server"
radius-accounting "radius-server"
xml-api-server "11.10.10.1"
aaa profile default-xml-api xml-api-server 11.10.10.1 <<<<<<<<<<<<<<<<<<<<
The "default-xml-api" is a special fallback AAA profile and it is needed for sending the XML-API command without Mac address in the content. Generally, XML-API relies on the "mac-address" to identify the client and its aaa profile. If the mac-address's aaa profile does NOT have XML-API-server, it ends up as unknown external agent. Also, if there is no mac-address within the XML-API and this "default-xml-api" aaa profile is empty, it also returns "unknown external agent".