Controllerless Networks

Occasional Contributor I

Best Practice to do Client Forensic in Guest-WLAN

Hi all,


I am searching for best practice recommendations when doing forensic for guest clients which authenticated via selfregistration on the web based Aruba Guest Portal.

I would like to be able to track from given information (e.g accessed public IP address within a time range) to the guest account with which the client did authenticate at the guest portal. My guests can register themselve, using a mobile phone number.


As long as the client is still connected to the network, I can track back quite easy. I am able to find out the used guest account and also the APs to which it is / was connected just by using the Aruba Central UI.


But I was yet unable to find a way when the client has already disconnected from the network, e.g. I do the forensic several days later.

Due to the used setup, the guest WLAN is directly connected to a firewall which is also administrated by myself. My local APs are grouped together using an Virtual Controller. Therefore, using the firewall logs I am able to find out the internal IP address and the MAC address of the offending client. But where is the information stored to map from there to a selfregistered guest account? 

I have already started to collect syslog messages from the APs, but there is no log entry when the client has sucessfully authenticated. I only see here MAC addresses, no IP addressen.

Even if I would periodically collect the output of "show clients" on the VC, I would not be able to see which guest account was used for authenticating at the Aruba web based guest portal.


What am I missing? Or is this just not possible?


Thanks for your help,


Search Airheads
Showing results for 
Search instead for 
Did you mean: