Security

Hello,  This is probably more of a venting post than anything, perhaps I'm looking for a retort / ammo / suggestion to the snarky comments I keep hearing from a co-worker. History:  There is a single laptop in our 10s of thousands of laptops that won't connect to wifi to our enterprise wifi (802.1x).  The computer technician reimaged the machine twice, did some AD tweaks, etc but still can't get it to connect to our 802.1x wifi.  When they are attempting to connect to the 802.1x wifi I don't even seen the wifi mac associating at all to the wireless AP (but there are other 802.1x clients on the same wap).   The technician tried an open ssid that we have for testing and could connect the laptop to that successfully.  I asked if they could please try another wifi nic card as a test.  They did and were able to connect to our enterprise wifi just fine on that USB wifi nic test.  So I said sounds like a problem with the onboard wifi nic.  But the guy just doesn't want to let it go, saying well it connects to the open wifi fine, he's saying that he thoerizes somehow the wifi mac of the nonworking nic is somehow blocked on our controllers (Not true).  I should probably just let it go but it's bothering met that he keeps saying it's something on the wifi controller.  I don't believe it is, as mentioned I dont' even see the wifi mac associating at all on the controller when he tries to connect to the enterprise wifi when I issue this command, it doesn't show up at all.

(MMC-Primary) [mynode] #show global-user-table list mac-addr (enter mac here)

Any suggestions on how I can help him understand  / shut down his theory.  Guess I'm being stubborn in this case as I feel the controllers are not being fairly characterized.

Thank you

Which method are you using for authentication? EAP-PEAP, TLS?

eap-peap

Have you tried to configure the WiFi profile manually to avoid misconfiguration?

I believe they ordered a new motherboard that will have a new onboard nic, but i'll ask that question if it happens again. Thank you!

The client will not show up in the user table unless it successfully obtains an ip address.  One think you can try is to upgrade the driver on the laptop to the latest version.

If that doesn't work, you can enable debugging for that client:

(ArubaMM-VA) *[mynode] #cd /md

(ArubaMM-VA) *[md] #configure t

(ArubaMM-VA) *[md] (config) #logging user-debug <mac address>

(ArubaMM-VA) *[md] (config) #write mem

Wait about 60 seconds for the debug command to propagage (you can type "show switches" over and over again to monitor this

Try to associate the device to the SSID and allow it to fail.  Your challenge will be is that we do not know what controller the device will end up on, so just SSH into one of the MDs and type:

"show log user-debug all" and see if there is any traffic from that mac address.  If there is none, SSH into the next MD, type "show log user-debug all".

If you don't see any messages, keep going until you find an md with debug messages for your client.

Ah okay so what you're saying is that I can debug on the specific MD and possibly get more information than the global user table would summarize.   Thanks, didn't know that will give it a try next time.  I appreciate it.

Is there a recommended level for the logging of a user-debug?

I entered logging user-debug (wifi mac) and it gives me incomplete command.

Options are:
level

process

Subcat

What should i specify? Thank you

logging user-debug de:de:ad:be:ef:ca level debugging

After you do a write mem, SSH into the MD and type "show debug" to make sure debug is enabled for that client:

(aruba7005) [MDC] #show debug

DEBUG LEVELS
------------
Facility    Level      Debug Value        Sub Category  Process
--------    -----      -----------        ------------  -------
user-debug  debugging  de:ad:be:ef:ca:fe  N/A           N/A  

 Then you would type "show log user-debug 50" to look at the logs for that client.