Wireless Access

Reply
Regular Contributor I

AOS8.4 client stuck in denyall role

Hi,

 

I am configuring AOS8.4 on a test system before we migrate from 6.5. I have an AP running and broadcasting a dot1x SSID. When a client connects to the SSID I can see on the RADIUS server that authentication is successful (ACCEPT), but the client never moves from the initial denyall role into the 802.1x Authentication Default Role.

 

It's more than likely that when I ported the config across from the 6.5 system I have managed to miss something, but tracking down what that is is proving difficult.

 

It would be helpful to know in detail how this should be working - eg at exactly what point should the role change? As soon as the client authenticates? After the client has authenticated *and* got an IP address? (At the moment the client does not get an IP, though the controller appears to be assigning it the right VLAN, and L2 connectivity for that VLAN appears to be fine).

 

# show aaa debug role user mac b4:9c:df:2c:f8:dd


Role Derivation History
=======================
0: l2 role->logon, mac user created
1: l2 role->denyall, Set AAA profile defaults

 

MAC Name Role Age(d:h:m) Auth AP name Essid Phy Remote Profile User Type
------------ ------ ---- ---------- ---- ------- ----- --- ------ ------- ---------
84:10:0d:f3:71:04 denyall 00:00:00 No c8:b5:ad:c6:d3:f0 testing g-HT No test_aaa WIRELESS

 

STA Table
---------
bssid auth assoc aid l-int essid vlan-id tunnel-id
----- ---- ----- --- ----- ----- ------- ---------
c8:b5:ad:ed:3f:00 y y 1 1 testing 1344 0x10010
State Hash Table
----------------
bssid state reason
----- ----- ------
c8:b5:ad:ed:3f:00 auth-assoc 0

 

 

 #show aaa state station 84:10:0d:f3:71:04

Association count = 1, User count = 0

essid: testing, bssid: c8:b5:ad:ed:3f:00 AP name/group: c8:b5:ad:c6:d3:f0/test_aps PHY: g, ingress=0x10010 (tunnel 16)
vlan default: 1344, current: 1344 vlan-how: 0
name: , role: denyall (default:denyall, cached:n/a, dot1x:n/a), role-how: 1, acl:101/0, age: 00:00:00
Authentication: No, status: not started, method: 4[802.1x], protocol: , server:
dot1xctx:1 sap:1
Flags: mba=0
AAA prof: eduroam_aaa, Auth dot1x prof: default, AAA mac prof: , def role: denyall
ncfg flags udr 0, mac 0, dot1x 1, RADIUS interim accounting 1
Born: 1558108472 (Fri May 17 16:54:32 2019
)

 

This line: "role: denyall (default:denyall, cached:n/a, dot1x:n/a)" suggests there's no default dot1x role, but there is defintely one configured... unless this is to do with hierarchy and it being configured in the wrong place...

 

If anyone could help explain this it would be very useful, and some good troubleshooting commands to debug it would be great too.

 

Thanks

 

MVP Guru

Re: AOS8.4 client stuck in denyall role

Are you returning a user-role from the RADIUS server ? or are you trying to do a UDR ?

Sent from Mail for Windows 10
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Regular Contributor I

Re: AOS8.4 client stuck in denyall role

We're not doing anything fancy at all - no attributes returned from server, no derived VLAN, the VLAN is just configured in the VAP

Highlighted
MVP Guru

Re: AOS8.4 client stuck in denyall role

In that case you need to assign the “authenticated” role as the Default 802.1X Role

Sent from Mail for Windows 10
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Regular Contributor I

Re: AOS8.4 client stuck in denyall role

Ok thanks - I'll check this tomorrow in the office

Regular Contributor I

Re: AOS8.4 client stuck in denyall role

Hello Victor,

 

Thanks for your help so far. Looking at our existing 6.5 config (that I am porting over) we don't use the authenticated role, the aaa profile looks like this:

 

Initial role denyall
MAC Authentication Profile N/A
MAC Authentication Default Role guest
MAC Authentication Server Group default
802.1X Authentication Profile default
802.1X Authentication Default Role eduroam-open_role
802.1X Authentication Server Group lapwing_srvgrp
Download Role from CPPM Disabled
Set username from dhcp option 12 Disabled
L2 Authentication Fail Through Disabled
Multiple Server Accounting Disabled
User idle timeout N/A
Max IPv4 for wireless user 2
RADIUS Accounting Server Group lapwing_srvgrp
RADIUS Roaming Accounting Disabled
RADIUS Interim Accounting Enabled
RADIUS Acct-Session-Id In Access-Request Disabled
XML API server N/A
RFC 3576 server N/A
User derivation rules N/A
Wired to Wireless Roaming Enabled
Reauthenticate wired user on VLAN change Disabled
Device Type Classification Enabled
Enforce DHCP Enabled
PAN Firewall Integration Disabled
Open SSID radius accounting Disabled
Apply ageout mechanism on bridge mode wireless clients Disabled

 

So this is also what I have on the AOS8 set-up. eduroam-open_role exists on the cluster member when I look in the config.

 

It seems like client authentication is working (according to the RADIUS logs on our external server) but that the MD isn't aware of that (if I'm interpreting this correctly), from the 'show aaa state station...' output:

 

Authentication: No, status: not started, method: 4[802.1x], protocol: , server:
dot1xctx:1 sap:1

 

Would you agree? Or is this a red herring? The client doesn't appear on VLAN 1344 although the VLAN *is* shown in the STA table (would it show in this table before a client had authenticated?).

 

On our existing 6.5 system my client device looks like this (show aaa state station...):

 

...

Authentication: Yes, status: started, method: 4[802.1x]...

...

Guru Elite

Re: AOS8.4 client stuck in denyall role

You should get the output of "show auth-tracebuf mac <client mac address" to see the client/ radius server interaction.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Regular Contributor I

Re: AOS8.4 client stuck in denyall role

Thanks - useful command. On the 6.5 system the output is:

 

May 20 10:51:46 station-up * 84:10:0d:f3:71:04 c8:b5:ad:5e:02:c1 - - wpa2 aes
May 20 10:51:46 wpa2-key1 <- 84:10:0d:f3:71:04 c8:b5:ad:5e:02:c1 - 117
May 20 10:51:47 wpa2-key2 -> 84:10:0d:f3:71:04 c8:b5:ad:5e:02:c1 - 135
May 20 10:51:47 wpa2-key3 <- 84:10:0d:f3:71:04 c8:b5:ad:5e:02:c1 - 159
May 20 10:51:47 wpa2-key4 -> 84:10:0d:f3:71:04 c8:b5:ad:5e:02:c1 - 95

 

On AOS 8 I get a whole bunch of output, some eap-req/resp:

 

May 20 09:58:45 eap-resp -> 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 2 110
May 20 09:58:45 rad-req -> 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00/radius0-lapwing_radius 20 319 131.x.x.x
May 20 09:58:45 rad-resp <- 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00/radius0-lapwing_radius 20 1068
May 20 09:58:45 eap-req <- 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 3 1004
May 20 09:58:45 eap-resp -> 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 3 6
May 20 09:58:45 rad-req -> 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00/radius0-lapwing_radius 21 215 131.x.x.x
May 20 09:58:45 rad-resp <- 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00/radius0-lapwing_radius 21 1064
May 20 09:58:45 eap-req <- 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 4 1000
May 20 09:58:45 eap-resp -> 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 4 6

 

then some dot1x-timeouts:

 

May 20 09:58:50 dot1x-timeout * 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 12 3 server timeout
May 20 09:58:50 dot1x-timeout * 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 13 2 station timeout
May 20 09:58:50 eap-id-req <- 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 13 5
May 20 09:58:55 eap-id-req <- 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 13 5
May 20 09:59:00 dot1x-timeout * 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 13 1 station timeout
May 20 09:59:00 eap-id-req <- 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 14 5
May 20 09:59:05 eap-id-req <- 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 14 5
May 20 09:59:10 eap-id-req <- 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 14 5
May 20 09:59:15 dot1x-timeout * 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 14 1 station timeout
May 20 09:59:15 eap-id-req <- 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 15 5
May 20 09:59:20 eap-id-req <- 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 15 5
May 20 09:59:25 eap-id-req <- 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 15 5
May 20 09:59:30 dot1x-timeout * 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 15 1 station timeout
May 20 09:59:30 eap-id-req <- 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 16 5
May 20 09:59:32 eap-start -> 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 - -
May 20 09:59:32 eap-id-req <- 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 16 5
May 20 09:59:32 eap-id-resp -> 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 16 15 @x.x.uk
May 20 09:59:32 rad-req -> 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 31 206 131.x.x.x
May 20 09:59:32 eap-id-resp -> 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 16 15 @x.x.uk
May 20 09:59:32 rad-resp <- 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00/radius0-lapwing_radius 31 64
May 20 09:59:32 eap-req <- 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 17 6
May 20 09:59:32 eap-resp -> 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 17 142

 

I'm not sure what this is telling me, other than timeout doesn't sound good!

 

show aaa authentication server rad stat gives (sorry, probably impossible to read in this format):

 

RADIUS Server Statistics
------------------------
Server Acct Rq Raw Rq PAP Rq CHAP Rq MSCHAP Rq MSCHAPv2 Rq Mismatch Rsp Bad Auth Acc Rej Acct Rsp Chal Ukn Rsp Tmout AvgRspTm Tot Rq Tot Rsp Rd Err Outstanding Auths Outstanding Requests Acc-RTTS Rq Acc-RTTS Rsp ExpAuthTm Uptime SEQ
------ ------- ------ ------ ------- --------- ----------- ------------ -------- --- --- -------- ---- ------- ----- -------- ------ ------- ------ ----------------- -------------------- ----------- ------------ --------- ------ ---
NMG0-RADIUS 0 0 1134 0 0 0 0 0 0 1134 0 0 0 0 1001 1134 1134 0 0 0 0 0 1001 3:23:7 255/255
NMG1-RADIUS 0 0 1151 0 0 0 0 0 17 1134 0 0 0 0 986 1151 1151 0 0 0 0 0 813 3:23:7 255/255
radius0-lapwing_radius 0 2210 0 0 0 1 0 0 179 1 0 1829 0 811 9 2211 2009 0 1 0 0 0 1002 3:18:39 255/255
radius1-lapwing_radius 0 2524 0 0 0 1 0 0 202 1 0 2134 0 752 8 2525 2337 0 2 0 0 0 1001 3:18:37 255/255

 

The servers dealing with clients are radius0 and radius1.

 

 

MVP Guru

Re: AOS8.4 client stuck in denyall role

The RADIUS Server Stats output is a little hard to decipher. I'd check why the RADIUS is timing out in the first place as this will affect all clients.

 

May 20 09:58:50 dot1x-timeout * 84:10:0d:f3:71:04 c8:b5:ad:ed:3f:00 12 3 server timeout

Do you see any log entries (show log all | include timeout) for the server in question. What do you see on the RADIUS side of the conversation? 


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Regular Contributor I

Re: AOS8.4 client stuck in denyall role

Hello, thanks for responding so quickly.

 

The RADIUS end looks fine - the authentication completes and it sends an ACCEPT.

 

There are quite a lot of entries in the log that include 'timeout', but it's just these three messages repeated:

 

May 20 12:20:19 authmgr[3711]: <522050> <5129> <INFO> |authmgr| MAC=84:10:0d:f3:71:04,IP=N/A User data downloaded to datapath, new Role=denyall/101, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
May 20 12:20:19 authmgr[3711]: <522246> <5129> <DBUG> |authmgr| Idle timeout should be driven by STM for MAC 84:10:0d:f3:71:04.
May 20 12:21:29 authmgr[3711]: <522234> <5129> <DBUG> |authmgr| Setting idle timer for user 84:10:0d:f3:71:04 to 300 seconds (idle timeout: 300 ageout: 0).

 

Again - sorry this output is grim to read, these are the logs (well, a section of) for my client MAC (I can send this as an attachment if easier):

 

May 20 13:41:05 authmgr[3711]: <522004> <5129> <DBUG> |authmgr| 13:41:05.136222 auth_send_supplicant_up_to_dot1x use mac 84:10:0d:f3:71:04 bssid c8:b5:ad:ed:3f:00 essid eduroam-testing msg mac 84:10:0d:f3:71:04 bssid c8:b5:ad:ed:3f:00 essid eduroam-testing
May 20 13:41:05 authmgr[3711]: <522004> <5129> <DBUG> |authmgr| ac_active_add_mac_to_bucket: station 84:10:0d:f3:71:04 in essid eduroam-testing (mac_user 0x2094aac) being added to bucket-map
May 20 13:41:05 authmgr[3711]: <522004> <5129> <DBUG> |authmgr| auth_cluster_add_active_mac: essid eduroam-testing b_num 134 mu_mac 84:10:0d:f3:71:04 macuser 0x2094aac
May 20 13:41:05 authmgr[3711]: <522004> <5129> <DBUG> |authmgr| auth_cluster_is_active_uac_or_disconnected: essid eduroam-testing b_num 134 mac 84:10:0d:f3:71:04
May 20 13:41:05 authmgr[3711]: <522004> <5129> <DBUG> |authmgr| auth_gsm_publish_channels: mac 84:10:0d:f3:71:04 publish_list 3 user VALID macuser VALID ipuser NULL
May 20 13:41:05 authmgr[3711]: <522004> <5129> <DBUG> |authmgr| handle_sta_up_dn: mac 84:10:0d:f3:71:04 macuser 00x2094aac essid eduroam-testing user->essid eduroam-testing repready 0 repkey -1
May 20 13:41:05 authmgr[3711]: <522035> <5129> <INFO> |authmgr| MAC=84:10:0d:f3:71:04 Station UP: BSSID=c8:b5:ad:ed:3f:00 ESSID=eduroam-testing VLAN=1344 AP-name=c8:b5:ad:c6:d3:f0 u-encr-alg=0x40 m-encr-alg=0x40 at 13:41:05.136222
May 20 13:41:05 authmgr[3711]: <522049> <5129> <INFO> |authmgr| MAC=84:10:0d:f3:71:04,IP=N/A User role updated, existing Role=logon/none, new Role=denyall/none, reason=Set AAA profile defaults
May 20 13:41:05 authmgr[3711]: <522050> <5129> <INFO> |authmgr| MAC=84:10:0d:f3:71:04,IP=N/A User data downloaded to datapath, new Role=denyall/101, bw Contract=0/0, reason=layer 2 event driven download, idle-timeout=300
May 20 13:41:05 authmgr[3711]: <522077> <5129> <DBUG> |authmgr| MAC=84:10:0d:f3:71:04 ingress 0x10010 (tunnel 16), u_encr 0x40, m_encr 0x40, slotport 0x2100 , type: local, FW mode: 0, AP IP: 172.30.225.7 mdie 0 ft_complete 0
May 20 13:41:05 authmgr[3711]: <522127> <5129> <DBUG> |authmgr| {L2} Update role from logon to denyall for IP=N/A, MAC=84:10:0d:f3:71:04.
May 20 13:41:05 authmgr[3711]: <522142> <5129> <DBUG> |authmgr| Setting default role to denyall for user 84:10:0d:f3:71:04".
May 20 13:41:05 authmgr[3711]: <522158> <5129> <DBUG> |authmgr| Role Derivation for user N/A-84:10:0d:f3:71:04- N/A Set AAA profile defaults.
May 20 13:41:05 authmgr[3711]: <522242> <5129> <DBUG> |authmgr| MAC=84:10:0d:f3:71:04 Station Created Update MMS: BSSID=c8:b5:ad:ed:3f:00 ESSID=eduroam-testing VLAN=1344 AP-name=c8:b5:ad:c6:d3:f0
May 20 13:41:05 authmgr[3711]: <522246> <5129> <DBUG> |authmgr| Idle timeout should be driven by STM for MAC 84:10:0d:f3:71:04.
May 20 13:41:05 authmgr[3711]: <522254> <5129> <DBUG> |authmgr| VDR - mac 84:10:0d:f3:71:04 rolename denyall fwdmode 0 derivation_type Initial Role Contained vp not present.
May 20 13:41:05 authmgr[3711]: <522255> <5129> <DBUG> |authmgr| "VDR - set vlan in user for 84:10:0d:f3:71:04 vlan 1344 fwdmode 0 derivation_type Current VLAN updated.
May 20 13:41:05 authmgr[3711]: <522255> <5129> <DBUG> |authmgr| "VDR - set vlan in user for 84:10:0d:f3:71:04 vlan 1344 fwdmode 0 derivation_type Default VLAN.
May 20 13:41:05 authmgr[3711]: <522258> <5129> <DBUG> |authmgr| "VDR - Add to history of user user 84:10:0d:f3:71:04 vlan 0 derivation_type Reset Role Based VLANs index 3.
May 20 13:41:05 authmgr[3711]: <522258> <5129> <DBUG> |authmgr| "VDR - Add to history of user user 84:10:0d:f3:71:04 vlan 0 derivation_type Reset VLANs for Station up index 0.
May 20 13:41:05 authmgr[3711]: <522258> <5129> <DBUG> |authmgr| "VDR - Add to history of user user 84:10:0d:f3:71:04 vlan 1344 derivation_type Current VLAN updated index 2.
May 20 13:41:05 authmgr[3711]: <522258> <5129> <DBUG> |authmgr| "VDR - Add to history of user user 84:10:0d:f3:71:04 vlan 1344 derivation_type Default VLAN index 1.
May 20 13:41:05 authmgr[3711]: <522264> <5129> <DBUG> |authmgr| "MAC:84:10:0d:f3:71:04: Allocating UUID: 001a1e0580900000001f0236
May 20 13:41:05 authmgr[3711]: <522287> <5129> <DBUG> |authmgr| Auth GSM : MAC_USER publish for mac 84:10:0d:f3:71:04 bssid c8:b5:ad:ed:3f:00 vlan 1344 type 1 data-ready 0 HA-IP n.a
May 20 13:41:05 authmgr[3711]: <522295> <5129> <DBUG> |authmgr| Auth GSM : USER_STA event 0 for user 84:10:0d:f3:71:04
May 20 13:41:05 authmgr[3711]: <522301> <5129> <DBUG> |authmgr| Auth GSM : USER publish for uuid 001a1e0580900000001f0236 mac 84:10:0d:f3:71:04 name role denyall devtype wired 0 authtype 0 subtype 0 encrypt-type 10 conn-port 8448 fwd-mode 0 roam 0 repkey -1
May 20 13:41:05 authmgr[3711]: <522308> <5129> <DBUG> |authmgr| Device Type index derivation for 84:10:0d:f3:71:04 : dhcp (0,0,0) oui (0,0) ua (0,0,0) derived (0):
May 20 13:41:05 authmgr[3711]: <522344> <5129> <DBUG> |authmgr| handle_sta_up_dn (3854): rtts user=84:10:0d:f3:71:04 enabled=0 initial tput=50880
May 20 13:41:05 authmgr[3711]: <524124> <5129> <DBUG> |authmgr| auth_dot1x_supplicant_up(): MAC:84:10:0d:f3:71:04, pmkid_present:False, pmkid:N/A
May 20 13:41:05 authmgr[3711]: <524141> <5129> <DBUG> |authmgr| clr_pmkcache_ft():832: MAC:84:10:0d:f3:71:04 BSS:c8:b5:ad:ed:3f:00
May 20 13:41:05 dot1x-proc:1[4380]: <522038> <4380> <NOTI> |dot1x-proc:1| username=@x.x.uk MAC=84:10:0d:f3:71:04 IP=0.0.0.0 Result=Successful method=802.1x server=radius1-lapwing_radius
May 20 13:41:05 dot1x-proc:1[4380]: <526124> <4380> <DBUG> |dot1x-proc:1| dot1x_supplicant_up(): MAC:84:10:0d:f3:71:04, pmkid_present:False, pmkid:N/A
May 20 13:41:05 stm[3152]: <501093> <NOTI> |AP c8:b5:ad:c6:d3:f0@x.x.x.x stm| Auth success: 84:10:0d:f3:71:04: AP x.x.x.x-c8:b5:ad:ed:3f:00-c8:b5:ad:c6:d3:f0
May 20 13:41:05 stm[3152]: <501095> <NOTI> |AP c8:b5:ad:c6:d3:f0@x.x.x.x stm| Assoc request @ 13:41:05.560666: 84:10:0d:f3:71:04 (SN 0): AP x.x.x.x-c8:b5:ad:ed:3f:00-c8:b5:ad:c6:d3:f0
May 20 13:41:05 stm[3152]: <501100> <NOTI> |AP c8:b5:ad:c6:d3:f0@x.x.x.x stm| Assoc success @ 13:41:05.567664: 84:10:0d:f3:71:04: AP x.x.x.x-c8:b5:ad:ed:3f:00-c8:b5:ad:c6:d3:f0
May 20 13:41:05 stm[3737]: <501065> <3737> <DBUG> |stm| a2c_sm_process_stalist: client (84:10:0d:f3:71:04) is 11k-enabled
May 20 13:41:05 stm[3737]: <501100> <3737> <NOTI> |stm| Assoc success @ 13:41:05.570406: 84:10:0d:f3:71:04: AP 172.30.225.7-c8:b5:ad:ed:3f:00-c8:b5:ad:c6:d3:f0
May 20 13:42:15 authmgr[3711]: <522004> <5129> <DBUG> |authmgr| 84:10:0d:f3:71:04: station datapath entry deleted
May 20 13:42:15 authmgr[3711]: <522004> <5129> <DBUG> |authmgr| ac_active_remove_mac_from_bucket: station 84:10:0d:f3:71:04 in essid eduroam-testing (mh_entry found True addr 0x2094aac) removed in bucket-map 134
May 20 13:42:15 authmgr[3711]: <522004> <5129> <DBUG> |authmgr| auth_cluster_del_active_mac essid eduroam-testing b_num 134 mu_mac 84:10:0d:f3:71:04 mac_user 0x2094aac cluster_enabled=1
May 20 13:42:15 authmgr[3711]: <522004> <5129> <DBUG> |authmgr| mac_station_free: Sta->essid eduroam-testing mu_mac 84:10:0d:f3:71:04 macuser 0x0x2094aac
May 20 13:42:15 authmgr[3711]: <522036> <5129> <INFO> |authmgr| MAC=84:10:0d:f3:71:04 Station DN: BSSID=c8:b5:ad:ed:3f:00 ESSID=eduroam-testing VLAN=1344 AP-name=c8:b5:ad:c6:d3:f0 reason=3 at 13:42:15.200059
May 20 13:42:15 authmgr[3711]: <522152> <5129> <DBUG> |authmgr| station free: bssid=c8:b5:ad:ed:3f:00, mac=84:10:0d:f3:71:04.
May 20 13:42:15 authmgr[3711]: <522234> <5129> <DBUG> |authmgr| Setting idle timer for user 84:10:0d:f3:71:04 to 300 seconds (idle timeout: 300 ageout: 0).
May 20 13:42:15 authmgr[3711]: <522244> <5129> <DBUG> |authmgr| MAC=84:10:0d:f3:71:04 Station Deleted Update MMS
May 20 13:42:15 authmgr[3711]: <522290> <5129> <DBUG> |authmgr| Auth GSM : MAC_USER delete for mac 84:10:0d:f3:71:04
May 20 13:42:15 authmgr[3711]: <522296> <5129> <DBUG> |authmgr| Auth GSM : USER_STA delete event for user 84:10:0d:f3:71:04 age 0 deauth_reason 3
May 20 13:42:15 authmgr[3711]: <522303> <5129> <DBUG> |authmgr| Auth GSM : USER delete for mac 84:10:0d:f3:71:04 uuid 001a1e0580900000001f0236
May 20 13:42:15 stm[3152]: <501000> <DBUG> |AP c8:b5:ad:c6:d3:f0@172.30.225.7 stm| Station 84:10:0d:f3:71:04: Clearing state
May 20 13:42:15 stm[3152]: <501105> <NOTI> |AP c8:b5:ad:c6:d3:f0@x.x.x.x stm| Deauth from sta: 84:10:0d:f3:71:04: AP x.x.x.x-c8:b5:ad:ed:3f:00-c8:b5:ad:c6:d3:f0 Reason STA has left and is deauthenticated
May 20 13:42:15 stm[3737]: <501000> <3737> <DBUG> |stm| Station 84:10:0d:f3:71:04: Clearing state

 

Does the following section suggest it does know the dot1x auth has been successful?:

 

Result=Successful method=802.1x server=radius1-lapwing_radius
May 20 13:41:05 dot1x-proc:1[4380]: <526124> <4380> <DBUG> |dot1x-proc:1| dot1x_supplicant_up(): MAC:84:10:0d:f3:71:04, pmkid_present:False, pmkid:N/A
May 20 13:41:05 stm[3152]: <501093> <NOTI> |AP c8:b5:ad:c6:d3:f0@x.x.x.x stm| Auth success: 84:10:0d:f3:71:04: AP x.x.x.x-c8:b5:ad:ed:3f:00-c8:b5:ad:c6:d3:f0

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: