Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Difference between 8021x-User and 802.1x

  • 1.  Difference between 8021x-User and 802.1x

    Posted Apr 23, 2012 06:46 AM

    Hi 

     

    When I see show user, I get different user state information even though the users are connected to the same SSID doing .1x authentication.

    What is the difference between these (8021x-User and 802.1x), once I have this Anounou users also connecting to the CORP SSID?

    I am really confused, please help.

     

     

     

    Users
    -----
        IP            MAC            Name                            Role           Age(d:h:m)  Auth           VPN link  AP name            Roaming   Essid/Bssid/Phy                  Profile       Forward mode  Type
    ----------   ------------       ------                           ----           ----------  ----           --------  -------            -------   ---------------                  -------       ------------  ----
    10.208.2.15  d0:df:9a:0c:9c:bf  anounou                          authenticated  00:21:36    802.1x                   AAH_GF2_RAD_AP01   Wireless  CORP/d8:c7:c8:83:2e:c0/g-HT  CORP_AAA  tunnel        Win XP
    10.208.3.12  74:de:2b:3b:0b:e3  comp\NRiju                        authenticated  00:01:16    802.1x                   AAH_1F2_ADMN_AP28  Wireless  CORP/d8:c7:c8:83:3b:c0/g-HT  CORP_AAA  tunnel        Win XP
    10.208.4.11  1c:65:9d:84:70:2a  host/037066DHD284217.comp.org.qa  authenticated  07:18:37    8021x-Machine            AAH_1F1_LIFT_AP43  Wireless  CORP/d8:c7:c8:85:2d:00/g-HT  CORP_AAA  tunnel        Windows
    10.208.4.13  00:24:d7:60:e7:8c  comp.ORG.QA\ramal                 authenticated  00:01:20    802.1x                   AAH_GF1_CR_AP18    Wireless  CORP/d8:c7:c8:83:20:b0/a-HT  CORP_AAA  tunnel        Win XP
    10.208.4.15  d0:df:9a:0f:ea:67  comp.ORG.QA\cghariani             authenticated  06:00:02    8021x-User               AAH_GF3_PHRM_AP21  Wireless  CORP/d8:c7:c8:87:63:20/g-HT  CORP_AAA  tunnel        Win XP
    10.208.5.11  08:86:3b:66:29:dd  host/037065DHS313156.comp.org.qa  authenticated  00:01:14    8021x-Machine            AAH_GF2_RAD_AP01   Wireless  CORP/d8:c7:c8:83:2e:d0/a-HT  CORP_AAA  tunnel        Win XP
    10.208.5.13  d0:df:9a:0c:9c:fc  comp\relwahab                     authenticated  00:01:09    802.1x                   AAH_GF2_RAD_AP03   Wireless  CORP/d8:c7:c8:83:30:80/g-HT  CORP_AAA  tunnel        Win XP
    10.208.5.14  08:86:3b:70:0a:2f  rhussein1                         authenticated  05:15:24    802.1x                   AAH_GF2_RAD_AP01   Wireless  CORP/d8:c7:c8:83:2e:d0/a-HT  CORP_AAA  tunnel        Win XP

     

     

    Can you advise why these users are named in different ways?

     

     



  • 2.  RE: Difference between 8021x-User and 802.1x

    Posted Apr 23, 2012 08:22 AM

    802.1x means that both user and machine auth has passed.

     

    802.1x-User means that the user authentication passed, but the controller did not see a valid machine auth within the machine auth cache timeout.

     

    802.1x-Machine means that machine auth has passed, but a user has not yet logged in (notice the "host/" in front of the user name... that means the machine has logged into the WLAN).

     

    Typically, the machine and user only roles would be more restrictive than the role assigned if both pass.  That way, a non-domain computer can't access all of the resources that a domain computer can.  You have to balance that, however, with your need to support non-Windows machines, since they either can't join the domain or are at least more difficult to join.



  • 3.  RE: Difference between 8021x-User and 802.1x

    Posted Apr 30, 2012 09:10 AM

    Thanks Olino,

     

    I have one more question. The customer has both machine auth and user auth. What I found is that once the user logs off from the same desktop and logs in again as another user, the user status goes to Machine Auth, but after the successful user authentication it still shows Machine Authenticated in the show user output on the controller. Once we delete the user from the controller, it shows the proper user who is authenticated on that PC.

    Is there any config that needs to be rechecked?

     

    Thanks

    BR



  • 4.  RE: Difference between 8021x-User and 802.1x

    Posted Apr 30, 2012 09:20 AM

    I am not sure why that would happen.  The controller should track the current status of the users.  When a user logs out, the controller should show the host name as the user record (host/<machine name>), assuming that machine is part of your domain.

     

    Once the second user logs in, the controller should update the user record with the correct name.

     

    Do the roles have a VLAN set?  Is it possible that you have BOTH the machine name and the user name in the user table?  Do "show user | inc <mac of the client>" and see if you see both.
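
The two checks discussed in the replies above, as an added example that is not part of the original posts: it tallies the Auth column of pasted `show user` output, lists any MAC that appears under more than one name, and lists partially authenticated clients that hold the same role as fully authenticated ones. The sample rows, the `machine-only` role name and the function names are constructed for illustration, and names are assumed to contain no spaces.

```python
import re
from collections import defaultdict

# Auth column values, with the meaning given in reply 2 of this thread.
AUTH_MEANING = {
    "802.1x": "machine and user authentication both passed",
    "8021x-User": "user passed, no valid machine auth within the cache timeout",
    "8021x-Machine": "machine passed, no user logged in yet",
}
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

# Constructed sample in the column layout of the output above (all values made up).
SAMPLE = r"""
    IP          MAC                Name                   Role           Age(d:h:m)  Auth
192.0.2.11  00:00:5e:00:53:01  EXAMPLE\alice          authenticated  00:01:16  802.1x         AP01  Wireless  CORP/00:00:5e:00:53:a0/g-HT  CORP_AAA  tunnel  Win XP
192.0.2.12  00:00:5e:00:53:02  host/PC01.example.org  authenticated  07:18:37  8021x-Machine  AP02  Wireless  CORP/00:00:5e:00:53:a1/g-HT  CORP_AAA  tunnel  Windows
192.0.2.13  00:00:5e:00:53:03  EXAMPLE\bob            authenticated  06:00:02  8021x-User     AP03  Wireless  CORP/00:00:5e:00:53:a2/g-HT  CORP_AAA  tunnel  Win XP
192.0.2.14  00:00:5e:00:53:03  host/PC03.example.org  machine-only   00:01:14  8021x-Machine  AP03  Wireless  CORP/00:00:5e:00:53:a2/g-HT  CORP_AAA  tunnel  Win XP
"""

def parse_show_user(text):
    """Return one dict per client row; headers, rulers and wrapped lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split(None, 6)  # IP, MAC, Name, Role, Age, Auth, rest
        if len(f) < 6 or not MAC_RE.match(f[1]) or f[5] not in AUTH_MEANING:
            continue
        rows.append({"mac": f[1].lower(), "name": f[2], "role": f[3], "auth": f[5]})
    return rows

def audit(rows):
    by_auth, by_mac = defaultdict(list), defaultdict(list)
    for r in rows:
        by_auth[r["auth"]].append(r["name"])
        by_mac[r["mac"]].append(r["name"])
    # Reply 4's check: does one MAC appear under both a machine and a user name?
    dup = {m: n for m, n in by_mac.items() if len(n) > 1}
    # Reply 2's point: partial-auth clients should not hold a role that
    # fully authenticated clients get.
    full_roles = {r["role"] for r in rows if r["auth"] == "802.1x"}
    same_role = [r["name"] for r in rows if r["auth"] != "802.1x" and r["role"] in full_roles]
    return dict(by_auth), dup, same_role

if __name__ == "__main__":
    by_auth, dup, same_role = audit(parse_show_user(SAMPLE))
    for auth, names in by_auth.items():
        print(f"{auth:14} {len(names):3}  {AUTH_MEANING[auth]}")
    print("same MAC, several names:", dup)
    print("partial auth but full role:", same_role)
```

Rows with any other value in the Auth column are ignored by this parser.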



  • 5.  RE: Difference between 8021x-User and 802.1x

    Posted Apr 30, 2012 10:57 AM

    Thanks for your prompt reply.

     

     

    You are right: once the user logs out, the controller shows the user record as (host/<machine name>), but when any other user logs in it does not change the status unless we do aaa user delete mac machine name.

     

     

    We don't have any VLAN set on the role.

    Show user | inc <Mac> shows only one entry.

     

    Really confused ....

     


     

    Thanks

    BR



  • 6.  RE: Difference between 8021x-User and 802.1x

    Posted Apr 30, 2012 11:42 AM

    That is strange.  I would turn on debugging (logging level debug user-debug <mac>) and watch to see what happens (the logs will be in "show log user-debug all").  Once you turn on debugging for that mac address, you will also see only that mac address in the "show auth-tracebuf" command.  It can be useful to figure out things like this as well.

     

    If you don't see anything out of the ordinary there, open a TAC case and see if they can get to the bottom of it.