Frequent Contributor I

Mobility Master not showing username with dot1X auth

We have a setup like this

 

1 x Mobility Master 

2 x Managed Device

1 x ClearPass

1 x Palo Alto FW

 

Version 8.2.2.1 (upgraded now - problem was there also with 8.2.1.1)

 

We need to get the user name to Palo Alto for controlling access, but only some users show up on Mobility Master with user names; some only show IP and status authenticated.

 

(X-Aruba-MM) *[mynode] #show global-user-table list

Global Users
------------
IP MAC Name Current switch Role Auth AP name
---------- ------------ ------ -------------- ---- ---- -------
10.208.X.129 60:30:d4:77:xx:xx 10.8X.XX.14 authenticated XX-Kl2
10.198.X.95 44:91:60:4c:xx:xx 03samxxx 10.8X.XX.14 authenticated 802.1x XX R405


(X-WLAN2) [MDC] *#show user-table | include 10.198.X.95
10.198.X.95 44:91:60:4c:xx:xx 03samxxx authenticated 00:00:00 802.1x XXX R405

(X-WLAN2) [MDC] *#show user-table | include 10.208.X.129
10.208.X.129 60:30:d4:77:xx:xx 05jonxxx authenticated 00:00:07 802.1x XXX-Kl2

 

 

When we do show-global-user list on Mobility Master some clients are good with authentication 802.1x and username, whereas others show as authenticated and IP only.

 

When we do a show user-table from the MD, it shows all the correct information (see pasted text above).

So as far as I can tell, ClearPass sends correct information, each MD receives authentication type, IP and user name, but the Mobility Master only displays some of these.

 

We see no common factors between the ones that don't work. 

 

Clients with missing information come from both controllers, and both controllers also send correct information for some clients. All clients are OK on each MD, but not in MM.

There's no firewall between MD and MM.

Any hints?

Super Contributor II

Re: Mobility Master not showing username with dot1X auth

Hi!

 

Do you really need the user entries correctly populated in the MM for the Palo Alto integration to work? You should be able to leverage what you have in ClearPass and the MDs to provide your Palo Alto firewall with the correct information about your users, right?

(not saying it's ok for the MM to display incorrect info, just saying in your case perhaps it doesn't matter)

 

Cheers,

Christoffer Jacobsson | Aranya AB
Aruba Partner Ambassador
Aruba: ACMX #537 ACCP ACDP | CWNP: CWNE #306