Mobility Master not showing username with dot1X auth
11-02-2018 04:14 AM
We have a setup like this
1 x Mobility Master
2 x Managed Device
1 x Palo Alto FW
Version 220.127.116.11 (upgraded now - problem was there also with 18.104.22.168)
We need to get the user name to Palo Alto for controlling access, but only some users show up on Mobility Master with user names; some only show IP and status authenticated.
(X-Aruba-MM) *[mynode] #show global-user-table list
IP            MAC                Name      Current switch  Role           Auth    AP name
------------  -----------------  --------  --------------  -------------  ------  -------
10.208.X.129  60:30:d4:77:xx:xx            10.8X.XX.14     authenticated          XX-Kl2
10.198.X.95   44:91:60:4c:xx:xx  03samxxx  10.8X.XX.14     authenticated  802.1x  XX R405
(X-WLAN2) [MDC] *#show user-table | include 10.198.X.95
10.198.X.95 44:91:60:4c:xx:xx 03samxxx authenticated 00:00:00 802.1x XXX R405
(X-WLAN2) [MDC] *#show user-table | include 10.208.X.129
10.208.X.129 60:30:d4:77:xx:xx 05jonxxx authenticated 00:00:07 802.1x XXX-Kl2
When we do show-global-user list on Mobility Master some clients are good with authentication 802.1x and username, whereas others show as authenticated and IP only.
When we do a show user-table from the MD, it shows all the correct information (see pasted text above).
So as far as I can tell, ClearPass sends correct information, each MD receives both authentication type and IP and user name, but the Mobility Master only displays some of these.
We see no common factors between the ones that don't work.
Clients with missing information come from both controllers, and both controllers also send correct information for some clients. All clients are OK on each MD, but not in MM.
There's no firewall between MD and MM.
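The comparison described in the post above (MM global user table against each MD's user table) can be automated. This is an added example, not part of the original post and not Aruba tooling: it assumes the CLI output is saved as fixed-width text with a dashed ruler under the header, the MD header names are assumed, and all addresses, MACs and AP names in the sample are constructed.

```python
import re

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)

def parse_table(text):
    """Split fixed-width CLI output into dicts, using the dashed ruler for column bounds."""
    lines = [l for l in text.splitlines() if l.strip()]
    ruler = next(i for i, l in enumerate(lines) if set(l.strip()) <= {"-", " "})
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    bounds = list(zip(starts, starts[1:] + [None]))
    header = [lines[ruler - 1][a:b].strip() for a, b in bounds]
    return [{h: row[a:b].strip() for h, (a, b) in zip(header, bounds)}
            for row in lines[ruler + 1:]]

def clients(text):
    """Keep only rows that describe a client (drops prompts and summary lines)."""
    return [r for r in parse_table(text) if MAC_RE.fullmatch(r.get("MAC", ""))]

def missing_on_mm(mm_text, md_text):
    """Return (IP, MAC, MD username) for clients the MM lists without a name."""
    md_names = {r["MAC"]: r["Name"] for r in clients(md_text) if r["Name"]}
    return sorted((r["IP"], r["MAC"], md_names[r["MAC"]])
                  for r in clients(mm_text)
                  if not r["Name"] and r["MAC"] in md_names)

def render(header, rows):
    """Build constructed sample output in an aligned fixed-width layout."""
    widths = [max(len(c) for c in col) for col in zip(header, *rows)]
    table = [header, ["-" * w for w in widths], *rows]
    return "\n".join("  ".join(c.ljust(w) for c, w in zip(r, widths)) for r in table)

# Constructed sample data (documentation address ranges), shaped like the post's output.
MM_SAMPLE = render(
    ["IP", "MAC", "Name", "Current switch", "Role", "Auth", "AP name"],
    [["192.0.2.129", "00:00:5e:00:53:01", "", "198.51.100.14", "authenticated", "", "AP-Kl2"],
     ["192.0.2.95", "00:00:5e:00:53:02", "03samxxx", "198.51.100.14", "authenticated",
      "802.1x", "AP-R405"]])
MD_SAMPLE = render(
    ["IP", "MAC", "Name", "Role", "Age", "Auth", "AP name"],  # header names assumed
    [["192.0.2.129", "00:00:5e:00:53:01", "05jonxxx", "authenticated", "00:00:07",
      "802.1x", "AP-Kl2"],
     ["192.0.2.95", "00:00:5e:00:53:02", "03samxxx", "authenticated", "00:00:00",
      "802.1x", "AP-R405"]])

if __name__ == "__main__":
    for ip, mac, name in missing_on_mm(MM_SAMPLE, MD_SAMPLE):
        print(f"{ip} {mac}: MD has user '{name}', MM has no name")
```

Splitting on the ruler rather than on whitespace is what keeps an empty Name or Auth cell from shifting the later columns.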
Re: Mobility Master not showing username with dot1X auth
11-02-2018 05:11 AM
Do you really need the user-entries correctly populated in the MM for the Palo Alto integration to work? You should be able to leverage what you have in ClearPass and the MDs to provide your Palo Alto firewall with the correct information about your users, right?
(not saying it's ok for the MM to display incorrect info, just saying in your case perhaps it doesn't matter)
Aruba Partner Ambassador
Aruba: ACMX #537 ACCP ACDP | CWNP: CWNE #306