Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

debug on authentication

  • 1.  debug on authentication

    Posted Nov 17, 2011 01:48 AM

    Is there a useful command to debug association and authentication?

    The "sh user" gives me the authenticated users. But I like to debug when there is an unsuccessful auth.



  • 2.  RE: debug on authentication

    Posted Nov 17, 2011 02:54 AM

    I'm making a new post here; maybe I had a cache issue with the old one.

    --------------------------------------------------------------------------------------

     

    Hi, with "show station-table" you can obtain useful information, and you can check whether your clients have the pre-login role or have passed authentication.

     

    To debug L2 auth/association issues you can use

     

    #show ap association

     

    and to check a specific client

     

    #show ap client status e0:f8:47:f3:1e:53



  • 3.  RE: debug on authentication

    Posted Nov 18, 2011 07:39 AM

    They look like interesting commands, but where can I find the meaning of the fields?

     

    (NWD2GA01) #show ap client status 78:d6:f0:ac:a8:91

    STA Table
    ---------
    bssid              auth  assoc  aid  l-int  essid    vlan-id  tunnel-id
    -----              ----  -----  ---  -----  -----    -------  ---------
    d8:c7:c8:82:fd:a2  y     y      5    10     Visitor  13       0x1198
    State Hash Table
    ----------------
    bssid              state       reason
    -----              -----       ------
    d8:c7:c8:82:fb:a2              3
    d8:c7:c8:83:a4:a3              3
    d8:c7:c8:83:48:61              3
    d8:c7:c8:82:fd:a2  auth-assoc  0

     

     

    (NWD2GA01) #show ap association

    Flags: W: WMM client, A: Active, K: 802.11K client, B: Band Steerable

    PHY Details: HT: High throughput; 20: 20MHz; 40: 40MHz
                 <n>ss: <n> spatial streams

    Association Table
    -----------------
    Name             bssid              mac                auth  assoc  aid  l-int  essid      vlan-id  tunnel-id  phy             assoc. time     num assoc  Flags
    ----             -----              ---                ----  -----  ---  -----  -----      -------  ---------  ---             -----------     ---------  -----
    name   d8:c7:c8:82:fc:43  00:21:6a:50:99:7e  y     y      10   10     Corporate  201      0x11d8     g-HT-20sgi-3ss  20s             4          WA




  • 4.  RE: debug on authentication

    Posted Nov 18, 2011 08:01 AM

    The fields are described in the "ArubaOS Command Line Reference Guide" in the documentation section on the Aruba support site.  The "show ap client status" command is on page 617 (in the 6.1 guide) and "show ap association" is on page 603.



  • 5.  RE: debug on authentication

    Posted Nov 19, 2011 03:01 PM

    If you have an issue with authentication and association, you have to check this table

     

    auth  assoc

     

    If they're always "yes" for your client MAC address, it is not an association or authentication issue.

    Maybe the log can be useful, because it can be that, due to interference, clients have issues authenticating and associating, but after a while they can connect successfully.

     

    The command I gave you is a snapshot of the auth/assoc situation; the log shows you how often and how many times.



  • 6.  RE: debug on authentication

    Posted Nov 19, 2011 10:48 PM

    The following command can be very useful too

     

    (controller-6000) #show auth-tracebuf ?
    count                   Show last count number of packets
    failures                Show only failures
    mac                     Filter on a specific STA or AP
    |                       Output Modifiers
    <cr>

    Regards,

    Sathya



  • 7.  RE: debug on authentication

    EMPLOYEE
    Posted Nov 17, 2011 07:12 AM

    Try this:

     

    config t

    logging level debug user

     

    Then when the user associates try:

     

    show log user all | include <mac address of device>

     

     

     

     



  • 8.  RE: debug on authentication

    Posted Nov 20, 2011 09:18 PM

    Are you trying to track down authentication failures for RADIUS Auth, MAC Auth, PSK Auth?

     

    If you are trying to track down auth failures for RADIUS or NPS, start with testing your RADIUS Client relationship using the AAA Test Server (either via the CLI or GUI).  If you have a time out, start by checking your psk between the two.  If you get a response, failed or successful, go from there.

     

    Move over to the CLI and change logging level of security to debug:

     

    (config) # logging level debugging security process authmgr

    (config) # logging level debugging security subcat aaa

     

    Attempt to connect to your wireless from a device.  After the attempt, run the command show log security 50 and read through looking for something similar to:

     

    --

    Nov 20 20:14:16 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=802.1x, server=Aercorone, user=24:77:03:08:53:d0
    Nov 20 20:14:16 :124004:  <DBUG> |authmgr|  Auth server 'Aercorone' response=0
    --

     

    The response in bold (in this case 0) will tell you what the server's response is.  In this case, 0 represents a success.  If a 1 is returned, it represents a username/password mismatch.  There are 6 different response codes (see attached from the KB).

     

    I have found that, when there is an error in the configuration of the Network Policy on the NPS (RADIUS) you can also receive response 1.  At this point, start looking at the NPS event logs for errors.

     

    Hope that helps a bit
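
Added example, not part of the original thread or of any Aruba tooling: a small parser for saved "show log security" output that pairs each 124003 result line with the 124004 server response that follows it and counts failures per client. The failure lines in the sample are constructed and assumed to follow the same layout as the success lines quoted above; only response codes 0 and 1 are named because those are the only ones the thread explains.

```python
import re
from collections import Counter

# Constructed sample: lines 1-2 copy the format quoted in the thread; the
# failure lines are constructed and assume the same layout with code 1.
SAMPLE_LOG = """\
Nov 20 20:14:16 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=802.1x, server=Aercorone, user=24:77:03:08:53:d0
Nov 20 20:14:16 :124004:  <DBUG> |authmgr|  Auth server 'Aercorone' response=0
Nov 20 20:15:02 :124003:  <INFO> |authmgr|  Authentication result=Authentication failed(1), method=802.1x, server=Aercorone, user=00:11:22:33:44:55
Nov 20 20:15:02 :124004:  <DBUG> |authmgr|  Auth server 'Aercorone' response=1
Nov 20 20:15:40 :124003:  <INFO> |authmgr|  Authentication result=Authentication failed(1), method=802.1x, server=Aercorone, user=00:11:22:33:44:55
"""

# Only the two codes explained in the thread; the others are in the KB list.
RESPONSE_MEANING = {0: "success", 1: "username/password mismatch"}

RESULT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) :124003:.*?result=(?P<text>[^,]*?)\((?P<code>\d+)\), "
    r"method=(?P<method>[^,]+), server=(?P<server>[^,]+), user=(?P<user>\S+)")
RESPONSE_RE = re.compile(r":124004:.*?Auth server '(?P<server>[^']+)' response=(?P<code>\d+)")

def parse_auth_events(log_text):
    """Return one dict per 124003 result line, attaching the 124004 server
    response that follows it (None if the log ends or no response was logged)."""
    events = []
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["code"] = int(ev["code"])
            ev["server_response"] = None  # filled by the next 124004 line
            events.append(ev)
            continue
        m = RESPONSE_RE.search(line)
        if m and events and events[-1]["server_response"] is None \
                and events[-1]["server"] == m["server"]:
            events[-1]["server_response"] = int(m["code"])
    return events

def failures_by_user(events):
    """Count non-zero authentication results per client MAC or username."""
    return Counter(ev["user"] for ev in events if ev["code"] != 0)

def describe(code):
    return RESPONSE_MEANING.get(code, f"code {code} (see the KB response-code list)")

if __name__ == "__main__":
    for ev in parse_auth_events(SAMPLE_LOG):
        print(ev["ts"], ev["user"], ev["method"], describe(ev["code"]), ev["server_response"])
```

On a busy controller, lines from different clients interleave, so the pairing of a result with the next response line is a heuristic; filter the log by client MAC first when that matters.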