Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Gathering data about dot1x clients using API

  • 1.  Gathering data about dot1x clients using API

    Posted Jan 26, 2023 12:13 PM
    Hello,

    AOS 8.10.0.5
    Cluster of 10 gateways
    Conductor, and standby Conductor

    Although I am using the API this is really a question about the data that is accessible on the controllers.

    We want to get an idea of how many dot1x clients are using WPA3 or WPA2 now that we have turned on WPA3 on eduroam (in transition mode). I wrote a script that parses the output of "show dot1x supplicant-info list-all" on each cluster member and gives us a count of WPA2/WPA3 clients. That's useful, but actually we broadcast a few other dot1x SSIDs, so to get some nice accurate numbers I really want to pin down which SSID a dot1x client listed in the supplicant table is connected to.

    I thought the simplest way to do that would be to take the client MAC from the dot1x output and then run "show user-table mac <mac>", which tells you the essid. But this raises some questions, because sometimes there will be more than one entry in the user-table. I guess ultimately what I'm trying to establish is: is there a 1-to-1 relationship between the dot1x client entry and one of those user-table entries (e.g. perhaps the most recent according to the Age column)? So given a dot1x client entry, does that relate to a single, specific user-table entry for that MAC address (if there is more than one entry for that MAC in the user-table)?

    More generally it would be useful to know how and why an entry ends up in the user-table. And whether it is possible for a client to have more than one entry in the dot1x supplicant-info table for the same MAC address.

    I hope that makes sense.

    Am open to ideas for better ways to get this data (Airwave would be one but unfortunately it currently misreports the WPA2/3 spec for some clients, we have a TAC case open for that), or if there is a better source of the info than either the dot1x supplicant-info output or usertable.



    Thanks,
    Guy


  • 2.  RE: Gathering data about dot1x clients using API

    EMPLOYEE
    Posted Jan 27, 2023 08:27 AM
    A client will have one user table entry per IP address it uses. Notably with IPv6, clients will have multiple IP addresses and multiple entries in the user table as well. A dual stack client will also have one IPv4 address. And sometimes when clients are roaming from another network they might use that IP for some time and it may end up in the user-table. Check the validuser documentation on how to ignore those IPs that are outside of your own IP space.

    I would not expect more than one entry per MAC address in the dot1x supplicant-info table, as that is a L2 (or even below L2) thing.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Gathering data about dot1x clients using API

    Posted Jan 30, 2023 07:36 AM
    Thanks Herman,

    In our environment we have eduroam, but also other dot1x SSIDs in various places (due to the federated nature of the university), so my worry is that I will find a MAC address in the dot1x supplicant table and then incorrectly identify which SSID that client is on because I will parse the wrong entry in the user-table (if they happen to have more than one).

    Actually I just looked and maybe I would be better off using "show user mac <mac> | inc Essid", that seems to give a single entry with a definitive answer. (Instead of "show user-table mac..."). That could be the way to go.

    Guy
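
The correlation discussed in this thread (one supplicant-info row per MAC, several user-table rows per MAC once IPv6, dual stack or a roamed-in address are involved) as an added example. This is not Guy's script and not Aruba code: it parses captured text of the two show commands, so how you fetch that text (API or SSH) is up to you. The sample CLI output is constructed, the column set is a trimmed version of the real user-table columns, and the "Key-Mgmt" column in the dot1x table is an assumption: check both headers against your own gateways and adjust. It drops user-table rows whose IP is outside your own address space (the validuser idea Herman mentions), and where the remaining rows still disagree on ESSID it takes the youngest row and flags the MAC as ambiguous; that "youngest wins" rule is a heuristic in this example, not documented controller behaviour.

```python
"""Correlate 802.1X supplicant entries with user-table ESSIDs on AOS 8.

Added example, not the poster's script and not Aruba code. The CLI output
below is constructed; column names (especially 'Key-Mgmt') are assumptions
to be checked against 'show dot1x supplicant-info list-all' and
'show user-table' on a real gateway.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of 'show dot1x supplicant-info list-all' (layout assumed).
DOT1X_OUTPUT = """\
802.1x Supplicant Information
-----------------------------
MAC                Name               Key-Mgmt
---                ----               --------
aa:bb:cc:00:00:01  alice@example.edu  WPA3-AES
aa:bb:cc:00:00:02  bob@example.edu    WPA2-AES
aa:bb:cc:00:00:03  carol@example.edu  WPA3-AES
aa:bb:cc:00:00:04  dave@example.edu   WPA2-AES
aa:bb:cc:00:00:05  erin@example.edu   WPA3-AES
"""

# Constructed sample of 'show user-table' (subset of the real columns).
# 00:01 is dual stack, 00:02 kept a roamed-in 192.168 address, 00:04 has no
# user entry yet, 00:05 has two in-scope rows on different ESSIDs.
USER_TABLE_OUTPUT = """\
Users
-----
IP             MAC                Name               Role   Age(d:h:m)  Auth    AP name    Essid/Bssid/Phy
--             ---                ----               ----   ----------  ----    -------    ---------------
10.0.1.10      aa:bb:cc:00:00:01  alice@example.edu  staff  00:00:30    802.1x  AP-LIB-01  eduroam/aa:bb:cc:dd:ee:01/a-VHT
2001:db8:1::10  aa:bb:cc:00:00:01  alice@example.edu  staff  00:00:29    802.1x  AP-LIB-01  eduroam/aa:bb:cc:dd:ee:01/a-VHT
10.0.2.20      aa:bb:cc:00:00:02  bob@example.edu    staff  00:00:05    802.1x  AP-LIB-02  eduroam/aa:bb:cc:dd:ee:02/a-VHT
192.168.50.5   aa:bb:cc:00:00:02  bob@example.edu    staff  00:02:10    802.1x  AP-LIB-02  campus-dot1x/aa:bb:cc:dd:ee:02/a-VHT
10.0.3.30      aa:bb:cc:00:00:03  carol@example.edu  staff  00:01:00    802.1x  AP-ENG-01  campus-dot1x/aa:bb:cc:dd:ee:03/a-VHT
10.0.5.50      aa:bb:cc:00:00:05  erin@example.edu   staff  00:00:02    802.1x  AP-ENG-02  campus-dot1x/aa:bb:cc:dd:ee:05/a-VHT
10.0.5.51      aa:bb:cc:00:00:05  erin@example.edu   staff  00:05:00    802.1x  AP-ENG-02  eduroam/aa:bb:cc:dd:ee:05/a-VHT
"""

# Your own address space (assumed values); rows with IPs outside it are ignored.
OWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "2001:db8::/32")]


def parse_table(text):
    """Parse an AOS-style CLI table into dicts keyed by column name.

    The header is the line directly above the last dash-only underline seen;
    fields are split on runs of two or more spaces, so a row whose field
    count does not match the header (e.g. an empty column) is skipped rather
    than silently misread.
    """
    header, rows = None, []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.fullmatch(r"[-\s]+", line) and i > 0 and lines[i - 1].strip():
            header = re.split(r"\s{2,}", lines[i - 1].strip())
            rows = []
            continue
        if header is None or not line.strip():
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) == len(header):
            rows.append(dict(zip(header, fields)))
    return rows


def age_minutes(age):
    """Convert an 'Age(d:h:m)' value such as '00:02:10' to minutes."""
    d, h, m = (int(x) for x in age.split(":"))
    return d * 1440 + h * 60 + m


def in_own_space(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in OWN_NETWORKS)


def wpa_version(key_mgmt):
    m = re.search(r"WPA\d", key_mgmt)
    return m.group(0) if m else "unknown"


def resolve_essid(user_rows):
    """Return (essid, ambiguous) for one MAC's user-table rows.

    Out-of-scope IPs are dropped first. If the in-scope rows still name more
    than one ESSID, the youngest row wins and the result is flagged; that rule
    is a heuristic chosen for this example.
    """
    rows = [r for r in user_rows if in_own_space(r["IP"])]
    if not rows:
        return None, False
    essids = {r["Essid/Bssid/Phy"].split("/")[0] for r in rows}
    youngest = min(rows, key=lambda r: age_minutes(r["Age(d:h:m)"]))
    return youngest["Essid/Bssid/Phy"].split("/")[0], len(essids) > 1


def count_clients(dot1x_text, user_table_text):
    """Count dot1x clients per (ESSID, WPA version); also list ambiguous MACs."""
    by_mac = defaultdict(list)
    for r in parse_table(user_table_text):
        by_mac[r["MAC"].lower()].append(r)
    counts, ambiguous = Counter(), []
    for client in parse_table(dot1x_text):
        mac = client["MAC"].lower()
        essid, amb = resolve_essid(by_mac.get(mac, []))
        counts[(essid or "no-user-entry", wpa_version(client["Key-Mgmt"]))] += 1
        if amb:
            ambiguous.append(mac)
    return counts, ambiguous


if __name__ == "__main__":
    counts, ambiguous = count_clients(DOT1X_OUTPUT, USER_TABLE_OUTPUT)
    for (essid, wpa), n in sorted(counts.items()):
        print(f"{essid:15} {wpa}: {n}")
    if ambiguous:
        print("ambiguous (several in-scope ESSIDs):", ", ".join(ambiguous))
```

Run it once per cluster member and merge the counters, since a client's user-table and supplicant rows live on the gateway that owns it. The "no-user-entry" bucket is worth watching: a MAC that has authenticated but has no IP yet, or whose only IP fell outside OWN_NETWORKS, cannot be assigned to an SSID from the user-table alone, and "show user mac <mac> | inc Essid" may be the better source for those.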