Currently have a customer using RADIUS authentication on the wireless and User-ID on the PA. The problem is when two different users use the same machine. A teacher logs in and gets a policy applied to the session going through the firewall; she logs out and a student logs in to the same machine, and that student has the same privileges through the PA as the teacher did. It seems like the PA is not releasing the session and applying the correct policy to the new user. Any ideas?
Setup is HA 3020s and Aruba wireless. RADIUS auth is against a Microsoft 2012 server.
Do you see the (student) user name in the traffic logs when it hits the policy that you have created for the teacher?
If not, please verify if the ip-user-mapping changes for that IP address after teacher logs out and student logs in.
You can check the ip-user-mapping for an IP using the following command:
show user ip-user-mapping ip <ip/netmask>
Actually, this should not happen, because when a user logs out, it creates a security log on the AD server. The firewall reads it and removes the mapping. We should try to find out why it's not happening.
However, there are two solutions for this.
1. Reduce the timeout interval for the User-ID-to-IP mapping, which means older mappings will expire if there is no activity from them.
2. Or enable WMI probing: the User-ID agent queries all active users, and if they don't respond, it's removed.
OK, so some more info.
This is only happening on wireless users; wired works fine. We are not seeing a user/IP mapping for the wireless users; the source user is blank.
Is there some new feature in 6.0 to help with this?
The Source User field is blank because the username is not being pushed correctly. How are you pushing the usernames from the Aruba wireless? Are you using the XML API?
There are multiple methods to push user ip mappings:
--Using a syslog parser profile:
--Using XML API:
Hope it helps !
OK, so this customer does not have ClearPass, so I am assuming the XML API solution won't work. As far as the syslog solution, I am trying to set this up in my lab. I have an Aruba controller, a PA-200, and a 2008 server. Do I run the syslog server on the same server as the User-ID agent is on, or do these need to be separate boxes? I am running Kiwi Syslog Server on the same 2008 server as the UID agent is on... think I said that already :)
The document keeps referring to a "syslog sender" and I am not sure if that is the controller, the PA, or the 2008 server.
The syslog sender should be the Aruba controller, which should be sending login/logout events to the PA-200. On the PA-200 you should have a syslog parser profile to parse these logs and extract the user-to-IP information.
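As an added illustration (not code from this thread, Palo Alto Networks or Aruba), the script below models what the syslog parser profile described in the reply above does on the firewall side, and also shows why the timeout suggested earlier in the thread matters: it keeps an IP-to-user table from login/logout events, replaces the mapping when a new user logs in from the same IP, and treats a mapping as expired once it is older than the configured timeout, so a teacher's stale mapping cannot be inherited by the next user when the logout event never reaches the firewall. The syslog lines, the `key=value` message format and the regular expressions are constructed for this example and are not the controller's real output; a real parser profile has to match whatever the Aruba controller actually sends.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample events in an assumed "key=value" message format.
# These are NOT real Aruba controller log lines.
SAMPLE_SYSLOG = [
    "2014-03-10 08:00:01 aruba-ctrl authmgr: User Authentication Successful: username=teacher1 ip=10.20.30.40 method=802.1x",
    "2014-03-10 08:45:10 aruba-ctrl authmgr: User De-authenticated: username=teacher1 ip=10.20.30.40",
    "2014-03-10 08:46:02 aruba-ctrl authmgr: User Authentication Successful: username=student7 ip=10.20.30.40 method=802.1x",
    "2014-03-10 08:46:30 aruba-ctrl authmgr: User Authentication Successful: username=student8 ip=10.20.30.41 method=802.1x",
]

TS_FMT = "%Y-%m-%d %H:%M:%S"
# Assumed patterns; a real syslog parser profile must be written against the controller's actual messages.
TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
LOGIN_RE = re.compile(r"User Authentication Successful: username=(?P<user>\S+) ip=(?P<ip>[\d.]+)")
LOGOUT_RE = re.compile(r"User De-authenticated: username=(?P<user>\S+) ip=(?P<ip>[\d.]+)")

# ip -> (username, timestamp of the event that last confirmed the mapping)
MappingTable = Dict[str, Tuple[str, datetime]]


def apply_event(table: MappingTable, line: str) -> Optional[str]:
    """Update the mapping table from one syslog line; returns 'login', 'logout' or None if unparsed."""
    ts_match = TS_RE.match(line)
    if not ts_match:
        return None
    ts = datetime.strptime(ts_match.group("ts"), TS_FMT)
    m = LOGIN_RE.search(line)
    if m:
        # A login for an IP replaces whatever user was mapped there before.
        table[m.group("ip")] = (m.group("user"), ts)
        return "login"
    m = LOGOUT_RE.search(line)
    if m:
        ip, user = m.group("ip"), m.group("user")
        # Remove the mapping only if it still belongs to the user who logged out,
        # so a late logout cannot erase a newer user's mapping on the same IP.
        if ip in table and table[ip][0] == user:
            del table[ip]
        return "logout"
    return None


def build_table(lines: Iterable[str]) -> MappingTable:
    """Replay a sequence of syslog lines into a fresh mapping table."""
    table: MappingTable = {}
    for line in lines:
        apply_event(table, line)
    return table


def lookup(table: MappingTable, ip: str, now: datetime, timeout: timedelta) -> Optional[str]:
    """Return the user currently mapped to ip, or None if there is no mapping or it has aged past timeout."""
    entry = table.get(ip)
    if entry is None:
        return None
    user, last_seen = entry
    if now - last_seen > timeout:
        return None
    return user


def expire(table: MappingTable, now: datetime, timeout: timedelta) -> List[str]:
    """Drop every mapping older than timeout and return the IPs that were removed."""
    stale = [ip for ip, (_, seen) in table.items() if now - seen > timeout]
    for ip in stale:
        del table[ip]
    return sorted(stale)


if __name__ == "__main__":
    now = datetime.strptime("2014-03-10 08:50:00", TS_FMT)
    one_hour = timedelta(hours=1)
    # Normal case: logout received, then the student's login replaces the teacher.
    print(lookup(build_table(SAMPLE_SYSLOG), "10.20.30.40", now, one_hour))
    # Failure case from the thread: the logout never arrives, so the teacher's mapping lingers
    # until the timeout expires it.
    stale = build_table(SAMPLE_SYSLOG[:1])
    print(lookup(stale, "10.20.30.40", now, one_hour))
    print(lookup(stale, "10.20.30.40", now + one_hour, one_hour))
```

Run as a script it prints `student7`, then `teacher1` (the stale mapping the original poster is seeing, still inside the timeout), then `None` once the timeout has elapsed. The `lookup` check on age is the model of the shortened timeout suggested earlier in the thread; `expire` is the periodic cleanup that the same timeout drives.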