Troubleshooting Central Web Authentication

02-Aug-23

This topic describes how to get detailed diagnostic information by enabling tracing of authentication operations on the EX Series switch.

Aruba ClearPass Policy Manager provides additional detailed diagnostic information. See your Aruba ClearPass documentation for more information.

Troubleshooting Using Trace Options

You can enable trace options for the 802.1X protocol. The following set of commands enables the writing of trace logs to a file named dot1x:

user@Policy-EX4300-01# set protocols dot1x traceoptions file dot1x
user@Policy-EX4300-01# set protocols dot1x traceoptions file size 5m
user@Policy-EX4300-01# set protocols dot1x traceoptions flag all

Use the show log CLI command to display the contents of the trace log file. For example:

user@Policy-EX4300-01> show log dot1x
user@Policy-EX4300-01> show log dot1x | last 10 | refresh

You can also display the contents of the trace log file from the UNIX-level shell. For example:

user@Policy-EX4300-01> start shell 
user@Policy-EX4300-01:RE:0% tail -f /var/log/dot1x 

Troubleshooting the JNPR_RSVD_FILTER_CWA Firewall Filter

The JNPR_RSVD_FILTER_CWA firewall filter is dynamically installed in the Packet Forwarding Engine (PFE). Because it is not configured through the Junos CLI, you cannot view the filter terms using the CLI.

You can use the Junos OS vty shell command to connect to the PFE to obtain more information about the JNPR_RSVD_FILTER_CWA filter. In the examples below, the vty command is used to see detailed information about the filter JNPR_RSVD_FILTER_CWA that is installed as part of the MAC RADIUS authentication process.

Note:

The vty command is a hidden command and is not supported by JTAC. Because vty commands are undocumented and their use can cause network disruption or operational issues, using vty is not generally recommended.

  1. Start vty.

    user@Policy-EX4300-01> start shell 
    user@Policy-EX4300-01:RE:0% vty fpc0
    
  2. Use the show filter command to determine the index number of the filter on ge-0/0/22.

    (vty)# sh filter   
    Program Filters:
    ---------------
       Index     Dir     Cnt    Text     Bss  Name
    --------  ------  ------  ------  ------  --------
    
    Term Filters:
    ------------
       Index    Semantic    Name
    --------  ----------------
           1  Classic   Client_Policy
           2  Classic   guest_access_policy_1
           3  Classic   test_cwa_ISE
           4  Classic   IPPhone_mac_auth_policy1
           5  Classic   IPPhone_mac_auth_policy_1
       17000  Classic   __default_arp_policer__
       57006  Classic   __jdhcpd__
       57007  Classic   __dhcpv6__
       57008  Classic   __cfm_filter_shared_lc__
       65008  Classic   __jdhcpd_l2_snoop_filter__
    12582912  Classic   dot1x_ge-0/0/6
    12582913  Classic   dot1x_ge-0/0/8
    12582914  Classic   dot1x_ge-0/0/22
    46137360  Classic   pfe-cos-cl-553-5-1
    46137361  Classic   pfe-cos-cl-554-5-1
    46137362  Classic   pfe-cos-cl-555-5-1
    
  3. Display the counters associated with the filter.

    (vty)# sh filter index 12582914 counters    
    Filter Counters/Policers:
       Index          Packets                 Bytes  Name
    --------  ---------------  --------------------  --------
    12582914                0                     0  CWA_arp_0050569b037f
    12582914                0                     0  CWA_destip_0050569b037f
    12582914                0                     0  CWA_dhcp_0050569b037f
    12582914                0                     0  CWA_https_0050569b037f
    12582914                0                     0  CWA_t_dns_0050569b037f
    12582914                0                     0  CWA_u_dns_0050569b037f
    12582914                0                     0  dot1x_ge-0/0/22_CWA_http_0050569b037f
    
  4. Display the terms of the filter.

    (vty)# sh filter index 12582914 program
    Filter index = 12582914
    Optimization flag: 0x0
    Filter notify host id = 0
    Filter properties: None
    Filter state = CONSISTENT
    term CWA_destip_0050569b037f
    term priority 0
        smac  
            0.80.86.155.3.127/48
        ip-destination-address  
            10.105.5.153/32
    
        then
            accept
            count CWA_destip_0050569b037f
    term CWA_t_dns_0050569b037f
    term priority 0
        smac  
            0.80.86.155.3.127/48
        ip-protocol  
             6 
        destination-port  
             53 
    
        then
            accept
            count CWA_t_dns_0050569b037f
    term CWA_u_dns_0050569b037f
    term priority 0
        smac  
            0.80.86.155.3.127/48
        ip-protocol 
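
The filter output above prints the client's source MAC in dotted decimal (0.80.86.155.3.127/48), while the term and counter names carry the same MAC in hex (0050569b037f). The following Python script is an added example, not part of the Juniper documentation: it parses saved output of the sh filter index ... program command and checks that each term's smac match equals the MAC embedded in the term name. The function names and the indentation rule it relies on are assumptions of this example.

```python
import re

# Constructed sample: one complete term copied from the
# "sh filter index 12582914 program" output shown on this page.
SAMPLE = """\
Filter index = 12582914
term CWA_t_dns_0050569b037f
term priority 0
    smac
        0.80.86.155.3.127/48
    ip-protocol
         6
    destination-port
         53

    then
        accept
        count CWA_t_dns_0050569b037f
"""

def smac_to_hex(smac):
    """PFE dotted-decimal MAC '0.80.86.155.3.127/48' -> '0050569b037f'."""
    octets = [int(o) for o in smac.split("/")[0].split(".")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a 6-octet MAC: {smac!r}")
    return "".join(f"{o:02x}" for o in octets)

def parse_terms(text):
    """Return {term: {key: [values]}}. Assumes the layout above:
    keys are indented 4 spaces, their values are indented deeper."""
    terms, cur, key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"term (\S+)", line)  # "term priority 0" does not match
        if m:
            cur, key = terms.setdefault(m.group(1), {}), None
        elif cur is None or not line or not raw.startswith(" "):
            continue
        elif len(raw) - len(raw.lstrip()) == 4:
            key = line
            cur[key] = []
        elif key:
            cur[key].append(line)
    return terms

def mac_binding(terms):
    """For each term: does the MAC suffix in its name equal its smac match?"""
    return {name: bool(t.get("smac")) and name.endswith("_" + smac_to_hex(t["smac"][0]))
            for name, t in terms.items()}
```

A False value from mac_binding means the term name and the source MAC it matches on disagree, so the hex MAC from the counter names can be compared against the client's session before reading the zeroed or non-zero counters.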