Troubleshooting Central Web Authentication
This topic describes how you get detailed diagnostic information by enabling tracing of authentication operations on the EX Series switch.
Aruba ClearPass Policy Manager provides additional detailed diagnostic information. See your Aruba ClearPass documentation for more information.
Troubleshooting Using Trace Options
You can enable trace options for the 802.1X protocol. The following set of commands enables the writing of trace logs to a file named dot1x:
user@Policy-EX4300-01# set protocols dot1x traceoptions file dot1x
user@Policy-EX4300-01# set protocols dot1x traceoptions file size 5m
user@Policy-EX4300-01# set protocols dot1x traceoptions flag all
Use the show log CLI command to display the contents of the trace log file. For example:
user@Policy-EX4300-01> show log dot1x
user@Policy-EX4300-01> show log dot1x | last 10 | refresh
You can also display the contents of the trace log file from the UNIX-level shell. For example:
user@Policy-EX4300-01> start shell
user@Policy-EX4300-01:RE:0% tail -f /var/log/dot1x
Troubleshooting the JNPR_RSVD_FILTER_CWA Firewall Filter
The JNPR_RSVD_FILTER_CWA firewall filter is dynamically installed in the Packet Forwarding Engine (PFE). Because it is not configured through the Junos CLI, you cannot view the filter terms using the CLI.
You can use the Junos OS vty shell command to connect to the PFE to obtain more information about the JNPR_RSVD_FILTER_CWA filter. In the examples below, the vty command is used to see detailed information about the filter JNPR_RSVD_FILTER_CWA that is installed as part of the MAC RADIUS authentication process.
The vty command is a hidden command and is not supported by JTAC. Because vty commands are undocumented and their use can cause network disruption or operational issues, using vty is not generally recommended.
Start vty.
user@Policy-EX4300-01> start shell
user@Policy-EX4300-01:RE:0% vty fpc0
Use the show filter command to determine the index number of the filter on ge-0/0/22.
(vty)# sh filter
Program Filters:
---------------
   Index     Dir     Cnt    Text     Bss  Name
--------  ------  ------  ------  ------  --------

Term Filters:
------------
   Index    Semantic   Name
--------  ----------------
       1  Classic      Client_Policy
       2  Classic      guest_access_policy_1
       3  Classic      test_cwa_ISE
       4  Classic      IPPhone_mac_auth_policy1
       5  Classic      IPPhone_mac_auth_policy_1
   17000  Classic      __default_arp_policer__
   57006  Classic      __jdhcpd__
   57007  Classic      __dhcpv6__
   57008  Classic      __cfm_filter_shared_lc__
   65008  Classic      __jdhcpd_l2_snoop_filter__
12582912  Classic      dot1x_ge-0/0/6
12582913  Classic      dot1x_ge-0/0/8
12582914  Classic      dot1x_ge-0/0/22
46137360  Classic      pfe-cos-cl-553-5-1
46137361  Classic      pfe-cos-cl-554-5-1
46137362  Classic      pfe-cos-cl-555-5-1
Display the counters associated with the filter.
(vty)# sh filter index 12582914 counters
Filter Counters/Policers:
   Index          Packets                 Bytes  Name
--------  ---------------  --------------------  --------
12582914                0                     0  CWA_arp_0050569b037f
12582914                0                     0  CWA_destip_0050569b037f
12582914                0                     0  CWA_dhcp_0050569b037f
12582914                0                     0  CWA_https_0050569b037f
12582914                0                     0  CWA_t_dns_0050569b037f
12582914                0                     0  CWA_u_dns_0050569b037f
12582914                0                     0  dot1x_ge-0/0/22_CWA_http_0050569b037f
Display the terms of the filter.
(vty)# sh filter index 12582914 program
Filter index = 12582914
Optimization flag: 0x0
Filter notify host id = 0
Filter properties: None
Filter state = CONSISTENT
term CWA_destip_0050569b037f
term priority 0
    smac
        0.80.86.155.3.127/48
    ip-destination-address
        10.105.5.153/32
    then
        accept
        count CWA_destip_0050569b037f
term CWA_t_dns_0050569b037f
term priority 0
    smac
        0.80.86.155.3.127/48
    ip-protocol
        6
    destination-port
        53
    then
        accept
        count CWA_t_dns_0050569b037f
term CWA_u_dns_0050569b037f
term priority 0
    smac
        0.80.86.155.3.127/48
    ip-protocol
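
In the listing above, each term name ends in the client MAC address in hexadecimal (0050569b037f), while the smac match prints the same six octets in decimal (0.80.86.155.3.127). The following Python is an added example, not Juniper code: it parses saved output of the sh filter index ... program command and checks each term's smac against the MAC in its name. The function names are hypothetical, and it assumes every term is scoped by smac, as the terms shown here are.

```python
# SAMPLE holds the two complete terms from the listing above; the parser ignores layout.
SAMPLE = """
term CWA_destip_0050569b037f term priority 0 smac 0.80.86.155.3.127/48
  ip-destination-address 10.105.5.153/32 then accept count CWA_destip_0050569b037f
term CWA_t_dns_0050569b037f term priority 0 smac 0.80.86.155.3.127/48
  ip-protocol 6 destination-port 53 then accept count CWA_t_dns_0050569b037f
"""

def smac_to_hex(smac):
    """'0.80.86.155.3.127/48' -> '0050569b037f' (decimal octets to hex)."""
    octets = smac.split("/")[0].split(".")
    if len(octets) != 6 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"unexpected smac format: {smac!r}")
    return "".join(f"{int(o):02x}" for o in octets)

def parse_terms(text):
    """Whitespace-agnostic parse into dicts: name, priority, match, then."""
    tok, terms, in_then, i = text.split(), [], False, 0
    while i < len(tok):
        nxt = tok[i + 1] if i + 1 < len(tok) else None  # None: output cut off
        if tok[i] == "term" and nxt == "priority" and terms:
            terms[-1]["priority"] = tok[i + 2] if i + 2 < len(tok) else None
            i += 3
        elif tok[i] == "term" and nxt is not None:
            terms.append({"name": nxt, "priority": None, "match": {}, "then": []})
            in_then, i = False, i + 2
        elif not terms or tok[i] == "term":
            i += 1                       # header text, or a dangling "term"
        elif tok[i] == "then":
            in_then, i = True, i + 1
        elif in_then:
            terms[-1]["then"].append(tok[i])
            i += 1
        else:                            # match keyword followed by its value
            terms[-1]["match"][tok[i]] = nxt
            i += 2
    return terms

def check_terms(terms):
    """Assumption: every term is scoped by smac, as in the terms shown above."""
    problems = []
    for t in terms:
        smac = t["match"].get("smac")
        if smac is None:
            problems.append((t["name"], "no smac match"))
        elif not t["name"].endswith("_" + smac_to_hex(smac)):
            problems.append((t["name"], "smac differs from name suffix"))
    return problems
```

A match keyword whose value is missing because the capture was cut off, as with the last ip-protocol above, is recorded with the value None rather than raising an error.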