06-25-2014 05:59 AM - edited 03-10-2019 09:49 PM
I have a question - is there a way I can debug AAA, RADIUS, and EAP communication on a switch for a particular MAC address (endpoint) only?
Thanks.
06-25-2014 11:43 AM
In order to troubleshoot the interaction between the WLC and the authentication server (external RADIUS or internal EAP server), use the command debug AAA all enable, which shows the required details. This command should be used after the debug client <MACAddress> command and can be combined with other debug commands as needed (for example, handoff).
(Cisco Controller) >debug client 00:00:00:00:00:00
(Cisco Controller) >debug aaa all enable
(Cisco Controller) >show debug
MAC address ................................ 00:00:00:00:00:00
Debug Flags Enabled:
  aaa detail enabled.
  aaa events enabled.
  aaa packet enabled.
  aaa packet enabled.
  aaa ldap enabled.
  aaa local-auth db enabled.
  aaa local-auth eap framework errors enabled.
  aaa local-auth eap framework events enabled.
  aaa local-auth eap framework packets enabled.
  aaa local-auth eap framework state machine enabled.
  aaa local-auth eap method errors enabled.
  aaa local-auth eap method events enabled.
  aaa local-auth eap method packets enabled.
  aaa local-auth eap method state machine enabled.
  aaa local-auth shim enabled.
  aaa tacacs enabled.
  dhcp packet enabled.
  dot11 mobile enabled.
  dot11 state enabled
  dot1x events enabled
  dot1x states enabled.
  mobility handoff enabled.
  pem events enabled.
  pem state enabled.
06-25-2014 10:37 PM
I am not sure about a particular MAC address but if you know the switchport where the client is connecting you can use the following command to limit the debug to that interface only:
debug condition interface interface
http://www.cisco.com/c/en/us/td/docs/ios/12_2/debug/command/reference/122debug/dbfcndtr.html
Hope this helps!
Thank you for rating helpful posts!