
Debug AAA/RADIUS for a particular mac address only

sburnwal
Cisco Employee

I have a question: is there a way I can debug AAA, RADIUS, EAP communication on a switch for a particular MAC address (endpoint) only?

Thanks.
 

Accepted Solutions

mohanak
Cisco Employee

EAP Authentication

In order to troubleshoot the interaction between the WLC and the authentication server (external RADIUS or internal EAP server), use the command debug AAA all enable, which shows the required details. This command should be used after the debug client <MACAddress> command and can be combined with other debug commands as needed (for example, handoff).

(Cisco Controller) >debug client 00:00:00:00:00:00
(Cisco Controller) >debug aaa all enable 
(Cisco Controller) >show debug
MAC address ................................ 00:00:00:00:00:00
Debug Flags Enabled:
  aaa detail enabled.
  aaa events enabled.
  aaa packet enabled.
  aaa packet enabled.
  aaa ldap enabled.
  aaa local-auth db enabled.
  aaa local-auth eap framework errors enabled.
  aaa local-auth eap framework events enabled.
  aaa local-auth eap framework packets enabled.
  aaa local-auth eap framework state machine enabled.
  aaa local-auth eap method errors enabled.
  aaa local-auth eap method events enabled.
  aaa local-auth eap method packets enabled.
  aaa local-auth eap method state machine enabled.
  aaa local-auth shim enabled.
  aaa tacacs enabled.
  dhcp packet enabled.
  dot11 mobile enabled.
  dot11 state enabled
  dot1x events enabled
  dot1x states enabled.
  mobility handoff enabled.
  pem events enabled.
  pem state enabled.

2 Replies

nspasov
Cisco Employee

I am not sure about a particular MAC address, but if you know the switchport where the client is connecting, you can use the following command to limit the debug to that interface only:

debug condition interface <interface>

http://www.cisco.com/c/en/us/td/docs/ios/12_2/debug/command/reference/122debug/dbfcndtr.html

Hope this helps!

 

Thank you for rating helpful posts!