show aaa state debug-statistics

Description

Displays debug statistics for controller authentication, authorization and accounting.

Syntax

No parameters.

Example

The following example displays debug statistics for a variety of authentication errors:

(host) #show aaa state debug-statistics

user miss: ARP=47, 8021Q=5216, non-IP=0, zero-IP=0, loopback=0

user miss: mac mismatch=0, spoof=269 (74), drop=390, ncfg=0

user miss: non-auth opcode=0, no-l2-user=0, l2tp=0, vrrp=0, special mac=0, iap l3 user=0

Idled users = 3376

Idled users due to MAC mismatch = 0

Idled users due to SOS: wireless tunnel=0 wireless dtunnel=0

Idled users due to SOS: wired tunnel=0 wired dtunnel=0

Idled users due to SOS: other=0

Idled users due STM deauth: tunnel=0 dtunnel=0

Idled users from STM timeout: tunnel=0 dtunnel=0

Idled users from STM: other=0

Current users with STM idle flag = 0

Idle messages: SOS=0 STM deauth=0 STM timeout=0

Logon lifetime iterations = 4501, entries deleted = 121

SIP authentication messages received 29227, dropped 29227

Missing auth user deletes: 0

Captive-portal forced user deletes: 1

Mobility Stats

INTRA_MS 0, MAC mismatch 0, HA mismatch 0

INTER_MS 0, MAC mismatch 0, HA mismatch 0

MIP Update 0, Move 0, Del 0, TunAcl 0

AAA Done 0, Del 2

IPIP Loop forced Del: 0, Validate Visitor 0

Auth User rejects Received

L2 User:0, IPV4 :0, IPV6:0

Auth User rejects Processed

L2 User:0, IPV4 :0, IPV6:0

The output of this command includes the following parameters:

Parameter

Description

User Miss

ARP

Number of ARP packets sent between the datapath and the controlpath.

8021q

Number of 802.1q (VLAN tag) packets sent between the datapath and the controlpath.

non-ip

Number of non-IP type packets sent between the datapath and the controlpath.

zero-ip

Number of packets sent without an internet protocol (IP).

loopback

If 1, the controller has a defined loopback address. If 0, a loopback address has not yet been configured.

mac mismatch

Number of users that were not authenticated due to MAC mismatches.

spoof

Number of users that were not authenticated due to spoofed IP addresses.

drop

Number of user authentication attempts that were dropped.

ncfg

Number of packets sent between datapath and controlpath, where the authentication module has not completed the initialization required to process the traffic.

Non-auth opcode

Number of packets whose opcode is a non-auth opcode. This check determines whether auth is responsible for processing the received packet.

No-l2-user

Number of user packets dropped due to the absence of an L2 entry for the user.

l2tp

Number of l2tp users.

vrrp

Number of VRRP users.

special mac

Number of users with a special MAC address.

iap

Number of instant AP users.

idled users

Number of inactive stations that are not broadcasting data to an AP.

idled users due to MAC mismatch

For internal use only.

Idled users due to SOS

wireless tunnel

Number of wireless users in tunnel forwarding mode that were aged out by the controller.

wireless dtunnel

Number of wireless users in decrypt tunnel forwarding mode that were aged out by the controller.

wired tunnel

Number of wired users in tunnel forwarding mode that were aged out by the controller.

wired dtunnel

Number of wired users in decrypt tunnel forwarding mode that were aged out by the controller.

Other

Number of users in forwarding modes other than tunnel or decrypt tunnel that were aged out by the controller.

Idled users due STM deauth

tunnel

Number of users in tunnel forwarding mode that aged out after STM deauthentication and timer expiration.

dtunnel

Number of users in decrypt tunnel forwarding mode that aged out after STM deauthentication and timer expiration.

Idled users from STM timeout

tunnel

Number of users in tunnel forwarding mode that aged out after the STM timer expired.

dtunnel

Number of users in decrypt tunnel forwarding mode that aged out after the STM timer expired.

Idled users from STM

other

Number of users in forwarding modes other than decrypt tunnel or tunnel mode that aged out after the STM timer expired.

Logon lifetime iteration

Number of users deleted for lack of activity.

SIP authentication message

Number of Session Initiation Protocol (SIP) authentication messages received.

Missing auth user deletes

Number of users removed from the datapath by the auth module, even without a mapping entry in control path. This counter can help identify problems with messages sent between the controlpath and the datapath.

Mobility Stats

Number of different messages exchanged between the mobile IP and the auth module.

This is used for troubleshooting purposes only.

Captive-portal forced user deletes

Number of idle users deleted after captive portal authentication.

Auth User Rejects Received

L2 User

Number of authentication rejects received for L2 users from the datapath due to a failure of the operation.

IPv4

Number of authentication rejects received for IPv4 users from the datapath due to a failure of the operation.

IPv6

Number of authentication rejects received for IPv6 users from the datapath due to a failure of the operation.

Auth User Rejects Processed

L2 User

Number of authentication rejects for L2 users that were processed after the reject was received.

IPv4

Number of authentication rejects for IPv4 users that were processed after the reject was received.

IPv6

Number of authentication rejects for IPv6 users that were processed after the reject was received.
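
The following is an added example, not part of the original reference page or of ArubaOS: a parser for the name=value lines of this command's output that compares two snapshots and reports growth in the user miss counters described above. The second snapshot, the watch thresholds, and the assumption that the counters only increase between snapshots are constructed for illustration.

```python
import re

# Constructed snapshots in the format of the page's sample output; BEFORE
# reuses the page's values, AFTER is invented for the comparison.
BEFORE = """\
(host) #show aaa state debug-statistics
user miss: ARP=47, 8021Q=5216, non-IP=0, zero-IP=0, loopback=0
user miss: mac mismatch=0, spoof=269 (74), drop=390, ncfg=0
Idled users = 3376
Idled users due to SOS: wireless tunnel=0 wireless dtunnel=0
Logon lifetime iterations = 4501, entries deleted = 121
"""
AFTER = BEFORE.replace("spoof=269 (74)", "spoof=812 (74)").replace("drop=390", "drop=395")

# name=value pair; a parenthesised number after the value is not captured.
PAIR = re.compile(r"([^=,]+?)\s*=\s*(\d+)")
# Hypothetical per-interval thresholds (assumptions, tune per deployment).
WATCH = {"user miss/spoof": 100, "user miss/mac mismatch": 1, "user miss/drop": 100}

def parse_counters(text):
    """Return {"section/name": int} for every name=value pair in the output."""
    counters = {}
    for line in text.splitlines():
        if "=" not in line:
            continue  # prompt, headers and "name value" lines are out of scope here
        section, rest = "", line
        colon = line.find(":")
        if 0 <= colon < line.find("="):
            # Text before the colon (e.g. "user miss") qualifies the names after it.
            section, rest = line[:colon].strip() + "/", line[colon + 1:]
        for name, value in PAIR.findall(rest):
            counters[section + name.strip()] = int(value)
    return counters

def alerts(before, after, watch=WATCH):
    """List (counter, increase) for watched counters that grew by >= threshold."""
    old, new = parse_counters(before), parse_counters(after)
    out = []
    for key, threshold in watch.items():
        delta = new.get(key, 0) - old.get(key, 0)
        if delta >= threshold:  # a negative delta (counters reset) never alerts
            out.append((key, delta))
    return out

if __name__ == "__main__":
    for key, delta in alerts(BEFORE, AFTER):
        print(f"{key} grew by {delta} between snapshots")
```
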

Command History

Command

Description

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms: All platforms

Licensing: Base operating system.

Command Mode: Enable or Config mode on Mobility Master.