
show user-table

show user-table

ap-group <ap-group>

ap-name <ap-name>

authentication-method dot1x|mac|opensystem|psk|stateful-dot1x|via-vpn|vpn|web

bssid <A:B:C:D:E:F>

devtype <device>

debug

essid <STRING>

internal

ip <A.B.C.D> [log]|[detail]

mac <A:B:C:D:E:F> [log]

mobile {[bindings][visitors]}

name <STRING>

phy-type {[a]|[b]}

role <STRING>

rows <NUMBER> <NUMBER>

standby [ipv4]|[ipv6]|[log]|[mac]

station

summary

unique

verbose

Description

Displays detailed information about the controller’s connection to a user device, including mobility state and statistics, authentication statistics, VLAN assignment method, AP datapath tunnel information, RADIUS accounting statistics, user name, user-role derivation method, datapath session flow entries, and 802.11 association state and statistics. The show user command allows you to filter specific information by parameter.

Syntax

Parameter

Description

ap-group <ap-group>

Filter the output of this command by showing users connected to APs that belong to the specified AP group.

ap-name <ap-name>

Filter the output of this command by showing users connected to an AP with the specified AP name.

authentication-method

Filter the output of this command by the authentication method used for the device:

dot1x

Show data for devices using 802.1X authentication.

mac

Show data for devices using MAC authentication.

opensystem

Show data for devices using open (no) authentication.

psk

Show data for devices that do not use authentication but use a pre-shared key for encryption.

stateful-dot1x

Show data for devices using stateful 802.1X authentication.

via-vpn

Show data for devices that authenticate using Aruba VIA.

vpn

Show data for devices using VPN authentication.

web

Show data for devices using captive portal authentication.

bssid <A:B:C:D:E:F>

Show user data for a specific device BSSID.

debug

Show all user data for debugging purposes.

devtype <device>

Show output for a specified device type, if identified. If the device name includes spaces, you must enclose it in quotation marks.

essid <STRING>

Show user data for a specific ESSID. If the ESSID includes spaces, you must enclose it in quotation marks.

internal

Display internal user entries only. Include the rows option to filter the output of this command by specifying the number of rows from the end of the output and the total number of rows to display.

ip <A.B.C.D>

Show user data for a specific IP address.

log

If per-user logging is enabled using the aaa log command, include the optional log parameter to display authentication log files for a user with the specified MAC address.

detail

Show detailed user data for a specific IP address including role-derivation.

mac <A:B:C:D:E:F>

Show user data for a specific MAC address.

log

If per-user logging is enabled using the aaa log command, include the optional log parameter to display authentication log files for a user with the specified MAC address.

mobile

Filter the output of this command to show data for Mobile users.

bindings

Show data for users that have moved away from their home network.

visitors

Show data for mobility users that are visiting the network.

name <STRING>

User’s name.

phy-type

802.11 type

a

Matches PHY type a.

g

Matches PHY type b or g.

role <STRING>

User role such as employee, visitor and so on.

rows <NUMBER> <NUMBER>

Filter the output of the show user command by specifying the number of rows from the end of the output and the total number of rows to display.

standby

User standby entries

ipv4

User standby entries for the IPv4 address specified.

ipv6

User standby entries for the IPv6 address specified.

log

Debug log of the specified user.

mac

User standby entries for the MAC address specified.

station

For internal use only.

summary

Shows the authentication and encryption type used by wired or wireless clients.

unique

Displays only information for users with a valid IP address.

verbose

Displays all information about the user table.

Usage Guidelines

Use the show user-table command to show detailed user statistics, which include the entire output of the user-table, mobility state and statistics, authentication statistics, VLAN assignment method, AP datapath tunnel information, RADIUS accounting statistics, user-role derivation method, datapath session flow entries, and 802.11 association state and statistics.

Examples

This example displays users currently in the employee role. The output of this command is split into two tables in this document; however, it appears in one table in the CLI.

(host) [mynode] (config) show user role employee

Users

-----

IP MAC Name Role Age(d:h:m) Auth VPN link AP name

---------- ------------ ------ ---- ---------- ---- -------- -------

192.168.160.1 00:23:6c:80:3d:bc madisonl employee 01:05:50 802.1X 1263

10.100.105.100 00:05:4e:45:5e:c8 CORP1NETWORKS employee 00:02:22 802.1X wlan-qa-cage

10.100.105.102 00:14:a5:30:c2:7f pdedhia employee 01:20:09 802.1X 2198

10.100.105.97 00:1b:77:c4:a2:fa CORP1NETWORKS employee 00:02:18 802.1X 2198

10.100.105.109 00:21:5c:02:16:bb myao employee 00:05:40 802.1X 1109

 

Users

-----

Roaming Essid/Bssid/Phy Profile Forward mode Type

------- --------------- ------- ------------ ----

Associated ethersphere-wpa2/00:1a:1e:85:d3:b1/a-HT default tunnel

Associated ethersphere-wpa2/00:1a:1e:6f:e5:51/a default tunnel

Associated ethersphere-wpa2/00:1a:1e:87:ef:f1/a default tunnel

Associated ethersphere-wpa2/00:1a:1e:87:ef:f1/a default tunnel

Associated ethersphere-wpa2/00:1a:1e:85:c2:11/a-HT default tunnel ipad

 

The output of the show user mac <mac-addr> and show user ip <ip-addr> commands includes the following information.

(host) [mynode]) # show user-table ip 5.5.5.2

Name: 98:0c:82:45:d6:7b, IP: 5.5.5.2, MAC: 98:0c:82:45:d6:7b, Role: mac-role, ACL: 54/0/0, Age: 00:00:07

Authentication: Yes, status: started, method: MAC, protocol: PAP, server: Internal

Bandwidth = No Limit

Bandwidth = No Limit

Role Derivation: default for authentication type MAC

VLAN Derivation: unknown

Idle timeouts: 0, Valid ARP: 0

Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0

Flags: internal=0, trusted_ap=0, l3auth=0, mba=1, vpnflags=0, u_stm_ageout=1

Flags: innerip=0, outerip=0, vpn_outer_ind:0, guest=0, download=1, wispr=0

Auth fails: 0, phy_type: g-HT, reauth: 0, BW Contract: up:0 down:0, user-how: 14

Vlan default: 3, Assigned: 5, Current: 5 vlan-how: 0 DP assigned vlan:0

Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0

Tunnel=0, SlotPort=0x2000, Port=0x1000d (tunnel 13)

Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role: n/a

Current Role name: mac-role, role-how: 1, L2-role: mac-role, L3-role: mac-role

Essid: 1_wlan_135, Bssid: d8:c7:c8:38:f4:a0 AP name/group: d8:c7:c8:cb:8f:4a-135/groupfor135 Phy-type: g-HT

RadAcct sessionID:n/a

RadAcct Traffic In 4/216 Out 2/420 (0:4/0:0:0:216,0:2/0:0:0:420)

Timers: reauth 0

Profiles AAA:1_wlan_135-aaa_prof, dot1x:dot1x_prof-rwv10, mac:pMac CP: def-role:'logon' sip-role:'' via-auth-profile:''

ncfg flags udr 0, mac 1, dot1x 1, RADIUS interim accounting 0

IP Born: 1354560806 (Mon Dec 3 10:53:26 2012)

Core User Born: 1354560805 (Mon Dec 3 10:53:25 2012)

Upstream AP ID: 0, Downstream AP ID: 0

Device Type: Dalvik/1.4.0 (Linux; U; Android 2.3.6; SAMSUNG-SGH-I777 Build/GINGERBREAD)

Session Timeout from Radius: No, Session Timeout Value:0

Address is from DHCP: yes

The role-how and vlan-how parameters in the output of this command display a code that corresponds to the following values:

Role Derivation Code

Description

1

AAA profile default role

2

Role derived from user rules

3

Role derived from UDR

4

Default role for authentication type

5

Role derived from server rules

6

Aruba vendor-specific attribute (VSA)

7

Dot1X profile role

8

Dot1X server derived role

9

Dot1X role derived from Aruba VSA

10

Dot1X role derived from ClearPass Policy Manager VSA

11

Role derived from DHCP option

12

Change of authorization role

13

Forced role set by ESI

14

Role derived from mobility

15

Role assigned by external/internal captive portal

16

Role assigned by SIP

17

SDR derived role during L3 authentication

18

VSA derived role during L3 authentication

19

ClearPass Policy Manager VSA derived role during L3 authentication

20

Authentication type VPN role (VIA, VPN, or Transport VPN)

21

Authentication type role (BTLM, Kerb, GIS, or so on)

22

System assigned AP role

 

VLAN Derivation Code

Description

1

Default VLAN

2

Initial role contained

3

User rule role contained

4

Matched user rule

5

DHCP Option 77 role contained

6

Matched DHCP Option 77

7

MBA role contained

8

MBA server rule role contained

9

MBA server rule

10

MBA Aruba VSA role contained

11

MBA Aruba VSA

12

MBA MSFT attributes

13

User Dot1X role contained

14

Dot1X server rule role contained

15

Dot1X server rule

16

Dot1X Aruba VSA role contained

17

Dot1X Aruba VSA

18

Dot1X MSFT attributes

19

VLAN from pmk-cache

20

DHCP options user rule role contained

21

DHCP options user rule

30

Adaptive DHCP VLAN
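When auditing why a client landed in a given role or VLAN, the role-how and vlan-how codes in the detail output can be decoded against the two tables above. The following parser is an added example, not Aruba's code; the function and field names are hypothetical, and the sample is an excerpt of the output shown on this page. Codes that a table does not list, such as the vlan-how: 0 in that sample, are reported as unlisted rather than guessed.

```python
import re

def _table(spec):
    return {int(k): v for k, v in (e.split("=", 1) for e in spec.split(";"))}
# code -> description, transcribed from the two derivation-code tables on this page.
ROLE_HOW = _table(
    "1=AAA profile default role;2=Role derived from user rules;3=Role derived from UDR;"
    "4=Default role for authentication type;5=Role derived from server rules;"
    "6=Aruba vendor-specific attribute (VSA);7=Dot1X profile role;8=Dot1X server derived role;"
    "9=Dot1X role derived from Aruba VSA;10=Dot1X role derived from ClearPass Policy Manager VSA;"
    "11=Role derived from DHCP option;12=Change of authorization role;13=Forced role set by ESI;"
    "14=Role derived from mobility;15=Role assigned by external/internal captive portal;"
    "16=Role assigned by SIP;17=SDR derived role during L3 authentication;"
    "18=VSA derived role during L3 authentication;"
    "19=ClearPass Policy Manager VSA derived role during L3 authentication;"
    "20=Authentication type VPN role (VIA, VPN, or Transport VPN);"
    "21=Authentication type role (BTLM, Kerb, GIS, or so on);22=System assigned AP role")
VLAN_HOW = _table(
    "1=Default VLAN;2=Initial role contained;3=User rule role contained;4=Matched user rule;"
    "5=DHCP Option 77 role contained;6=Matched DHCP Option 77;7=MBA role contained;"
    "8=MBA server rule role contained;9=MBA server rule;10=MBA Aruba VSA role contained;"
    "11=MBA Aruba VSA;12=MBA MSFT attributes;13=User Dot1X role contained;"
    "14=Dot1X server rule role contained;15=Dot1X server rule;16=Dot1X Aruba VSA role contained;"
    "17=Dot1X Aruba VSA;18=Dot1X MSFT attributes;19=VLAN from pmk-cache;"
    "20=DHCP options user rule role contained;21=DHCP options user rule;30=Adaptive DHCP VLAN")

# Hypothetical field names -> (pattern over the CLI text, converter).
FIELDS = {
    "ip": (r"\bIP: ([^,\s]+)", str),
    "mac": (r"\bMAC: ([0-9A-Fa-f:]{17})", str),
    "role": (r"\bRole: ([^,\s]+)", str),
    "auth_method": (r"\bmethod: ([^,\s]+)", str),
    "vlan_assigned": (r"\bAssigned: (\d+)", int),
    "role_how": (r"\brole-how: (\d+)", int),
    "vlan_how": (r"\bvlan-how: (\d+)", int),
}

def parse_user_detail(text):
    # A field that does not appear in the output is returned as None.
    rec = {}
    for name, (pattern, conv) in FIELDS.items():
        m = re.search(pattern, text)
        rec[name] = conv(m.group(1)) if m else None
    return rec

def audit(text):
    # Decode both codes; a code absent from its table is reported, not guessed.
    rec = parse_user_detail(text)
    for field, table in (("role_how", ROLE_HOW), ("vlan_how", VLAN_HOW)):
        code = rec[field]
        rec[field + "_meaning"] = table.get(code, f"code {code} is not listed")
    return rec

# Excerpt of the "show user-table ip 5.5.5.2" sample output on this page.
SAMPLE = """\
Name: 98:0c:82:45:d6:7b, IP: 5.5.5.2, MAC: 98:0c:82:45:d6:7b, Role: mac-role, ACL: 54/0/0, Age: 00:00:07
Authentication: Yes, status: started, method: MAC, protocol: PAP, server: Internal
Auth fails: 0, phy_type: g-HT, reauth: 0, BW Contract: up:0 down:0, user-how: 14
Vlan default: 3, Assigned: 5, Current: 5 vlan-how: 0 DP assigned vlan:0
Current Role name: mac-role, role-how: 1, L2-role: mac-role, L3-role: mac-role
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```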

Related Commands

Command

Description

user-role

This command configures a user role.

Command History

Release

Modification

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms

Licensing

Command Mode

All platforms

Base operating system.

Enable and Config mode on Mobility Master and managed devices.
