The most common use case where duplicate auth table entries can occur is documented below:
1. If 802.1X authentication is being used in the environment AND neither the Pulse Desktop Client nor the OAC client is in use, the PPS appliance has no way to identify the endpoint's IP address. This can be solved by one of the following:
a) RADIUS Accounting Start or Interim messages that contain the IP address of the connected endpoint can be sent from the NAS device (switch or wireless access point).
b) IF-MAP is in use by a DHCP server. This allows the IP ADDRESS <> MAC ADDRESS linkage to be published; the IP address is then provided to the IF-MAP client where the user signs in.
In either case, it is critical that when an endpoint disconnects from the network, the session is removed from the PPS appliance. This can be accomplished either by sending an Accounting STOP message for the session or by the IF-MAP client (the DHCP server) deleting the entry on the IF-MAP server. If neither happens, a stale session is left in the active user table and will not age out until the role timer for that session is reached.
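The following is an added example, not part of the original article or of the PPS product, showing how the accounting flow described above drives a session table and how a missing Accounting Stop produces a duplicate entry on reconnect. The log format is a constructed simplification; the field names follow standard RADIUS accounting attributes, not any PPS or SRX log format.

```python
"""Replay constructed RADIUS accounting events against a minimal session table.

Shows (1) the endpoint IP being learned from a Start or Interim message and
(2) a second Start for a MAC whose earlier session never received a Stop,
which is the stale-session / duplicate-entry condition described above."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, one Accounting-Request per line:
# <time> <Acct-Status-Type> <Acct-Session-Id> <User-Name> <Calling-Station-Id> [Framed-IP-Address]
SAMPLE_ACCOUNTING = """\
09:00:01 Start   s-1001 alice 00-11-22-33-44-55
09:00:05 Interim s-1001 alice 00-11-22-33-44-55 10.1.2.50
09:30:00 Stop    s-1001 alice 00-11-22-33-44-55 10.1.2.50
10:00:00 Start   s-2001 bob   00-aa-bb-cc-dd-ee 10.1.2.77
10:20:00 Start   s-2002 bob   00-aa-bb-cc-dd-ee 10.1.2.77
"""


@dataclass
class Session:
    session_id: str
    user: str
    mac: str
    ip: Optional[str]  # unknown until Start/Interim carries Framed-IP-Address


def replay_accounting(log: str) -> Tuple[Dict[str, Session], List[str]]:
    """Return the active-session table keyed by Acct-Session-Id, plus warnings
    for every Start that arrives while the same MAC still has an open session."""
    active: Dict[str, Session] = {}
    warnings: List[str] = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # constructed input; ignore malformed lines
        _ts, status, sid, user, mac = fields[:5]
        ip = fields[5] if len(fields) > 5 else None
        if status == "Start":
            # Any still-open session for this MAC is stale: no Stop was received.
            for old in [s for s in active.values() if s.mac == mac]:
                warnings.append(f"{mac}: Start {sid} while {old.session_id} has no Stop")
            active[sid] = Session(sid, user, mac, ip)
        elif status == "Interim" and sid in active and ip:
            active[sid].ip = ip  # endpoint IP learned from Interim-Update
        elif status == "Stop":
            active.pop(sid, None)  # Stop is what removes the entry
    return active, warnings
```

Running `replay_accounting(SAMPLE_ACCOUNTING)` leaves alice's session removed, both of bob's sessions active, and one warning naming s-2001 as the stale entry.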
To help troubleshoot this, please be prepared to provide a set of logs from both the Juniper SRX as well as the PPS appliance.
Logs to collect:
- Event logs showing at least two (2) disconnect and reconnect events. The event logs will need to have the "Enforcer Command Trace" setting enabled in order to record the communication between the PPS appliance and the Juniper SRX firewall.
- User Access logs spanning the same time as the event logs. The support engineer will need this data in order to determine WHY the PPS appliance is sending the duplicate entry.
- The uacd.log from the Juniper SRX firewall.
Lastly, it is advised to keep the clocks synchronized between the Juniper SRX firewall and the PPS appliance. This ensures that the data from both sources can be correlated easily.