debug destination logging
debug security
no debug security port-access auth-order 

Andare poi a vedere i log sul syslog server

2530:

show port-access client 1/1 detail

Reinitialize the authenticator state machine.

aaa port-access authenticator 1/1 initialize

Force a re-authentication of all attached clients on the port.

[no] aaa port-access mac-based <port-list> reauthenticate

Set the authenticator to force authorized, force unauthorized or auto state (default Auto).

aaa port-access authenticator 1/1 control [authorized|unauthorized|auto]

show authentication sessions (|history|brief)
show authentication sessions interface gigabitethernet2/0/1

Per vedere su che vlan e' stato messo il device attaccato

show interface gigabitethernet2/0/1 switchport 

Controllare le features di errdisable attive

show errdisable detect|recovery|flap-values

Listare le interfacce disabilitate

show interfaces | include err-disabled

Listare le porte disabilitate e che si autoriabiliteranno con il motivo della disabilitazione

show errdisable recovery

Listare le porte disabilitate e che non si autoriabiliteranno con il motivo della disabilitazione (finche' c'e' il log)

show logging | incl err-disable

user@switch> show configuration access
user@switch> show dot1x interface brief 
user@switch> show ethernet-switching table    
user@switch> show dot1x interface ge-0/0/8.0 detail
show dot1x authentication-failed-users
show dot1x authentication-bypassed-users
clear dot1x interface

You can enable trace options for the 802.1X protocol. The following set of commands enable the writing of trace logs to a file named do1x-log: content_copy zoom_out_map

user@Policy-EX4300-01# set protocols dot1x traceoptions file dot1x
user@Policy-EX4300-01# set protocols dot1x traceoptions file size 5m
user@Policy-EX4300-01# set protocols dot1x traceoptions flag all

Use the show log CLI command to display the contents of the trace log file. For example: content_copy zoom_out_map

user@Policy-EX4300-01> show log dot1x
user@Policy-EX4300-01> show log dot1x | last 10 | refresh

You can also display the contents of the trace log file from the UNIX-level shell. For example: content_copy zoom_out_map

user@Policy-EX4300-01> start shell 
user@Policy-EX4300-01:RE:0% tail -f /var/log/dot1x 

https://docs.microsoft.com/it-it/windows/client-management/data-collection-for-802-authentication

Acquisire i registri delle funzionalità wireless/cablati

Seguire i passaggi seguenti per raccogliere i registri wireless e cablati in Windows e Windows Server:

• Creare C:\MSLOG nel computer client per archiviare i registri acquisiti.
• Avviare un prompt dei comandi con privilegi elevati nel computer client ed eseguire i comandi seguenti per avviare un log di traccia RAS e un log dello scenario wireless/cablato.
• Windows 8,1 e Windows 10 wireless:

netsh ras set tracing * enabled
netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl

Client cablato, indipendentemente dalla versione

netsh ras set tracing * enabled
netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_cli.etl

Alla fine

netsh ras set tracing * disable

To perform 802.1X authentication diagnostics on the Windows 7 supplicant:

• Start authentication tracing with the netsh command.

 netsh ras set tracing * enable

• Attempt authentication with the switch.

• Disable authentication tracing.

 netsh ras set tracing * disable

• Review the detailed log files under the following directory: C:\windows\tracing.