
802.1X AD Auth with NAC Manager 8.1.1.41 and EWC 10.41 doesn't work


Userlevel 2
I want to bring a newly installed EWC and NAC Manager with the latest firmware together and activate 802.1X on a special SSID.

I have configured the shared secret, LDAP connection and so on,
and all the other things on both sides.

When a wireless client tries to connect, the only thing to see in the NAC Manager console is:

Failing proxied request for user "XXXXXX@itgnt.local", due to lack of any response from home server 192.168.44.8 port 1812

and

Unable to contact RADIUS server: 192.168.44.8

But this IP is the RADIUS server itself!! Why does the NAC Manager have a problem contacting its own RADIUS server?

When I do the test with RADIUS on the VNS of the Wireless Controller, the result is:

The Radius Server did not authenticate the user TEST123 on ITGNTAD VNS.
Error: RADIUS_CLIENT_INTERNAL_ERROR.

If you ask... of course I have restarted the NAC Manager appliance 3 or 4 times...

Who could give me some tips for troubleshooting?

Regards

Christian

6 replies

Userlevel 5
Hi Christian, on AAA default, advanced - what did you set as your default auth? LDAP? Or RADIUS proxy?
Userlevel 5
And, btw, did you use the default shared secret (ETS_TAG_SHARED_SECRET) or did you change it to something else (on both sides)?
Userlevel 2
Hello Yury,

The first time I tried to deal with the HTML "surface"... Now I found the point where I can switch to "Advanced" mode and the window changed.
What is the right order?

Of course the RADIUS secret is changed... I have another SSID which is doing MAC auth for some devices without security, and this works fine.

Look at the picture... how should the order of auth methods be?

Userlevel 5
Looks correct to me. Try to see the logs - ssh to the NAC appliance and tail -f /var/log/radius/radius.log to see what it is complaining about.
Btw, if you are going to use 802.1X authentication on the wireless and your LDAP is Windows AD, you need to make sure that NAC did "join" the domain. To check that, issue the command "wbinfo -t" from the ssh; you should see whether the appliance successfully joined the domain (it should be just one line as the output with a success message in it). If it spits out a bunch of lines with errors - e.g. "cannot find domain" etc... then you need to fix that first.
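The two checks suggested in this reply (reading radius.log and interpreting "wbinfo -t") can be scripted. The following POSIX shell script is an added example and is not part of the thread or of the Extreme Networks product; the sample log lines are constructed to resemble the messages quoted in the question, the wbinfo output strings are constructed samples, and the log path is the one named in the reply. It counts proxied requests that got no answer, lists the home server address/port that failed to respond (so it can be compared with the appliance's own address), and classifies "wbinfo -t" output as joined or not joined.

```shell
#!/bin/sh
# Added example (not from the thread): triage RADIUS proxy failures in
# radius.log and interpret the output of `wbinfo -t`.

RADIUS_LOG=/var/log/radius/radius.log   # path named in the reply above

# Constructed sample log excerpt, modelled on the messages quoted in the question.
SAMPLE_LOG='Mon Jan 01 10:00:01 2024 : Error: Failing proxied request for user "user1@example.local", due to lack of any response from home server 192.168.44.8 port 1812
Mon Jan 01 10:00:01 2024 : Error: Unable to contact RADIUS server: 192.168.44.8
Mon Jan 01 10:00:05 2024 : Auth: Login OK: [user2@example.local] (from client ap01 port 0)
Mon Jan 01 10:00:09 2024 : Error: Failing proxied request for user "user3@example.local", due to lack of any response from home server 192.168.44.8 port 1812'

# count_proxy_failures: number of proxied requests (read from stdin) that got
# no answer from the home server.
count_proxy_failures() {
    awk '/lack of any response from home server/ { n++ } END { print n + 0 }'
}

# unreachable_home_servers: distinct "address port" pairs that never answered,
# parsed from "... home server <addr> port <port>" lines on stdin.
unreachable_home_servers() {
    awk '/lack of any response from home server/ {
            for (i = 1; i <= NF; i++)
                if ($i == "server") print $(i + 1), $(i + 3)
        }' | sort -u
}

# join_status: read `wbinfo -t` output from stdin; a single line containing a
# success word means the appliance has a working domain trust.
join_status() {
    if grep -qi 'succe' ; then
        echo joined
    else
        echo not-joined
    fi
}

main() {
    # Use the real log when it is readable, otherwise the constructed sample.
    if [ -r "$RADIUS_LOG" ]; then
        log=$(cat "$RADIUS_LOG")
    else
        log=$SAMPLE_LOG
    fi

    failures=$(printf '%s\n' "$log" | count_proxy_failures)
    echo "proxied requests without a home server response: $failures"
    if [ "$failures" -gt 0 ]; then
        echo "home servers that did not answer (compare with this appliance's own address):"
        printf '%s\n' "$log" | unreachable_home_servers | sed 's/^/  /'
    fi

    # Domain join check: run wbinfo when present, else use a constructed sample line.
    if command -v wbinfo >/dev/null 2>&1; then
        status=$(wbinfo -t 2>&1 | join_status)
    else
        status=$(printf '%s\n' 'checking the trust secret for domain EXAMPLE via RPC calls succeeded' | join_status)
    fi
    echo "domain join status: $status"
}

main "$@"
```

If the address listed under "home servers that did not answer" is the NAC appliance's own IP, the proxy target is pointing back at the local RADIUS service rather than at an external server, which matches the symptom described in the question.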
Userlevel 2
THX, I will try this the next day.

But BTW... we have customers using 3 or 4 Windows domains with an Extreme wireless solution; what can I do if I have 2 or more Windows domains and I need LDAP auth?

Chris
Userlevel 5
Are those ADs independent or do they have a trust relationship?
