Connected wireless clients are not shown in NAC's End-Systems


Userlevel 4
Hello, team,

I have Netsight (7.1.1.9), NAC (7.1.1.9) and V2110 (10.43) installation. Both NAC and V2110 were added to Netsight console using SNMP v3 and they are OK (green).

Now I try to configure wireless users authorization through the NAC.

The problem is wireless clients are not shown in NAC's End-Systems tab, but they are in Wireless tab. When they connect to SSID they get TO NAC's portal interface, then they pass authorization with they AD credentials and then NAC freezes with Endless registration. Experienced guys say: bring you clients to NAC's End-Systems tab first. How? They don't appear there.

What most likely could be the problem?

Many thanks in advance,
Ilya

34 replies

Userlevel 5
Looks like you forgot to enable MAC-auth on WLAN service.
Userlevel 4
Ostrovsky, Yury wrote:

Looks like you forgot to enable MAC-auth on WLAN service.

Hello, Yury,

I didn't.
Userlevel 4
Hello,

Be sure the wireless WLAN has RADIUS enabled and is pointed to the NAC appliance (and with the proper shared secret). The End System needs to show up in NAC Manager from RADIUS first, before the captive portal login can be attempted. If your user is not authenticated with RADIUS first, the the captive portal will not work..so in this case the Default "unauthenticated" behavior of the wireless controller should not redirect users to NAC's Captive Portal..ie, only the "authentciaetd" Role should do this.

Regards,

Scott Keene
NMS/NAC Support
Userlevel 4
Keene, Scott wrote:

Hello,

Be sure the wireless WLAN has RADIUS enabled and is pointed to the NAC appliance (and with the proper shared secret). The End System needs to show up in NAC Manager from RADIUS first, before the captive portal login can be attempted. If your user is not authenticated with RADIUS first, the the captive portal will not work..so in this case the Default "unauthenticated" behavior of the wireless controller should not redirect users to NAC's Captive Portal..ie, only the "authentciaetd" Role should do this.

Regards,

Scott Keene
NMS/NAC Support

Hello, Scott,

The WLAN has RADIUS enabled and it is pointed to NAC with proper (default) shared secret.
Userlevel 4
Gentlemen,

all answers with one screenshot below.

1) MAC auth is on.
2) NAC is the RADIUS server
3) NAC and V2110 are connected to Netsight and both are OK.

Hi,
As the Scott said RADIUS settings are crucial. If V2110 is added to Policy Domain and NAC and enforced then RADIUS settings should be populated in V2110. In addition make sure that both V2110 and NAC have time synchronized to let the wireless clients reauthentication to work - both appliances should use this same NTP server configruation.
RegardsBartek
Did you add V2110 to NAC switch configurations tab? If not then it would never work...
Userlevel 4
Bartek wrote:

Did you add V2110 to NAC switch configurations tab? If not then it would never work...

After your advice I've added EWC to NAC to Switches tab. Still the same result - nothing in End-Systems and endless registration...
Userlevel 5
The easiest way is to enable diagnostic. Go to web page of nac , port 8443. The creds please check via old java app. Then go to diagnostic, enable things related to radius. The output check at /var/log/radius/radius.log. I am sure the problem will be obvious from there.
Userlevel 4
Ostrovsky, Yury wrote:

The easiest way is to enable diagnostic. Go to web page of nac , port 8443. The creds please check via old java app. Then go to diagnostic, enable things related to radius. The output check at /var/log/radius/radius.log. I am sure the problem will be obvious from there.

Yury,

is it enough?



Before turning this on I had such messages in Radius Log:



Does it make something clear?
Userlevel 5
Ostrovsky, Yury wrote:

The easiest way is to enable diagnostic. Go to web page of nac , port 8443. The creds please check via old java app. Then go to diagnostic, enable things related to radius. The output check at /var/log/radius/radius.log. I am sure the problem will be obvious from there.

What is .1.111? Which port of EWC? Looks like the Radius request coming not from the port which NAC expecting. Peobably you added EWC with IP address of esa0 but your radius req coming from Admin port? Or something like that.
Userlevel 4
Ostrovsky, Yury wrote:

The easiest way is to enable diagnostic. Go to web page of nac , port 8443. The creds please check via old java app. Then go to diagnostic, enable things related to radius. The output check at /var/log/radius/radius.log. I am sure the problem will be obvious from there.

You are right, 192.168.1.111 this is esa0 port. I want EWC and NAC interacting excactly from this port. ADmin port should not be used. Is it possible?
Userlevel 5
Ostrovsky, Yury wrote:

The easiest way is to enable diagnostic. Go to web page of nac , port 8443. The creds please check via old java app. Then go to diagnostic, enable things related to radius. The output check at /var/log/radius/radius.log. I am sure the problem will be obvious from there.

Correct. If you have Admin port and using is somehow, make sure you route your radius packer correctly. The easiest way is just to stop using admin port at all - just put back the default IP on admin port, and manage your appliance from data port. Otherwize you need to fix the routing table on the controller.
Userlevel 5
Ostrovsky, Yury wrote:

The easiest way is to enable diagnostic. Go to web page of nac , port 8443. The creds please check via old java app. Then go to diagnostic, enable things related to radius. The output check at /var/log/radius/radius.log. I am sure the problem will be obvious from there.

Btw, did you add .1.111 as a switch on NAC? For some reason your NAac complains that it does not recognize this IP address. That should be your NAS
Userlevel 4
Ostrovsky, Yury wrote:

The easiest way is to enable diagnostic. Go to web page of nac , port 8443. The creds please check via old java app. Then go to diagnostic, enable things related to radius. The output check at /var/log/radius/radius.log. I am sure the problem will be obvious from there.

Hello, Yury,

well, we are almost done. Many thanks to you and Bartek.

I've added V2110 to Switches tab in NAC
Corrected time on V2110 and NAC - now it's the same
Changed V2110 interface to esa0

Now I have clients in NAC's End-Systems!!!! But without UserNames, just IPs, MACs and Device Types

Also,Clients are unable to access any resources, even gateway and NAC's address where authorization page is located. May be I should change something in ROles in V2110?

NOw i have:


...and...





In Radius Log on NAC I have:

(9362) --- Request VPs ---
(9362) User-Name = "446D572C278E"
(9362) User-Password = ****************
(9362) NAS-IP-Address = 127.0.0.1
(9362) NAS-Port = 101
(9362) NAS-Port-Type = Wireless-Other
(9362) NAS-Identifier = "SupportVO"
(9362) Siemens-AP-Serial = "15141805085D0000"
(9362) Siemens-AP-Name = ****************
(9362) Siemens-VNS-Name = "SupportVO"
(9362) Siemens-SSID = "SupportVO"
(9362) Siemens-BSS-MAC = "D88466272BF8"
(9362) Siemens-Policy-Name = "Non Authenticated"
(9362) Siemens-Topology-Name = "Bridged at AP untagged"
(9362) Calling-Station-Id = "446D572C278E"
(9362) Called-Station-Id = "D88466272BF8"
(9362) Acct-Session-Id = "M1a00fbb90002"
Thu May 24 15:07:13 2018 : Debug: (9362) [etsnac connection_mgr] Using authentication server connection ID: 31.
Thu May 24 15:07:13 2018 : Info: (9362) [etsnac connection_mgr] AAA Response [ID: 9362, Command: Replace Response Attributes(0x27)]
(9362) Filter-Id := "Enterasys:version=1:policy=Unregistered"
(9362) Login-LAT-Port := "0"
Thu May 24 15:07:13 2018 : Debug: (9362) [etsnac connection_mgr] Releasing authentication server connection ID: 31.
Thu May 24 15:07:13 2018 : Debug: (9362) [etsnac] The AAA server says to replace the response attributes.
Thu May 24 15:07:13 2018 : Debug: (9362) modsingle[post-auth]: returned from etsnac (rlm_etsnac) for request 9362
Thu May 24 15:07:13 2018 : Debug: (9362) [etsnac] = updated
Thu May 24 15:07:13 2018 : Debug: (9362) } # post-auth = updated
Thu May 24 15:07:13 2018 : Debug: (9362) Sent Access-Accept Id 183 from 192.168.1.200:1812 to 192.168.1.111:40884 length 0
Thu May 24 15:07:13 2018 : Debug: (9362) Filter-Id := "Enterasys:version=1:policy=Unregistered"
Thu May 24 15:07:13 2018 : Debug: (9362) Login-LAT-Port := "0"
Thu May 24 15:07:13 2018 : Debug: (9362) Finished request
Thu May 24 15:07:13 2018 : Debug: Thread 2 waiting to be assigned a request
Thu May 24 15:07:14 2018 : Debug: (9357) Cleaning up request packet ID 178 with timestamp +60856
Thu May 24 15:07:14 2018 : Debug: Waking up in 0.8 seconds.
Thu May 24 15:07:14 2018 : Debug: Waking up in 0.2 seconds.
Thu May 24 15:07:14 2018 : Debug: Thread 4 got semaphore
Thu May 24 15:07:14 2018 : Debug: Thread 4 handling request 9363, (1873 handled so far)
Thu May 24 15:07:14 2018 : Debug: (9363) Received Access-Request Id 184 from 192.168.1.111:60091 to 192.168.1.200:1812 length 281
Thu May 24 15:07:14 2018 : Debug: (9363) User-Name = "446D572C278E"
Thu May 24 15:07:14 2018 : Debug: (9363) User-Password = "\366\362\245\000\224\ts\247\024\341u@\240\330u\222"
Thu May 24 15:07:14 2018 : Debug: (9363) NAS-IP-Address = 127.0.0.1
Thu May 24 15:07:14 2018 : Debug: (9363) NAS-Port = 101
Thu May 24 15:07:14 2018 : Debug: (9363) NAS-Port-Type = Wireless-Other
Thu May 24 15:07:14 2018 : Debug: (9363) NAS-Identifier = "SupportVO"
Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-AP-Serial = "15141316085D0000"
Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-AP-Name = "15141316085D0000"
Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-VNS-Name = "SupportVO"
Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-SSID = "SupportVO"
Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-BSS-MAC = "D88466270D68"
Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-Policy-Name = "Non Authenticated"
Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-Topology-Name = "Bridged at AP untagged"
Thu May 24 15:07:14 2018 : Debug: (9363) Calling-Station-Id = "446D572C278E"
Thu May 24 15:07:14 2018 : Debug: (9363) Called-Station-Id = "D88466270D68"
Thu May 24 15:07:14 2018 : Debug: (9363) Acct-Session-Id = "M1a00fc190002"
Thu May 24 15:07:14 2018 : Debug: (9363) session-state: No State attribute
Thu May 24 15:07:14 2018 : Debug: (9363) # Executing section authorize from file /opt/nac/radius/raddb/sites-enabled/nac-server
Thu May 24 15:07:14 2018 : Debug: (9363) authorize {
Thu May 24 15:07:14 2018 : Debug: (9363) update control {
Thu May 24 15:07:14 2018 : Debug: (9363) EXPAND %{Calling-Station-Id}
Thu May 24 15:07:14 2018 : Debug: (9363) --> 446D572C278E
Thu May 24 15:07:14 2018 : Debug: (9363) Load-Balance-Key = 446D572C278E
Thu May 24 15:07:14 2018 : Debug: (9363) } # update control = noop
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: calling etsnac (rlm_etsnac) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] *NOT* Continuing proxied conversation, skipping...
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Generated MAC 446d572c278e from Calling-Station-Id: 446D572C278E
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found username from: User-Name: 446D572C278E
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found User-Password attribute: 2, setting auth type to: PAP
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found switch ip from: NAS-IP-Address: 127.0.0.1
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Unable to fine existing NAC request manager instance.
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Making a new request to the AAA server for request ID: 9363
Thu May 24 15:07:14 2018 : Info: (9363) [etsnac connection_mgr] AAA Request [ID: 9363, Source IP: 192.168.1.111, Command: Authenticate & Authorize Request(0x02)]
(9363) --- Request VPs ---
(9363) User-Name = "446D572C278E"
(9363) User-Password = ****************
(9363) NAS-IP-Address = 127.0.0.1
(9363) NAS-Port = 101
(9363) NAS-Port-Type = Wireless-Other
(9363) NAS-Identifier = "SupportVO"
(9363) Siemens-AP-Serial = "15141316085D0000"
(9363) Siemens-AP-Name = ****************
(9363) Siemens-VNS-Name = "SupportVO"
(9363) Siemens-SSID = "SupportVO"
(9363) Siemens-BSS-MAC = "D88466270D68"
(9363) Siemens-Policy-Name = "Non Authenticated"
(9363) Siemens-Topology-Name = "Bridged at AP untagged"
(9363) Calling-Station-Id = "446D572C278E"
(9363) Called-Station-Id = "D88466270D68"
(9363) Acct-Session-Id = "M1a00fc190002"
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac connection_mgr] Using authentication server connection ID: 31.
Thu May 24 15:07:14 2018 : Info: (9363) [etsnac connection_mgr] AAA Response [ID: 9363, Command: Accept User(0x22)]
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac connection_mgr] Releasing authentication server connection ID: 31.
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Unable to fine existing NAC request manager instance.
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] The AAA server says to accept the request.
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: returned from etsnac (rlm_etsnac) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] = ok
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: calling chap (rlm_chap) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: returned from chap (rlm_chap) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) [chap] = noop
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: calling mschap (rlm_mschap) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: returned from mschap (rlm_mschap) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) [mschap] = noop
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: calling eap (rlm_eap) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) eap: No EAP-Message, not doing EAP
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: returned from eap (rlm_eap) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) [eap] = noop
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: calling pap (rlm_pap) for request 9363
Thu May 24 15:07:14 2018 : WARNING: (9363) pap: Auth-Type already set. Not setting to PAP
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: returned from pap (rlm_pap) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) [pap] = noop
Thu May 24 15:07:14 2018 : Debug: (9363) } # authorize = ok
Thu May 24 15:07:14 2018 : Debug: (9363) Found Auth-Type = Accept
Thu May 24 15:07:14 2018 : Debug: (9363) Auth-Type = Accept, accepting the user
Thu May 24 15:07:14 2018 : Debug: (9363) # Executing section post-auth from file /opt/nac/radius/raddb/sites-enabled/nac-server
Thu May 24 15:07:14 2018 : Debug: (9363) post-auth {
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[post-auth]: calling etsnac (rlm_etsnac) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] Processing Response-Packet-Type Access-Accept(2)
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] Not running EAP-TLS User-Name replacement for non EAP authentication
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Generated MAC 446d572c278e from Calling-Station-Id: 446D572C278E
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found username from: User-Name: 446D572C278E
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found User-Password attribute: 2, setting auth type to: PAP
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found switch ip from: NAS-IP-Address: 127.0.0.1
Thu May 24 15:07:14 2018 : Info: (9363) [etsnac connection_mgr] AAA Request [ID: 9363, Source IP: 192.168.1.111, Command: Post Authorize Request(0x03)]
(9363) --- Request VPs ---
(9363) User-Name = "446D572C278E"
(9363) User-Password = ****************
(9363) NAS-IP-Address = 127.0.0.1
(9363) NAS-Port = 101
(9363) NAS-Port-Type = Wireless-Other
(9363) NAS-Identifier = "SupportVO"
(9363) Siemens-AP-Serial = "15141316085D0000"
(9363) Siemens-AP-Name = ****************
(9363) Siemens-VNS-Name = "SupportVO"
(9363) Siemens-SSID = "SupportVO"
(9363) Siemens-BSS-MAC = "D88466270D68"
(9363) Siemens-Policy-Name = "Non Authenticated"
(9363) Siemens-Topology-Name = "Bridged at AP untagged"
(9363) Calling-Station-Id = "446D572C278E"
(9363) Called-Station-Id = "D88466270D68"
(9363) Acct-Session-Id = "M1a00fc190002"
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac connection_mgr] Using authentication server connection ID: 31.
Thu May 24 15:07:14 2018 : Info: (9363) [etsnac connection_mgr] AAA Response [ID: 9363, Command: Replace Response Attributes(0x27)]
(9363) Filter-Id := "Enterasys:version=1:policy=Unregistered"
(9363) Login-LAT-Port := "0"
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac connection_mgr] Releasing authentication server connection ID: 31.
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] The AAA server says to replace the response attributes.
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[post-auth]: returned from etsnac (rlm_etsnac) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] = updated
Thu May 24 15:07:14 2018 : Debug: (9363) } # post-auth = updated
Thu May 24 15:07:14 2018 : Debug: (9363) Sent Access-Accept Id 184 from 192.168.1.200:1812 to 192.168.1.111:60091 length 0
Thu May 24 15:07:14 2018 : Debug: (9363) Filter-Id := "Enterasys:version=1:policy=Unregistered"
Thu May 24 15:07:14 2018 : Debug: (9363) Login-LAT-Port := "0"
Thu May 24 15:07:14 2018 : Debug: (9363) Finished request
Thu May 24 15:07:14 2018 : Debug: Thread 4 waiting to be assigned a request
Thu May 24 15:07:15 2018 : Debug: (9358) Cleaning up request packet ID 179 with timestamp +60857
Userlevel 4
Ostrovsky, Yury wrote:

The easiest way is to enable diagnostic. Go to web page of nac , port 8443. The creds please check via old java app. Then go to diagnostic, enable things related to radius. The output check at /var/log/radius/radius.log. I am sure the problem will be obvious from there.

Hello,

It may be easier if you contact the GTAC via phone to troubleshot this but NAC learns usernames from 802.1x or from a Captive Portal login (and in some cases via Kerberos). If the user in NAC has an Authentication Type of MAC Auth and the user did not login/register via NAC's Captive Portal yet, then there will be no username.

If the user "is" authentciaetd in NAC (RADIUS) and you see that user in the Report on the wireless controller, be sure the Unregistered Role is assigned All access to the network and to NAC is then dictated by the Role's polices and the Topology of the VNS etc.

Regards,

Scott Keene
NMS/NAC Support
Userlevel 5
Ostrovsky, Yury wrote:

The easiest way is to enable diagnostic. Go to web page of nac , port 8443. The creds please check via old java app. Then go to diagnostic, enable things related to radius. The output check at /var/log/radius/radius.log. I am sure the problem will be obvious from there.

Ilia, you roles are way off! You have to have at least two roles on controller named : Unregistered , “Guest Access”. Those are the default role names NAC will send back as non-auth and auth respectively. Unless you changed the policy mapping in Nac configuration, you have to have those roles.
Userlevel 5
Ostrovsky, Yury wrote:

The easiest way is to enable diagnostic. Go to web page of nac , port 8443. The creds please check via old java app. Then go to diagnostic, enable things related to radius. The output check at /var/log/radius/radius.log. I am sure the problem will be obvious from there.

Instead of creating roles by yourself, you can use Policy domain ‘Extreme Control’ , push it to controller, then you don’t need to strugle with roles. This domain will push all nessesary things you need for Nac integration. There is also XMC script available for integration with Nac - using combination of polocy domain push and script will make your life easier.
Userlevel 4
Ostrovsky, Yury wrote:

The easiest way is to enable diagnostic. Go to web page of nac , port 8443. The creds please check via old java app. Then go to diagnostic, enable things related to radius. The output check at /var/log/radius/radius.log. I am sure the problem will be obvious from there.

Hello, Yury,

do you mean this policy? Should I apply it to controller in NAC's console?



Thanks!
Userlevel 5
Ostrovsky, Yury wrote:

The easiest way is to enable diagnostic. Go to web page of nac , port 8443. The creds please check via old java app. Then go to diagnostic, enable things related to radius. The output check at /var/log/radius/radius.log. I am sure the problem will be obvious from there.

Yes , but looks like you have an old NMS where it was using ExtremeControl domain with PBR . For more then a year (I think starting from 8.0) we are using Role based redirection , therefore the policy domain is updated to that .
Userlevel 5
Ostrovsky, Yury wrote:

The easiest way is to enable diagnostic. Go to web page of nac , port 8443. The creds please check via old java app. Then go to diagnostic, enable things related to radius. The output check at /var/log/radius/radius.log. I am sure the problem will be obvious from there.

Userlevel 4
Ostrovsky, Yury wrote:

The easiest way is to enable diagnostic. Go to web page of nac , port 8443. The creds please check via old java app. Then go to diagnostic, enable things related to radius. The output check at /var/log/radius/radius.log. I am sure the problem will be obvious from there.

I have the same in 7.1...

It would be difficult to me to upgrade my XMC&NAC installation. Both works under Hyper-V. Are there any upgrade manuals? Does it possible to make direct upgrade from 7.1 to 8.x?

Also, in 7.1 applying policy to EWC in Switches tab on NAC console doesn't work. I choose any policy - Default or Extreme Control, click Apply and then OK, Enforce changes and after Policy Domain column is empty for EWC. What is it? A bug?
Userlevel 5
Ostrovsky, Yury wrote:

The easiest way is to enable diagnostic. Go to web page of nac , port 8443. The creds please check via old java app. Then go to diagnostic, enable things related to radius. The output check at /var/log/radius/radius.log. I am sure the problem will be obvious from there.

Yes , I believe you can directly upgrade from 7.1 to 8.0 , although please check Releats notes first .
But it's ok , you can create those roles manually on EWC - make sure the names of the roles are exactly "Unregistered" and "Guest Access" becouse that's what NAC send back by default.
Userlevel 4
Ostrovsky, Yury wrote:

The easiest way is to enable diagnostic. Go to web page of nac , port 8443. The creds please check via old java app. Then go to diagnostic, enable things related to radius. The output check at /var/log/radius/radius.log. I am sure the problem will be obvious from there.

Oh, Yury, I am so tired with Extreme N in general and with NAC in particular...

Could you please enlight me:

1) Where can I see setting for Guest Access and Unregistered roles to create them in V2110?
2) How can I make NAC to DO NOT SHIFT time to +1 hour. Every day I change it -1hr but in appromixately 12hrs it again sets it to +1 to local time. There is correct time in Hyper-V.
3) I've rebooted host with NAC, EMC and V2110. Now NAC is green in XMC, but amber in NAC console. When I open 192.168.1.200 I got long screen:



and then it fails with:



WTF????
Userlevel 5
Ostrovsky, Yury wrote:

The easiest way is to enable diagnostic. Go to web page of nac , port 8443. The creds please check via old java app. Then go to diagnostic, enable things related to radius. The output check at /var/log/radius/radius.log. I am sure the problem will be obvious from there.

Just sent you email. We can follow up next week.

Reply