integrate wireless controller with NAC

  • 7 September 2017
  • 12 replies
  • 608 views

We have a C35 controller and NetSight. I am just trying right now to make a simple connection to the NAC through a VNS WLAN service. I have set up the RADIUS under authentication for the NAC. In NAC Manager I am able to verify the NAC connection. I have set up the AAA, I believe, correctly. When I try to connect a client I get a message on the client, wrong user name and password, but in the logs of the controller I see a message that there is no Radius server available for WLAN. There has to be something I am missing but I have no idea what. I can send you whatever screenshots you may need to help. Thanks for any help. This has been a very frustrating process.

Userlevel 5
Did you set the correct Shared Secret on WLAN controller?
Yes, I have the same shared secret on the controller that I have under the credentials tab on the NAC Manager.
Userlevel 4
NTP on both correct?
Is CoA or NAC Integration in use on the Wireless Controller?
Userlevel 6
Hello,

It sounds like you might be trying to set up an 802.1x WLAN service on the EWC? Is this correct?
If so, are you doing proxy RADIUS or LDAP authentication?

You said "username and password are correct" so I figured this isn't MAC authentication.

Thanks
-Ryan
Correct, I am wanting to authenticate to the local user name on the AAA settings directly on the NAC. Is that possible?
Userlevel 6
Hello,

It is possible to have NAC authenticate a user based on its existence in the local password repository.

See the following screenshot:



If this is posted and is too small to read I'll send it to a file share.

The top line would check any 802.1x request and if the username is "Username" it would attempt to authenticate it using the local password repository, so as long as the user exists there it would be successful.

The 2nd line would send any username that has "Proxy" in the username to the Proxy RADIUS server 1.1.1.1.

The 3rd line would be used for all other authentications that did not pass the 1st and 2nd and attempt LDAP authentication.

You should be able to use the 1st line as an example of how to authenticate a user using the local password repository.

Thanks
-Ryan

Userlevel 6
Here is a link to the image as it's unreadable:
https://extremenetworks2com-my.sharepoint.com/personal/ryacobuc_extremenetworks_com/Documents/Shared...

Thanks
-Ryan
Thank you, I believe I have that set correctly. I get a message on the device that the username and password is incorrect but the log on the controller shows No radius server available for WLAN service.

I have the NAC as the RADIUS server on the controller and assigned to the WLAN. I have checked the shared secret many times and they are the same. I am obviously missing something between the controller and the NAC.
Userlevel 6
Did you add the switch into the "Switches" tab in NAC Manager? Is the IP address in the switches tab the same IP address sourcing RADIUS traffic from the EWC?

Thanks
-Ryan
Yes, I have both wireless controllers added in the switches tab in NAC Manager and I am trying to set up the RADIUS from the primary controller 10.1.8.30.

Userlevel 6
We're at the point where it might be a good idea to open a ticket.

First thing GTAC should do is take a trace on the NAC appliance and see if the RADIUS request is being received, and if it's being responded to. The initial error message indicates there is a failure to process the packet.

You can take a trace on the NAC using tcpdump, and you can enable diagnostics in the NAC webview if you are comfortable with it. I would suggest Authentication Request Processing - NAC and Authentication Request Processing - RADIUS.

If you aren't comfortable I suggest submitting a ticket and speaking with GTAC.

Thanks
-Ryan
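
Once a trace like the one suggested above is in hand, a shared-secret mismatch can be checked offline by recomputing the Message-Authenticator (RFC 3579) that 802.1X Access-Requests carry. This is an added example, not part of the thread or of any Extreme tool; the function names and the sample packet are constructed here, and it assumes you have extracted the RADIUS UDP payload from the capture as raw bytes.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579)

def attributes(packet):
    """Yield (type, value_offset, value) for each attribute TLV after the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, pos + 2, packet[pos + 2:pos + alen]
        pos += alen

def secret_matches(packet, secret):
    """True/False if the Message-Authenticator verifies; None if the attribute is absent."""
    length = struct.unpack("!H", packet[2:4])[0]
    for atype, off, value in attributes(packet):
        if atype == MSG_AUTH and len(value) == 16:
            # HMAC-MD5 over the whole packet with the attribute value zeroed.
            zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return None

def sample_request(secret, username=b"Username"):
    """Constructed Access-Request (code 1) standing in for a UDP payload from the trace."""
    attrs = bytes([1, 2 + len(username)]) + username   # User-Name
    attrs += bytes([MSG_AUTH, 18]) + bytes(16)          # zeroed placeholder
    packet = struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(range(16)) + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac

if __name__ == "__main__":
    pkt = sample_request(b"controller-secret")        # constructed secret
    print(secret_matches(pkt, b"controller-secret"))  # same secret on both sides
    print(secret_matches(pkt, b"nac-secret-typo"))    # secret differs on the NAC
```

If the request verifies with the secret configured on the NAC, the secret is not the problem and the source IP and switch entry are the next things to compare against the trace.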
Thank you for your help. I have opened a ticket with GTAC.

Thanks