NAC captive portal shows endless "registration" after successful logon


Userlevel 4
Hello, team,

I am configuring the integration of V2110 and the NAC captive portal. The user database is Active Directory.

When a user joins the SSID, he is redirected to NAC's captive portal. If the login and password are OK, the user gets endless "registration".

At this moment I don't see the user in End-Systems in NAC. There are no logs, and I have no ideas how to find out what the reason is.

Please, take a look at my screens below if it may help. I can share all information required.



Please, share your ideas how to solve the issue!

Many thanks in advance,
Ilya

11 replies

Userlevel 1
Are you using the “redirect immediately” option in the network settings of the captive portal? If so, you have to be very specific in your unregistered policy’s allow rule for https. If it’s enabled, try disabling that to see if it addresses it.
Userlevel 4
Rodney Lacroix wrote:

Are you using the “redirect immediately” option in the network settings of the captive portal? If so, you have to be very specific in your unregistered policy’s allow rule for https. If it’s enabled, try disabling that to see if it addresses it.

Hi, Rodney,

Could you please tell me where exactly in the NAC interface I could check that?

"Network settings on the captive portal"?
Userlevel 1
Rodney Lacroix wrote:

Are you using the “redirect immediately” option in the network settings of the captive portal? If so, you have to be very specific in your unregistered policy’s allow rule for https. If it’s enabled, try disabling that to see if it addresses it.

Yes. There will be a checkbox for “redirect immediately.” I see you have “Force HTTPs” enabled so I assume your unregistered policy allows HTTPs. However, if you are broadly allowing https you can get into a loop where the client thinks it is registered but NAC thinks it is not, and vice versa. If that’s not enabled we need to look deeper.
Userlevel 4
Rodney Lacroix wrote:

Are you using the “redirect immediately” option in the network settings of the captive portal? If so, you have to be very specific in your unregistered policy’s allow rule for https. If it’s enabled, try disabling that to see if it addresses it.

I've found this checkbox, it's off.

You are right, HTTPS is allowed regardless of the result of authentication. I am thinking about how to block this.
Userlevel 6
Hello,

Make sure that the time between the EAC and EWC are within 300 seconds:

If the times are off by more than 300 seconds the controller will not accept the reauthentication request from NAC and the client will never move out of the Unregistered role:

GTACKnowledge - NAC End Systems Hung in Captive Portal

Thanks
-Ryan
Userlevel 4
Yacobucci, Ryan wrote:

Hello,

Make sure that the time between the EAC and EWC are within 300 seconds:

If the times are off by more than 300 seconds the controller will not accept the reauthentication request from NAC and the client will never move out of the Unregistered role:

GTACKnowledge - NAC End Systems Hung in Captive Portal

Thanks
-Ryan

Hello, Ryan,

It was synchronized. They have the same NTP server now.
Userlevel 6
Yacobucci, Ryan wrote:

Hello,

Make sure that the time between the EAC and EWC are within 300 seconds:

If the times are off by more than 300 seconds the controller will not accept the reauthentication request from NAC and the client will never move out of the Unregistered role:

GTACKnowledge - NAC End Systems Hung in Captive Portal

Thanks
-Ryan

Did it fix the issue, or are you still stuck in endless registration?
Userlevel 4
Yacobucci, Ryan wrote:

Hello,

Make sure that the time between the EAC and EWC are within 300 seconds:

If the times are off by more than 300 seconds the controller will not accept the reauthentication request from NAC and the client will never move out of the Unregistered role:

GTACKnowledge - NAC End Systems Hung in Captive Portal

Thanks
-Ryan

This did not fix the issue. The registration process is still endless.
Userlevel 6
I'd suggest opening a ticket with GTAC. We would need to enable diagnostics and gather forensics to get an idea of what's going wrong.

Thanks
-Ryan
Userlevel 4
Yacobucci, Ryan wrote:

I'd suggest opening a ticket with GTAC. We would need to enable diagnostics and gather forensics to get an idea of what's going wrong.

Thanks
-Ryan

Hello, Ryan,

Unfortunately, I can't do that. This is a POV (Proof of Value) project for a customer who has already bought Netsight, but is considering buying NAC.

So, I can't open a GTAC case for NAC issues.
Userlevel 4
Yacobucci, Ryan wrote:

I'd suggest opening a ticket with GTAC. We would need to enable diagnostics and gather forensics to get an idea of what's going wrong.

Thanks
-Ryan

Hello Ryan,

Even if there is no existing equipment/contract, I'm sure that you will get support from Extreme Networks in this case.

You can also get in touch with your SE and Account Manager for this end customer.

Regards

Umut Aydin
Escalation Support Engineer
