
NAC portal for wifi-users: UserNames are not displayed in XMC>>Wireless>>Clients


Userlevel 4
Hello, team,

I've partially configured V2110 & NAC integration. There is a web portal on NAC, where wireless users log in using their AD credentials.

The main goal of this configuration was to get the ability to see AD usernames in XMC >> Wireless >> Clients.

But now I see just IPs, MACs, Device Types and nothing more for authorized clients. How can I fix it?

Also, I've experienced the following issues during the authorization process:

1) When I use an iPhone to connect to the SSID, it gets me to the NAC's web portal, but it is displayed for just about 10 seconds. If I input credentials in this time, everything is OK and I get registered; if I take more than 10 seconds to input them, the iPhone brings me back to the SSID list. WTF? With a Nokia Lumia 950 it works perfectly well without time limits.
2) When I use a Windows 10 laptop I get "Endless registration" on the NAC web portal in the browser, but in spite of this, I get access to the network as well.

What should I do to fix it?

1) I need to have enough time to input credentials on Apples
2) I want to avoid "Endless registration" message on laptops.

Please, help!

Many thanks in advance,
Ilya

There are some logs&pics below:



It's for Endless registration from laptop:

7 replies

Userlevel 5
Hello Ilya,

First of all, according to my experience iPhones have to reach the gateway during DHCP; if not, there are problems while getting the IP address. If the gateway communicated in the DHCP offer is not present in the network, the DORA process is completed but the iPhone will not use the IP address.

For your problem 2 (endless registration): Maybe these screws will help:
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-decrease-delay-between-Registration...

Best regards
Stephan
Userlevel 6
Hello,

1. Extreme Management Center --> wireless --> clients will provide information that was obtained from the Controller. Unless the controller has a client that is doing 802.1x, which provides the username within the authentication protocol, you will not see the username here.

The captive portal is held on the NAC appliance and this information will be seen in the Control --> End Systems tab, but the EWC does not have any knowledge that the client has been through a captive portal, does not know what credentials have been provided, so it cannot display them.

2. What version of iOS? Are all versions affected?

3. As far as "Endless registration" is concerned, check the Control captive portal options and see what the redirection configurations are set to. Are they set to use the user's requested URL?

The workflow should be the following:

User puts in credentials and hits register
Browser is set to send requests to the NAC waiting for a message to tell it to proceed
When the client has been registered NAC will respond with a transition.jsp script to indicate to the client that they should move on to the next page.

If the client doesn't have connectivity to NAC in the role that has been provided by registration then the client will never receive the instruction to transition.

Try setting the "redirect immediately" option in the captive portal options. This will have the client test internet connectivity to trigger the transition rather than wait for the NAC.

4. You have provided freeRADIUS debug, we'll need different debug to see what's going on.
Enable debug for Captive portal in the debug screen and send in the tag.log

Captive Portal --> Display
Captive Portal --> Registration and Remediation

Thanks
-Ryan
Userlevel 4
Hello, Ryan,

Many thanks for your response. Could you please enlighten me on some details?

1. Are there any ways to implement authentication using NAC where I will be able to see AD's UserName in XMC Wireless>Clients? What should be configured? Now I have:



and...



2. I've tested just my own iPhone 6 with iOS 11.3. Tomorrow I'll test some other Apples.

3. OK, I've set "redirect immediately" - I'll check it tomorrow too.



4. I've provided debug from NAC's admin page log. I do not use freeradius. Also, I've not found how to do this:

"Enable debug for Captive portal in the debug screen and send in the tag.log

Captive Portal --> Display
Captive Portal --> Registration and Remediation"

I've this enabled:



Ryan, I will willingly send any part of my conf if it could clear up the situation. Many thanks to you!
Userlevel 6
Hello,

1. If you changed the WLAN service mode to be 802.1x you will be able to see the username in the XMC Wireless --> Clients section.

This will cause a fundamental change in authentication requiring the end systems to complete 802.1x authentication. This is likely not a configuration change you want to make as you have a captive portal configuration.

You can configure 802.1x and captive portal at the same time, but this causes the client to have to log in twice in order to get on the network, which is redundant.

2 --> waiting for results

3 --> waiting for results

4. Enable debug for:
Captive Portal - Display
Captive Portal - Registration and Remediation

Authentication Request Processing - NAC

Once you enable the debug delete the client and attempt to register.

Once you have completed the test disable the diagnostics and send in the /var/log/tag.log and export the end system events.

I would suggest a GTAC case for this 🙂

Thanks
-Ryan
Userlevel 4
Hello, Ryan,

A Kind Man has consulted me today - it seems that there was a kind of misunderstanding.

Usernames have appeared in NAC>End-Systems, but have not appeared in Wireless>Clients - and it is expected behavior. That is sad.

So, the only thing that remains to correct is the Endless registration on Windows 10 laptops. Tomorrow I'll check this issue with different Windows versions.

Thanks for your help!
Userlevel 6
Hi

Another reason for the described behavior can be a short DHCP lease time, or the user roaming from one AP to another. Is the client stable on the wireless AP or does it roam and roam and roam?
Userlevel 4
Clients are stable, Zdenek. Thanks.
