NAC&V2110: unable to change from Admin port to esa0 IP


Userlevel 4
Hello, team,

I'm trying to follow this article:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Configure-WLAN-Service-For-NAC-Exte...

...and I can't do this step:
  • EWC Connection: Change from Admin port IP (192.168.10.1) to esa0 IP
An IP address was assigned on esa0, but I can't select it here: it's absent, and only the Admin IP is available. Why?

Many thanks in advance,

Ilya

23 replies

Userlevel 7
What mode is the ESA0 topology... physical?!
Userlevel 4
Ron wrote:

What mode is the ESA0 topology... physical?!

Hi, Ron,

No, it's B@EWC. Is that OK?
Userlevel 7
No. In my pull-down I only have physical or the admin port; none of my bridge@EWC topologies are listed, so it looks like only physical is supported.
Userlevel 3
It is recommended that it be of type "Physical". That's the port that you "normally" have AP Registration and Management enabled on, and that your Default Gateway under "Routing Protocols" is typically defined on.

Things may "work" with it configured as B@EWC... but it's not best practice and could potentially lead to trouble/issues.
Userlevel 4
Ron, you were right. I've changed it to Physical, and it is available now. But redirection doesn't work =))

The NAC URL is accessible from wireless clients, but I don't get to the NAC page automatically during the connection process.

Any ideas, gentlemen?
Userlevel 5
As I mentioned: use FF-ECP, enable "Role Based Redirection", configure your "Unregistered" Role with HTTP/HTTPS action: redirect; on the Unregistered Role's Default page set "redirect to own WLAN". On the WLAN enable "FF-ECP" and enter the URL of the NAC page (http or https).
Userlevel 4
Yury, I have v10, but there is no Role Based Redirection in VNS > Global.

I've changed it to FF-External, but it doesn't work even in preview. I'll take some screenshots...
Userlevel 5
OK, VNS --> Global --> Filtering Mode --> Rule Based Redirection; there is a check box.
Then go to Roles --> Unregistered, add Rules: HTTP (to 0.0.0.0/0:80) and HTTPS, action = Redirect; for the Role Default Action: redirection: Own WLAN.
Userlevel 5
By the way, I forgot to mention: br@AP will only work with the 38xx and 39xx series. With 37xx you would still need to tunnel back to the controller (br@EWC mode).
Userlevel 4
Yury, I have 10.01.02.38 and there is no such menu in Global. My APs are 3805. Please have a look. Also, in FF-External it uses the Admin interface instead of Physical, and it cannot be changed.

Userlevel 5
You are using 10.01; this GA is more than two years old, I believe. Please upgrade to 10.41, or 10.31 at least. The feature we are talking about (role-based redirect, redirect at the AP) was introduced in 10.11.
If it's a VM, don't forget to change the disk to "para-virtual" as per the release notes.
Userlevel 4
Yury, it's done. After the upgrade I did exactly as you said. Now, after connecting, I open a browser, try to access whatever, and get to the NAC page!!! Thanks a lot!

So, do you have an article about further NAC customization? I enter my AD credentials and they are accepted, but there is still no access for me.

Please look:



How may I make NAC authorize me?

Many thanks to you, Yury!
Userlevel 5
I am not sure I got it correctly. When you say "NAC customization", is that about the web page customization or access control? If the latter, then I need to know a few things.

First, as I understand it, you are using your Captive Portal BYOD (Authenticated Registration) option, which will make a lookup back to your LDAP (Windows AD). So, when the user enters credentials (which exist in your AD), NAC will change the policy from "Unregistered" to "Guest Access" (by default, unless you changed it). You need to check a couple of things:

1. On the End-Systems page, do you see that the Profile of the user changed to Guest Access? If not, we would need to stop here and figure out why.

2. If yes, then the next step: check on the Wireless Controller (Report page, the one with the client) whether the client got the corresponding Role (Guest Access). If not, then it would mean one of two things: either this Role does not exist on the Wireless Controller, or you have an issue with time sync. For the latter, please check that both the controller and NAC have exactly the same time; the best way is to point both to the same NTP server. If time is not in sync, the controller refuses the CoA change and the role will stay the same.
Userlevel 4
Hello, Yury!

First of all, thank you very much for such a detailed response. Unfortunately, at the moment I can't give you all the answers, because I am far away from my demo installation and have remote access only.

So, what can I say right now?

My primary task is to change the authorization portal from Fortigate's to Extreme NAC's, and it's almost done. There are a few interface things which are still unclear, but I hope we'll solve them =)

Then, I want to make NAC do lookups against my LDAP (Active Directory). And it's done.

I can say that the two things above work together, but not 100% correctly.

Details:

After the connection to the SSID is established, I try to open any website in the browser and get to NAC's portal page.

There is a question: is https://nac/main the correct URL for redirection? Because I've set exactly this page...

Regardless of whether it is correct or not, on the client side I see this (everything below is demonstrated for a wired client, but from a wireless client I see the same):

(The black text in the foreground is a disgusting thing; I don't know how to remove it)

So, if I input a wrong password I get:

If I enter the correct login/password I get:

After I tick "Agree" and click "Complete registration" I get an endless "Network Registration in Progress...".

Here are my questions:

1) Actually, I just want to give users Internet access after a successful login, without any "Policy Acceptance"; let them get the page they requested. How can I get that?

2) How can I remove the black text in the foreground, "You have been denied network access because your device is not currently registered to the network. bla-bla-bla..."?

3) Are there any ways to make NAC's portal page appear automatically, without the user opening a browser manually? Like in 100% of airports and hotels...?

Many thanks to you, Yury...
Userlevel 5
- For Policy Acceptance: do you mean reading the AUP? You can disable that.
- The "you have been denied" message: I believe you can go to "Look & Feel" and "Launch Message String Editor", where you can modify/remove all possible messages.
- For auto-login, on the wireless controller: VNS - Global Settings - "Client auto-login", set to "Redirect detection messages to Captive Portal" (the default is "Hide", I think). Most clients (iOS, Android, Mac, Win10) will show you the pop-up. On some old clients like Win7 and XP you might still need to open the browser.
- If the client is "stuck" upon authentication, it means something is not working right. As I mentioned earlier, check what role the client gets; it should be "Guest Access" or something else (if you configured your rule engine), but not Unregistered.
For http://nac/main: I believe starting from 8.0 (or 8.1?) you don't need to define the full path; just keep the IP address of the appliance itself, and it will detect where it needs to redirect.
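The two things the thread has been debugging by eye, "redirection doesn't work" and whether the OS detection messages are redirected or hidden, can be checked from a client with a small script. This is an added example, not code from the thread or from Extreme; it assumes `NAC_HOST` is the host part of the redirect URL configured on the WLAN, and the probe list is a hand-picked set of well-known OS connectivity-check endpoints. Run it from a client that is associated to the SSID and still in the Unregistered role: each line should read `redirect-to-nac`, except that an OS probe answered with its normal body (e.g. a 204) means the controller is passing detection messages through rather than redirecting them.

```python
"""Captive-portal redirect check (added example, not from the thread).

Sends the plain-HTTP request a browser or an OS connectivity probe would send and
reports whether the controller answered with a redirect to the NAC portal. Run it
from a client associated to the SSID while it is in the Unregistered role.
Assumptions not in the thread: NAC_HOST is the host used in the WLAN redirect URL;
the probe list is a hand-picked set of well-known OS detection endpoints.
"""
import socket
from urllib.parse import urlsplit

NAC_HOST = "nac"  # assumption: host part of the FF-ECP redirect URL (https://nac/...)
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed list: what each client OS fetches over plain HTTP to detect a portal.
PROBES = [
    ("www.msftconnecttest.com", "/connecttest.txt"),     # Windows
    ("captive.apple.com", "/hotspot-detect.html"),       # iOS / macOS
    ("connectivitycheck.gstatic.com", "/generate_204"),  # Android
    ("example.com", "/"),                                # ordinary browsing
]


def classify_response(raw, nac_host=NAC_HOST):
    """Parse an HTTP/1.x response head and say whether it redirects to the NAC portal.

    Returns {"status", "location", "verdict"}; verdict is one of "redirect-to-nac",
    "redirect-elsewhere", "no-redirect" or "unparseable".
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return {"status": 0, "location": None, "verdict": "unparseable"}
    status, location = int(parts[1]), None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
            break
    if status in REDIRECT_CODES and location:
        target = (urlsplit(location).hostname or "").lower()
        verdict = "redirect-to-nac" if target == nac_host.lower() else "redirect-elsewhere"
    else:
        verdict = "no-redirect"  # e.g. the probe's normal body was passed through
    return {"status": status, "location": location, "verdict": verdict}


def probe(host, path, timeout=5.0):
    """One raw HTTP/1.1 GET on port 80 (no TLS, like the OS probes), classified."""
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
               "User-Agent: captive-check/1.0\r\nConnection: close\r\n\r\n").encode()
    received = b""
    with socket.create_connection((host, 80), timeout=timeout) as s:
        s.sendall(request)
        while b"\r\n\r\n" not in received:  # the head is enough for a verdict
            data = s.recv(4096)
            if not data:
                break
            received += data
    result = classify_response(received)
    result["probe"] = f"http://{host}{path}"
    return result


if __name__ == "__main__":
    for host, path in PROBES:
        try:
            r = probe(host, path)
            print(f"{r['probe']:<52} {r['status']} {r['verdict']:<18} {r['location'] or ''}")
        except OSError as exc:
            print(f"http://{host}{path:<40} error: {exc}")
```

The check only covers port 80: the Unregistered role must still permit DNS for the probe hosts to resolve (a connection error on every line usually means DNS is blocked, not that redirection is broken), and an HTTPS redirect cannot be judged this way because the intercepting controller presents its own certificate. A `redirect-elsewhere` verdict pointing at the Admin IP rather than the NAC host is the symptom of the interface mix-up discussed earlier in the thread.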
Userlevel 4
Hello, Yury,

thanks for your reply.

At this point I haven't configured any NAC profiles, only on the V2110 side (Authenticated/Non-Authenticated). Should I configure NAC profiles? My NAC version is 7.1.1.9.

If I switch to "Redirect detection messages to the Captive Portal", will it affect all SSIDs? Are there any side effects?

Are there any ways to troubleshoot the endless registration? Any logs? During this process there are no clients in Endpoints. But this is for wired, and with non-Summit switches.

Thank you very much, Yury!
Userlevel 5
If you enable Captive Portal on NAC (and you did), that should be enough. Since you don't see the clients in the end-system table, check two things: 1. Did you enable MAC auth on the WLAN? If not, please do it. 2. Check that the RADIUS server shared secret is correct. For the redirect, yes, it is a global setting and will affect all Captive Portal VNSs configured on the controller. There are no side effects, only the pop-up on the client 🙂 By the way, your non-auth and auth do not matter; in your case NAC is the master and controls what roles are assigned (by sending Filter-Id back to the controller).
Userlevel 4
Hello, Yury,

Should NAC be the RADIUS server, or who? If NAC, where can I set the shared secret on NAC's side? I didn't find such a place.

On NAC's side I have only this, and AD authorization works fine through the portal. Is it OK?





Thank you very much!
Userlevel 5
The shared secret is in Appliance Settings, Credentials. The default is ETS_TAG_SHARED_SECRET, but you can change it. And yes, you have to add your NAC to the wireless controller as a RADIUS server and enable MAC auth on the WLAN.
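What the last few replies describe (controller sends a MAC-auth Access-Request to NAC, NAC answers with the role in Filter-Id, and a wrong shared secret shows up as clients never appearing in the end-system table) is easiest to see with both ends of the exchange in one place. The following is an added example, not code from the thread, from Extreme or from NAC: it implements the RFC 2865/2869 packet format with the Python standard library, runs the controller and NAC sides in-process, and assumes that the MAC address is sent as both User-Name and User-Password (a common MAC-auth arrangement) and that `ROLES` is a constructed end-system table. With matching secrets the controller gets `Guest Access` for a registered MAC and `Unregistered` for an unknown one; with a mismatched secret the Message-Authenticator does not verify, the server discards the request without replying, and the controller sees only a timeout.

```python
"""MAC-auth RADIUS exchange with a shared secret (added example, not from the thread).

Builds the Access-Request a wireless controller sends for a MAC-auth client, lets a
minimal "NAC" side validate it, and checks the Access-Accept carrying the role in
Filter-Id. With a wrong shared secret the server cannot authenticate the request and
answers nothing, which the controller sees as a RADIUS timeout. Assumptions not in
the thread: RFC 2865/2869 attribute layout; the MAC is sent as both User-Name and
User-Password; ROLES is a constructed end-system table.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID, MESSAGE_AUTHENTICATOR = 1, 2, 11, 80
ROLES = {"00-11-22-33-44-55": "Guest Access"}  # constructed: MAC -> role NAC assigned

def _attrs(pairs):
    """Encode [(type, value_bytes), ...] as RADIUS type/length/value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def _parse_attrs(data):
    out, pos = {}, 0
    while pos < len(data):
        t, length = data[pos], data[pos + 1]
        out[t], pos = data[pos + 2:pos + length], pos + length
    return out

def _xor_chain(blocks, secret, authenticator, decrypt):
    """RFC 2865 5.2 User-Password hiding: block i is XORed with MD5(secret + previous
    ciphertext block); the first block uses MD5(secret + Request Authenticator)."""
    out, prev = b"", authenticator
    for i in range(0, len(blocks), 16):
        chunk = blocks[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(chunk, key))
        out, prev = out + result, (chunk if decrypt else result)
    return out

def encrypt_password(password, secret, authenticator):
    return _xor_chain(password + b"\x00" * (-len(password) % 16), secret, authenticator, False)

def decrypt_password(cipher, secret, authenticator):
    return _xor_chain(cipher, secret, authenticator, True).rstrip(b"\x00")

def _zero_message_authenticator(packet):
    """Copy of the packet with the Message-Authenticator value zeroed (RFC 2869 5.14)."""
    out, pos = bytearray(packet), 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if t == MESSAGE_AUTHENTICATOR:
            out[pos + 2:pos + length] = b"\x00" * (length - 2)
        pos += length
    return bytes(out)

def controller_request(mac, secret):
    """Controller side: Access-Request for a MAC-auth client -> (packet, Request Authenticator)."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    attrs = _attrs([
        (USER_NAME, mac.encode()),
        (USER_PASSWORD, encrypt_password(mac.encode(), secret, req_auth)),
        (MESSAGE_AUTHENTICATOR, b"\x00" * 16),  # placeholder; HMAC-MD5 filled in below
    ])
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest(), req_auth

def nac_server(packet, secret, roles=ROLES):
    """NAC side. Returns a reply packet, or None (silent discard) when the
    Message-Authenticator does not verify, i.e. the two shared secrets differ."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    expected = hmac.new(secret, _zero_message_authenticator(packet), hashlib.md5).digest()
    if code != ACCESS_REQUEST or not hmac.compare_digest(expected, attrs.get(MESSAGE_AUTHENTICATOR, b"")):
        return None
    if decrypt_password(attrs[USER_PASSWORD], secret, req_auth) != attrs[USER_NAME]:
        reply_code, reply_attrs = ACCESS_REJECT, b""
    else:  # unknown MACs land in the registration role, known ones get their assigned role
        role = roles.get(attrs[USER_NAME].decode(), "Unregistered")
        reply_code, reply_attrs = ACCESS_ACCEPT, _attrs([(FILTER_ID, role.encode())])
    head = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    resp_auth = hashlib.md5(head + req_auth + reply_attrs + secret).digest()  # RFC 2865 section 3
    return head + resp_auth + reply_attrs

def controller_check_reply(reply, req_auth, secret):
    """Controller side: verify the Response Authenticator; return the Filter-Id role or None."""
    if reply is None:
        return None  # RADIUS timeout: nothing came back
    head, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(head + req_auth + attrs + secret).digest()
    if reply[0] != ACCESS_ACCEPT or not hmac.compare_digest(expected, resp_auth):
        return None
    return _parse_attrs(attrs).get(FILTER_ID, b"").decode() or None

def mac_auth(mac, controller_secret, nac_secret, roles=ROLES):
    """One end-to-end exchange; returns the role the controller would apply, or None."""
    packet, req_auth = controller_request(mac, controller_secret)
    return controller_check_reply(nac_server(packet, nac_secret, roles), req_auth, controller_secret)
```

`mac_auth("00-11-22-33-44-55", b"ETS_TAG_SHARED_SECRET", b"ETS_TAG_SHARED_SECRET")` returns `Guest Access`, while passing a different secret on the controller side returns `None` with no reply at all. That silence is the point: a secret mismatch does not produce an Access-Reject, so the end-system table stays empty and the client sits in the registration role, exactly the symptom described above. The Response Authenticator check on the controller side is what stops a spoofed Access-Accept from injecting a different Filter-Id, so it should never be skipped when writing a RADIUS client.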
Userlevel 4
I found it, thanks. Does the default protocol matter? PAP or... MS-CHAP?
Userlevel 5
Ilia, you don't need to use "External" for redirect. Just use "FF-External", so you don't need to worry about ports. We keep "External" only as a legacy option, just to make sure that if the config is upgraded from old controllers it keeps working the same way. FF-ECP is a way better feature.
Userlevel 4
Hello, Yury,

Are you really sure that I have to change it to FF-External?

I've configured the connection to LDAP from NAC and am almost done with the HTML.

But I've no idea what to do next.

I just need to authorize users in AD through NAC's web page....
Userlevel 5
You "don't have to" 🙂 FF-ECP is just a better feature. If you are using br@AP as the users' topology, then you have to use FF-ECP (External will not work). If the controller is v10, then enable "Role Based Redirection" (a global option on VNS). The redirection can be done per Role/Rule.
