Wireless (General)


Connected wireless clients are not shown in NAC's End-Systems

Ilya Semenov 05-22-2018 17:22

Ostrovsky, Yury 05-23-2018 11:15

  • 1.  Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-22-2018 17:09
    Hello, team,

    I have Netsight (7.1.1.9), NAC (7.1.1.9) and V2110 (10.43) installation. Both NAC and V2110 were added to Netsight console using SNMP v3 and they are OK (green).

    Now I try to configure wireless users authorization through the NAC.

    The problem is wireless clients are not shown in NAC's End-Systems tab, but they are in the Wireless tab. When they connect to the SSID they get to NAC's portal interface, then they pass authorization with their AD credentials, and then NAC freezes with endless registration. Experienced guys say: bring your clients to NAC's End-Systems tab first. How? They don't appear there.

    What most likely could be the problem?

    Many thanks in advance,
    Ilya



  • 2.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-22-2018 17:22
    Looks like you forgot to enable MAC-auth on WLAN service.


  • 3.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-22-2018 17:22
    Hello, Yury,

    I didn't.


  • 4.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-22-2018 17:24
    Hello,

    Be sure the wireless WLAN has RADIUS enabled and is pointed to the NAC appliance (and with the proper shared secret). The End System needs to show up in NAC Manager from RADIUS first, before the captive portal login can be attempted. If your user is not authenticated with RADIUS first, the captive portal will not work, so in this case the default "unauthenticated" behavior of the wireless controller should not redirect users to NAC's Captive Portal, i.e. only the "authenticated" Role should do this.

    Regards,

    Scott Keene
    NMS/NAC Support


  • 5.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-22-2018 17:24
    Hello, Scott,

    The WLAN has RADIUS enabled and it is pointed to NAC with proper (default) shared secret.


  • 6.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 06:04
    Gentlemen,

    all answers with one screenshot below.

    1) MAC auth is on.
    2) NAC is the RADIUS server
    3) NAC and V2110 are connected to Netsight and both are OK.




  • 7.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 06:06
    Hi,
    As Scott said, RADIUS settings are crucial. If V2110 is added to the Policy Domain and NAC and enforced, then RADIUS settings should be populated in V2110. In addition, make sure that both V2110 and NAC have time synchronized to let wireless client reauthentication work - both appliances should use the same NTP server configuration.
    Regards, Bartek


  • 8.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 06:09
    Did you add V2110 to NAC switch configurations tab? If not then it would never work...


  • 9.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 06:09
    After your advice I've added EWC to NAC to Switches tab. Still the same result - nothing in End-Systems and endless registration...


  • 10.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    The easiest way is to enable diagnostics. Go to the NAC web page, port 8443. For the creds, please check via the old Java app. Then go to Diagnostics and enable the things related to RADIUS. Check the output at /var/log/radius/radius.log. I am sure the problem will be obvious from there.


  • 11.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    Yury,

    is it enough?



    Before turning this on I had such messages in Radius Log:



    Does it make something clear?


  • 12.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    What is .1.111? Which port of EWC? Looks like the RADIUS request is not coming from the port which NAC is expecting. Probably you added EWC with the IP address of esa0 but your RADIUS request is coming from the Admin port? Or something like that.


  • 13.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    You are right, 192.168.1.111 is the esa0 port. I want EWC and NAC interacting exactly from this port. The Admin port should not be used. Is it possible?


  • 14.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    Correct. If you have an Admin port and are using it somehow, make sure you route your RADIUS packets correctly. The easiest way is just to stop using the admin port at all - just put back the default IP on the admin port, and manage your appliance from the data port. Otherwise you need to fix the routing table on the controller.


  • 15.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    Btw, did you add .1.111 as a switch on NAC? For some reason your NAC complains that it does not recognize this IP address. That should be your NAS.


  • 16.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    Hello, Yury,

    well, we are almost done. Many thanks to you and Bartek.

    I've added V2110 to the Switches tab in NAC.
    Corrected the time on V2110 and NAC - now it's the same.
    Changed the V2110 interface to esa0.

    Now I have clients in NAC's End-Systems!!!! But without usernames, just IPs, MACs and Device Types.

    Also, clients are unable to access any resources, even the gateway and NAC's address where the authorization page is located. Maybe I should change something in Roles in V2110?

    Now I have:


    ...and...





    In Radius Log on NAC I have:

    (9362) --- Request VPs ---
    (9362) User-Name = "446D572C278E"
    (9362) User-Password = ****************
    (9362) NAS-IP-Address = 127.0.0.1
    (9362) NAS-Port = 101
    (9362) NAS-Port-Type = Wireless-Other
    (9362) NAS-Identifier = "SupportVO"
    (9362) Siemens-AP-Serial = "15141805085D0000"
    (9362) Siemens-AP-Name = ****************
    (9362) Siemens-VNS-Name = "SupportVO"
    (9362) Siemens-SSID = "SupportVO"
    (9362) Siemens-BSS-MAC = "D88466272BF8"
    (9362) Siemens-Policy-Name = "Non Authenticated"
    (9362) Siemens-Topology-Name = "Bridged at AP untagged"
    (9362) Calling-Station-Id = "446D572C278E"
    (9362) Called-Station-Id = "D88466272BF8"
    (9362) Acct-Session-Id = "M1a00fbb90002"
    Thu May 24 15:07:13 2018 : Debug: (9362) [etsnac connection_mgr] Using authentication server connection ID: 31.
    Thu May 24 15:07:13 2018 : Info: (9362) [etsnac connection_mgr] AAA Response [ID: 9362, Command: Replace Response Attributes(0x27)]
    (9362) Filter-Id := "Enterasys:version=1:policy=Unregistered"
    (9362) Login-LAT-Port := "0"
    Thu May 24 15:07:13 2018 : Debug: (9362) [etsnac connection_mgr] Releasing authentication server connection ID: 31.
    Thu May 24 15:07:13 2018 : Debug: (9362) [etsnac] The AAA server says to replace the response attributes.
    Thu May 24 15:07:13 2018 : Debug: (9362) modsingle[post-auth]: returned from etsnac (rlm_etsnac) for request 9362
    Thu May 24 15:07:13 2018 : Debug: (9362) [etsnac] = updated
    Thu May 24 15:07:13 2018 : Debug: (9362) } # post-auth = updated
    Thu May 24 15:07:13 2018 : Debug: (9362) Sent Access-Accept Id 183 from 192.168.1.200:1812 to 192.168.1.111:40884 length 0
    Thu May 24 15:07:13 2018 : Debug: (9362) Filter-Id := "Enterasys:version=1:policy=Unregistered"
    Thu May 24 15:07:13 2018 : Debug: (9362) Login-LAT-Port := "0"
    Thu May 24 15:07:13 2018 : Debug: (9362) Finished request
    Thu May 24 15:07:13 2018 : Debug: Thread 2 waiting to be assigned a request
    Thu May 24 15:07:14 2018 : Debug: (9357) Cleaning up request packet ID 178 with timestamp +60856
    Thu May 24 15:07:14 2018 : Debug: Waking up in 0.8 seconds.
    Thu May 24 15:07:14 2018 : Debug: Waking up in 0.2 seconds.
    Thu May 24 15:07:14 2018 : Debug: Thread 4 got semaphore
    Thu May 24 15:07:14 2018 : Debug: Thread 4 handling request 9363, (1873 handled so far)
    Thu May 24 15:07:14 2018 : Debug: (9363) Received Access-Request Id 184 from 192.168.1.111:60091 to 192.168.1.200:1812 length 281
    Thu May 24 15:07:14 2018 : Debug: (9363) User-Name = "446D572C278E"
    Thu May 24 15:07:14 2018 : Debug: (9363) User-Password = "\366\362\245\000\224\ts\247\024\341u@\240\330u\222"
    Thu May 24 15:07:14 2018 : Debug: (9363) NAS-IP-Address = 127.0.0.1
    Thu May 24 15:07:14 2018 : Debug: (9363) NAS-Port = 101
    Thu May 24 15:07:14 2018 : Debug: (9363) NAS-Port-Type = Wireless-Other
    Thu May 24 15:07:14 2018 : Debug: (9363) NAS-Identifier = "SupportVO"
    Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-AP-Serial = "15141316085D0000"
    Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-AP-Name = "15141316085D0000"
    Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-VNS-Name = "SupportVO"
    Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-SSID = "SupportVO"
    Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-BSS-MAC = "D88466270D68"
    Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-Policy-Name = "Non Authenticated"
    Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-Topology-Name = "Bridged at AP untagged"
    Thu May 24 15:07:14 2018 : Debug: (9363) Calling-Station-Id = "446D572C278E"
    Thu May 24 15:07:14 2018 : Debug: (9363) Called-Station-Id = "D88466270D68"
    Thu May 24 15:07:14 2018 : Debug: (9363) Acct-Session-Id = "M1a00fc190002"
    Thu May 24 15:07:14 2018 : Debug: (9363) session-state: No State attribute
    Thu May 24 15:07:14 2018 : Debug: (9363) # Executing section authorize from file /opt/nac/radius/raddb/sites-enabled/nac-server
    Thu May 24 15:07:14 2018 : Debug: (9363) authorize {
    Thu May 24 15:07:14 2018 : Debug: (9363) update control {
    Thu May 24 15:07:14 2018 : Debug: (9363) EXPAND %{Calling-Station-Id}
    Thu May 24 15:07:14 2018 : Debug: (9363) --> 446D572C278E
    Thu May 24 15:07:14 2018 : Debug: (9363) Load-Balance-Key = 446D572C278E
    Thu May 24 15:07:14 2018 : Debug: (9363) } # update control = noop
    Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: calling etsnac (rlm_etsnac) for request 9363
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] *NOT* Continuing proxied conversation, skipping...
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Generated MAC 446d572c278e from Calling-Station-Id: 446D572C278E
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found username from: User-Name: 446D572C278E
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found User-Password attribute: 2, setting auth type to: PAP
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found switch ip from: NAS-IP-Address: 127.0.0.1
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Unable to fine existing NAC request manager instance.
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Making a new request to the AAA server for request ID: 9363
    Thu May 24 15:07:14 2018 : Info: (9363) [etsnac connection_mgr] AAA Request [ID: 9363, Source IP: 192.168.1.111, Command: Authenticate & Authorize Request(0x02)]
    (9363) --- Request VPs ---
    (9363) User-Name = "446D572C278E"
    (9363) User-Password = ****************
    (9363) NAS-IP-Address = 127.0.0.1
    (9363) NAS-Port = 101
    (9363) NAS-Port-Type = Wireless-Other
    (9363) NAS-Identifier = "SupportVO"
    (9363) Siemens-AP-Serial = "15141316085D0000"
    (9363) Siemens-AP-Name = ****************
    (9363) Siemens-VNS-Name = "SupportVO"
    (9363) Siemens-SSID = "SupportVO"
    (9363) Siemens-BSS-MAC = "D88466270D68"
    (9363) Siemens-Policy-Name = "Non Authenticated"
    (9363) Siemens-Topology-Name = "Bridged at AP untagged"
    (9363) Calling-Station-Id = "446D572C278E"
    (9363) Called-Station-Id = "D88466270D68"
    (9363) Acct-Session-Id = "M1a00fc190002"
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac connection_mgr] Using authentication server connection ID: 31.
    Thu May 24 15:07:14 2018 : Info: (9363) [etsnac connection_mgr] AAA Response [ID: 9363, Command: Accept User(0x22)]
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac connection_mgr] Releasing authentication server connection ID: 31.
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Unable to fine existing NAC request manager instance.
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] The AAA server says to accept the request.
    Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: returned from etsnac (rlm_etsnac) for request 9363
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] = ok
    Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: calling chap (rlm_chap) for request 9363
    Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: returned from chap (rlm_chap) for request 9363
    Thu May 24 15:07:14 2018 : Debug: (9363) [chap] = noop
    Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: calling mschap (rlm_mschap) for request 9363
    Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: returned from mschap (rlm_mschap) for request 9363
    Thu May 24 15:07:14 2018 : Debug: (9363) [mschap] = noop
    Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: calling eap (rlm_eap) for request 9363
    Thu May 24 15:07:14 2018 : Debug: (9363) eap: No EAP-Message, not doing EAP
    Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: returned from eap (rlm_eap) for request 9363
    Thu May 24 15:07:14 2018 : Debug: (9363) [eap] = noop
    Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: calling pap (rlm_pap) for request 9363
    Thu May 24 15:07:14 2018 : WARNING: (9363) pap: Auth-Type already set. Not setting to PAP
    Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: returned from pap (rlm_pap) for request 9363
    Thu May 24 15:07:14 2018 : Debug: (9363) [pap] = noop
    Thu May 24 15:07:14 2018 : Debug: (9363) } # authorize = ok
    Thu May 24 15:07:14 2018 : Debug: (9363) Found Auth-Type = Accept
    Thu May 24 15:07:14 2018 : Debug: (9363) Auth-Type = Accept, accepting the user
    Thu May 24 15:07:14 2018 : Debug: (9363) # Executing section post-auth from file /opt/nac/radius/raddb/sites-enabled/nac-server
    Thu May 24 15:07:14 2018 : Debug: (9363) post-auth {
    Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[post-auth]: calling etsnac (rlm_etsnac) for request 9363
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] Processing Response-Packet-Type Access-Accept(2)
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] Not running EAP-TLS User-Name replacement for non EAP authentication
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Generated MAC 446d572c278e from Calling-Station-Id: 446D572C278E
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found username from: User-Name: 446D572C278E
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found User-Password attribute: 2, setting auth type to: PAP
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found switch ip from: NAS-IP-Address: 127.0.0.1
    Thu May 24 15:07:14 2018 : Info: (9363) [etsnac connection_mgr] AAA Request [ID: 9363, Source IP: 192.168.1.111, Command: Post Authorize Request(0x03)]
    (9363) --- Request VPs ---
    (9363) User-Name = "446D572C278E"
    (9363) User-Password = ****************
    (9363) NAS-IP-Address = 127.0.0.1
    (9363) NAS-Port = 101
    (9363) NAS-Port-Type = Wireless-Other
    (9363) NAS-Identifier = "SupportVO"
    (9363) Siemens-AP-Serial = "15141316085D0000"
    (9363) Siemens-AP-Name = ****************
    (9363) Siemens-VNS-Name = "SupportVO"
    (9363) Siemens-SSID = "SupportVO"
    (9363) Siemens-BSS-MAC = "D88466270D68"
    (9363) Siemens-Policy-Name = "Non Authenticated"
    (9363) Siemens-Topology-Name = "Bridged at AP untagged"
    (9363) Calling-Station-Id = "446D572C278E"
    (9363) Called-Station-Id = "D88466270D68"
    (9363) Acct-Session-Id = "M1a00fc190002"
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac connection_mgr] Using authentication server connection ID: 31.
    Thu May 24 15:07:14 2018 : Info: (9363) [etsnac connection_mgr] AAA Response [ID: 9363, Command: Replace Response Attributes(0x27)]
    (9363) Filter-Id := "Enterasys:version=1:policy=Unregistered"
    (9363) Login-LAT-Port := "0"
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac connection_mgr] Releasing authentication server connection ID: 31.
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] The AAA server says to replace the response attributes.
    Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[post-auth]: returned from etsnac (rlm_etsnac) for request 9363
    Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] = updated
    Thu May 24 15:07:14 2018 : Debug: (9363) } # post-auth = updated
    Thu May 24 15:07:14 2018 : Debug: (9363) Sent Access-Accept Id 184 from 192.168.1.200:1812 to 192.168.1.111:60091 length 0
    Thu May 24 15:07:14 2018 : Debug: (9363) Filter-Id := "Enterasys:version=1:policy=Unregistered"
    Thu May 24 15:07:14 2018 : Debug: (9363) Login-LAT-Port := "0"
    Thu May 24 15:07:14 2018 : Debug: (9363) Finished request
    Thu May 24 15:07:14 2018 : Debug: Thread 4 waiting to be assigned a request
    Thu May 24 15:07:15 2018 : Debug: (9358) Cleaning up request packet ID 179 with timestamp +60857
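The log above is what posts 12 and 15 read to spot that the RADIUS source IP (esa0, 192.168.1.111) had not been added as a switch, and posts 18 and 24 add that the policy in the returned Filter-Id must exist as a role on the controller. The following Python is an added example, not from the thread or any Extreme tool: it parses lines in this radius.log format and flags those two conditions plus a NAS-IP-Address/source mismatch. The sample lines are constructed from the quoted ones (request 9370 is invented), and the switch and role inventories are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample, modelled on the radius.log lines quoted in the thread
# (request 9363). Request 9370 is invented to show a second failure mode.
SAMPLE_LOG = """\
Thu May 24 15:07:14 2018 : Debug: (9363) Received Access-Request Id 184 from 192.168.1.111:60091 to 192.168.1.200:1812 length 281
Thu May 24 15:07:14 2018 : Debug: (9363) NAS-IP-Address = 127.0.0.1
Thu May 24 15:07:14 2018 : Debug: (9363) Calling-Station-Id = "446D572C278E"
Thu May 24 15:07:14 2018 : Info: (9363) [etsnac connection_mgr] AAA Request [ID: 9363, Source IP: 192.168.1.111, Command: Authenticate & Authorize Request(0x02)]
Thu May 24 15:07:14 2018 : Debug: (9363) Sent Access-Accept Id 184 from 192.168.1.200:1812 to 192.168.1.111:60091 length 0
(9363) Filter-Id := "Enterasys:version=1:policy=Unregistered"
Thu May 24 15:07:14 2018 : Debug: Thread 4 waiting to be assigned a request
Thu May 24 15:07:20 2018 : Debug: (9370) Received Access-Request Id 190 from 192.168.1.50:40001 to 192.168.1.200:1812 length 281
Thu May 24 15:07:20 2018 : Debug: (9370) NAS-IP-Address = 192.168.1.50
Thu May 24 15:07:20 2018 : Debug: (9370) Calling-Station-Id = "00AABBCCDDEE"
Thu May 24 15:07:20 2018 : Debug: (9370) Sent Access-Accept Id 190 from 192.168.1.200:1812 to 192.168.1.50:40001 length 0
Thu May 24 15:07:20 2018 : Debug: (9370) Filter-Id := "Enterasys:version=1:policy=Staff"
"""

REQ_ID = re.compile(r"\((\d+)\) (.*)$")  # "(9363) rest of line", with or without timestamp
FIELDS = {
    "src_ip": re.compile(r"Received Access-Request Id \d+ from ([\d.]+):\d+"),
    "nas_ip": re.compile(r"NAS-IP-Address = ([\d.]+)"),
    "mac": re.compile(r'Calling-Station-Id = "([^"]*)"'),
    "result": re.compile(r"Sent (Access-\w+) Id \d+"),
    "policy": re.compile(r'Filter-Id := "[^"]*policy=([^:"]+)'),
}

@dataclass
class RadiusRequest:
    rid: str
    src_ip: Optional[str] = None   # UDP source of the Access-Request (the NAS as NAC sees it)
    nas_ip: Optional[str] = None   # NAS-IP-Address attribute (127.0.0.1 in the thread)
    mac: Optional[str] = None      # Calling-Station-Id, which NAC turns into the MAC
    result: Optional[str] = None   # Access-Accept / Access-Reject
    policy: Optional[str] = None   # policy= part of the returned Filter-Id

def parse_radius_log(text: str) -> Dict[str, RadiusRequest]:
    """Group lines by request id and pull out the fields the thread looks at."""
    requests: Dict[str, RadiusRequest] = {}
    for line in text.splitlines():
        m = REQ_ID.search(line)
        if not m:
            continue  # thread/timer chatter carries no request id
        rid, rest = m.group(1), m.group(2)
        req = requests.setdefault(rid, RadiusRequest(rid))
        for name, pattern in FIELDS.items():
            hit = pattern.search(rest)
            if hit:
                setattr(req, name, hit.group(1))
    return requests

def check_requests(text: str, switches: Set[str], roles: Set[str]) -> Dict[str, List[str]]:
    """Map request id -> list of problems; an empty list means the request looks sane."""
    findings: Dict[str, List[str]] = {}
    for rid, req in parse_radius_log(text).items():
        problems: List[str] = []
        if req.src_ip and req.src_ip not in switches:
            problems.append(f"source {req.src_ip} is not in NAC's Switches tab")
        if req.src_ip and req.nas_ip and req.nas_ip != req.src_ip:
            problems.append(f"NAS-IP-Address {req.nas_ip} differs from source {req.src_ip}")
        if req.policy and req.policy not in roles:
            problems.append(f"returned policy '{req.policy}' has no role on the controller")
        findings[rid] = problems
    return findings

if __name__ == "__main__":
    # Assumed inventory: esa0 (192.168.1.111) was not added as a switch, as in the
    # thread, and the controller only has the two default NAC role names.
    SWITCHES = {"192.168.1.50"}
    ROLES = {"Unregistered", "Guest Access"}
    for rid, problems in check_requests(SAMPLE_LOG, SWITCHES, ROLES).items():
        print(rid, "; ".join(problems) or "ok")
```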



  • 17.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    Hello,

    It may be easier if you contact the GTAC via phone to troubleshoot this, but NAC learns usernames from 802.1x or from a Captive Portal login (and in some cases via Kerberos). If the user in NAC has an Authentication Type of MAC Auth and the user did not login/register via NAC's Captive Portal yet, then there will be no username.

    If the user "is" authenticated in NAC (RADIUS) and you see that user in the report on the wireless controller, be sure the Unregistered Role is assigned. All access to the network and to NAC is then dictated by the Role's policies and the Topology of the VNS etc.

    Regards,

    Scott Keene
    NMS/NAC Support


  • 18.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    Ilya, your roles are way off! You have to have at least two roles on the controller named "Unregistered" and "Guest Access". Those are the default role names NAC will send back as non-auth and auth respectively. Unless you changed the policy mapping in the NAC configuration, you have to have those roles.


  • 19.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    Instead of creating roles yourself, you can use the Policy domain 'Extreme Control', push it to the controller, then you don't need to struggle with roles. This domain will push all the necessary things you need for NAC integration. There is also an XMC script available for integration with NAC - using a combination of policy domain push and script will make your life easier.


  • 20.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    Hello, Yury,

    do you mean this policy? Should I apply it to the controller in NAC's console?



    Thanks!



  • 21.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    Yes, but it looks like you have an old NMS where it was using the ExtremeControl domain with PBR. For more than a year (I think starting from 8.0) we are using Role based redirection, therefore the policy domain is updated to that.



  • 22.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15




  • 23.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    I have the same in 7.1...

    It would be difficult for me to upgrade my XMC & NAC installation. Both run under Hyper-V. Are there any upgrade manuals? Is it possible to make a direct upgrade from 7.1 to 8.x?

    Also, in 7.1 applying a policy to EWC in the Switches tab on the NAC console doesn't work. I choose any policy - Default or Extreme Control, click Apply and then OK, Enforce changes, and afterwards the Policy Domain column is empty for EWC. What is it? A bug?


  • 24.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    Yes, I believe you can directly upgrade from 7.1 to 8.0, although please check the Release notes first.
    But it's ok, you can create those roles manually on EWC - make sure the names of the roles are exactly "Unregistered" and "Guest Access" because that's what NAC sends back by default.


  • 25.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    Oh, Yury, I am so tired of Extreme N in general and of NAC in particular...

    Could you please enlighten me:

    1) Where can I see the settings for the Guest Access and Unregistered roles to create them in V2110?
    2) How can I make NAC NOT shift the time by +1 hour? Every day I change it -1hr but in approximately 12hrs it again sets it to +1 to local time. The time in Hyper-V is correct.
    3) I've rebooted the host with NAC, EMC and V2110. Now NAC is green in XMC, but amber in the NAC console. When I open 192.168.1.200 I get a long screen:



    and then it fails with:



    WTF????



  • 26.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    Just sent you email. We can follow up next week.


  • 27.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    Didn't get any emails. Could you please copy it to iliyasemenov@mail.ru?

    The previous post was a bit emotional, excuse me.


  • 28.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-23-2018 11:15
    You should be getting email by now. Let me know if not.


  • 29.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-24-2018 17:13
    For what kind of users is that WLAN service?
    If they are in the internal AD I'd assume they are staff.
    In that case why not just use PEAP/NAC instead of the NAC portal.


  • 30.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-24-2018 17:13
    Ron, are you kidding?

    The main goal is to sell NAC.

    Now the customer has a beautiful web page on Fortigate, where users input their AD credentials. It is impossible to create it on V2110. IMPOSSIBLE.


  • 31.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-24-2018 17:13
    Nope no joke....

    My question is whether this additional step is needed.
    I also use NAC to authenticate my internal/staff clients, but why via a portal if username/password authentication is built into the client = 802.1X PEAP via NAC/LDAP.

    I'd understand if you'd like to authenticate older devices that sometimes don't support PEAP and then choose a portal, or for guest portal access, but not if the clients support PEAP and they are internal/staff = in the AD.

    I.e. my rule....


    Only a user with 802.1X auth, in the AD group WLAN, in the MAC list Ron, on the SSID Secure Access is able to get this Policy/Role and is able to connect.

    The use of 802.1X also makes sure that the connection AP<->Client is encrypted.

    Could be that I don't understand the design requirement - that was the reason for my question.


  • 32.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-24-2018 17:13
    Ron, I am not following you...

    What additional step you are talking about?

    University students and staff have to input their credentials manually on the NAC portal by hand; SSO is not needed. They have to see the portal interface and the links on it.

    The sense of your rule is not clear to me, I am just making my first steps with NAC.

    Thank you...


  • 33.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-24-2018 17:13
    I'd like to be honest with you.... I don't think that someone is able to configure NAC successfully without attending the official training first.

    The system is far too comprehensive to know how/where to configure the different parameters/options.
    The system could do A LOT but you'd need to be trained to know how and that is IMHO nothing that you'd learn in a forum post.

    Back in 2014 I took the training and it was 4 weeks (NAC, Policy Manager, BYOD, Netsight) and even after that it took me some playing around in my lab to get a better understanding of how everything works (now it's only two weeks = XMC, NAC).

    So my best advice is to attend the training or pay someone to do the installation for you and use that as hands-on training to learn about the system.


  • 34.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-24-2018 17:13
    There is no training and there are no experts in NAC in Russia. I am an engineer at a partner company, not a customer. I am totally broken. Now the appliance is amber in the console, but green in XMC. Nothing works. Vicious circle.


  • 35.  RE: Connected wireless clients are not shown in NAC's End-Systems

    Posted 05-24-2018 17:13
    Ilya: what encryption is your Wi-Fi network using? Is changing it to WPA2-Enterprise not an option?