ExtremeCloud IQ- Site Engine & Extreme Management Center


NAC RADIUS attributes for C35 controller running 10.01.04.0011

Ronald Dvorak 10-31-2016 15:31

  • 1.  NAC RADIUS attributes for C35 controller running 10.01.04.0011

    Posted 10-28-2016 20:07
    We are in the process of migrating from WC4110 controllers to C35 controllers. We use NAC to authenticate the users against AD. This works perfectly on the older controllers. However, not working so well on the new controllers. Apparently there is a minor change needed to get the authentication working correctly.

    For the WC4110, we have them set up in a NAC appliance group:

    Switch type: Layer 2 O-O-B
    Primary gateway:


  • 2.  RE: NAC RADIUS attributes for C35 controller running 10.01.04.0011

    Posted 10-28-2016 20:20
    Hi Scott,

    you'd check why a rule doesn't hit.

    Right click on the client and select "configuration evaluation tool" and then in the next window click on "run evaluation" - click on the rule for details - could you please post the output so we'd take a look.

    -Ron







  • 3.  RE: NAC RADIUS attributes for C35 controller running 10.01.04.0011

    Posted 10-28-2016 20:20
    Sorry I've missed the info that the rule fails because of the location group so just ignore the above post.


  • 4.  RE: NAC RADIUS attributes for C35 controller running 10.01.04.0011

    Posted 10-28-2016 20:23
    Could you please post a screenshot of the location group settings.


  • 5.  RE: NAC RADIUS attributes for C35 controller running 10.01.04.0011

    Posted 10-28-2016 20:23
    Sure thing. There are 4 switch entries here. My two old controllers .10 and .11, and my new C35's .14 and .15. This rule works as intended with .10 and 11 but does not trigger with .14 and 15 and so the users are authenticated against our default-catchall rule rather than this one as they should be.




  • 6.  RE: NAC RADIUS attributes for C35 controller running 10.01.04.0011

    Posted 10-28-2016 20:23
    Just a wild guess... could it be that you've the admin port of the controller connected to the network and the controller is sending the RADIUS requests via that port = isn't using the 10.140.20.x address and the rule doesn't match?


  • 7.  RE: NAC RADIUS attributes for C35 controller running 10.01.04.0011

    Posted 10-28-2016 20:23
    So here is an example if you run the evaluation tool (description above) and the rule fails because of a mismatch in the location group = request from the wrong IP.

    In the top section you'd see the source information of the request.
    Could you check/post that so we'd make sure that the request is coming from .14/.15 with the correct parameters.




  • 8.  RE: NAC RADIUS attributes for C35 controller running 10.01.04.0011

    Posted 10-31-2016 10:12
    Scott,

    Can you double-check the RADIUS set up on your C35 and post a screenshot? There was a bug in v10 of the wireless firmware so when adding a controller, the RADIUS server info was corrupted. Just want to make sure that did not bite you.



  • 9.  RE: NAC RADIUS attributes for C35 controller running 10.01.04.0011

    Posted 10-31-2016 10:12
    Sure, here you go. Radius from the old controller:



    And radius from the new controller:




  • 10.  RE: NAC RADIUS attributes for C35 controller running 10.01.04.0011

    Posted 10-31-2016 14:58
    The config evaluation tool kind of tells me what I was already starting to think. That the data being passed back from the new controller isn't the same as what's being passed back from the old controller.

    Here is where the NAC says I am failing the rule:

    PASSED: The Device Type of: MAC Address: AC:37:43:4A:B2:79, IP Address: 10.147.16.52, Host Name: android-ef3622142e1ba508 passes the any criteria evaluation.

    PASSED: The User: svanarts has LDAP attributes that match the ones defined in LDAP User Group: SJGH-LDAP-USERS.

    FAILED: The Switch IP of: 10.140.20.14, Port: SJGH-ENTERPRISE, SSID: null, AP Name: null, AP MAC: null, AP Serial: null and AP Zone or Group: null and AP Location: null did not match this inclusive criteria.

    Compare that with the old controller where I am passing the rule:

    PASSED: The User: svanarts has LDAP attributes that match the ones defined in LDAP User Group: SJGH-LDAP-USERS.

    PASSED: The Switch IP of 10.140.20.10, SSID: SJGH, AP Name: AP-272 MedStaff-Copy-Room-113, AP MAC: 20-B3-99-B6-7F-29, AP Serial: 13411855595D0000 and AP Zone or Group: null and AP Location: null did match this inclusive criteria.

    PASSED: The Time of: Monday, October 31, 2016 8:55:47 AM PDT passes the any criteria evaluation.
    PASSED: The Operating System Name of: passes the any criteria evaluation.

    So on the new controller I am not seeing the SSID or AP Name being passed back from the controller to the NAC.



  • 11.  RE: NAC RADIUS attributes for C35 controller running 10.01.04.0011

    Posted 10-31-2016 15:03
    Give me a sec I think I know what is going wrong - need to fire up my controller.


  • 12.  RE: NAC RADIUS attributes for C35 controller running 10.01.04.0011

    Posted 10-31-2016 15:12
    OK, in the controller on the Wireless Services click on the NAC that you've selected (NAC1 in my case - the field changes to gray) and then you'd click on RADIUS TLVs to configure which additional information the controller should send in the RADIUS request.
    Normally I choose VNS Name, AP Name, SSID but you'd check what is set on the 4110 pair.

    Here my example...




  • 13.  RE: NAC RADIUS attributes for C35 controller running 10.01.04.0011

    Posted 10-31-2016 15:17
    Just to make sure... the SSID on the C35 is named "SJGH" and not "SJGH-ENTERPRISE" because the location is set to "SJGH" as far as I'd see it from the screenshot.


  • 14.  RE: NAC RADIUS attributes for C35 controller running 10.01.04.0011

    Posted 10-31-2016 15:26
    Bingo! That was it. The RADIUS TLVs. Thank you very much!


  • 15.  RE: NAC RADIUS attributes for C35 controller running 10.01.04.0011

    Posted 10-31-2016 15:31
    Great, I'm glad I was able to help.
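
The comparison made by hand in post 10, as an added example that is not part of the thread or of any Extreme tooling: it parses the two location-criteria lines quoted there and lists the attributes the old controller reported but the new one left as null, which is the sign that the RADIUS TLVs are not being sent and that sessions will fall through to the catch-all rule. `location_matches` is a simplified model of the location match, assumed here for illustration.

```python
import re

# Evaluation-tool lines quoted in post 10 (new C35 first, old WC4110 second).
NEW = ("FAILED: The Switch IP of: 10.140.20.14, Port: SJGH-ENTERPRISE, SSID: null, "
       "AP Name: null, AP MAC: null, AP Serial: null and AP Zone or Group: null "
       "and AP Location: null did not match this inclusive criteria.")
OLD = ("PASSED: The Switch IP of 10.140.20.10, SSID: SJGH, "
       "AP Name: AP-272 MedStaff-Copy-Room-113, AP MAC: 20-B3-99-B6-7F-29, "
       "AP Serial: 13411855595D0000 and AP Zone or Group: null "
       "and AP Location: null did match this inclusive criteria.")

LABEL = re.compile(r"(?:The |, | and )(Switch IP of|Port|SSID|AP Name|AP MAC|"
                   r"AP Serial|AP Zone or Group|AP Location):? ")
TAIL = re.compile(r" did (?:not )?match this inclusive criteria\.?$")

def parse_location(line):
    """Return (result, fields) for one location-criteria line; 'null' becomes None."""
    line = line.strip()
    head = re.match(r"(PASSED|FAILED): (.*)", line)
    tail = TAIL.search(line)
    if not head or not tail:
        raise ValueError("not a location-criteria line")
    body = line[head.start(2):tail.start()]
    hits = list(LABEL.finditer(body))
    fields = {}
    for i, hit in enumerate(hits):
        # A value runs from the end of its label to the start of the next label.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        value = body[hit.end():end].strip()
        fields[hit.group(1).replace(" of", "")] = None if value == "null" else value
    return head.group(1), fields

def missing_attributes(baseline, candidate):
    """Attributes the baseline controller reported but the candidate left empty."""
    return [k for k, v in baseline.items() if v is not None and candidate.get(k) is None]

def location_matches(fields, entry):
    """Simplified model (assumption): every value set in the entry must be equal."""
    return all(fields.get(k) == v for k, v in entry.items())

if __name__ == "__main__":
    _, old = parse_location(OLD)
    result, new = parse_location(NEW)
    print(result, "missing on new controller:", missing_attributes(old, new))
```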