802.1X AD Auth with NAC Manager 8.1.1.41 and EWC 10.41 doesn't work

  • Problem
  • Updated 6 months ago
  • Solved

I want to bring a newly installed EWC and NAC Manager with the latest firmware together and activate 802.1X on a particular SSID.

I have configured the shared secret, LDAP connection and so on, and all the other things on both sides.

When a wireless client tries to connect, the only thing to see in the NAC Manager console is:

 Failing proxied request for user "XXXXXX@itgnt.local", due to lack of any response from home server 192.168.44.8 port 1812 

and

Unable to contact RADIUS server: 192.168.44.8 


But this IP is the RADIUS server itself! Why does the NAC Manager have a problem contacting its own RADIUS server?


When I run the RADIUS test on the VNS of the wireless controller, I get:

The Radius Server did not authenticate the user TEST123 on ITGNTAD VNS.
Error: RADIUS_CLIENT_INTERNAL_ERROR.


In case you ask: of course I have restarted the NAC Manager appliance 3 or 4 times.

Could anyone give me some troubleshooting tips?

Regards

Christian

Posted 6 months ago by info@systemhaus-genthin.de
Ostrovsky, Yury, Employee
Hi Christian, on AAA default, advanced, what did you set as your default auth? LDAP? Or RADIUS Proxy?
Ostrovsky, Yury, Employee
And, btw, did you use the default shared secret (ETS_TAG_SHARED_SECRET) or did you change it to something else (on both sides)?

Hello Yury,

At first I tried to work with the HTML "surface". Now I found the point where I can switch to "Advanced" mode, and the window changed.
What is the right order?

Of course the RADIUS secret is changed. I have another SSID which does MAC auth for some devices without security, and this works fine.


Look at the picture. How should the order of auth methods be?



Ostrovsky, Yury, Employee
Looks correct to me. Try to look at the logs: ssh to the NAC appliance and run "tail -f /var/log/radius/radius.log" to see what it is complaining about.
Btw, if you are going to use 802.1X authentication on the wireless and your LDAP is Windows AD, you need to make sure that NAC did "join" the domain. To check that, issue the command "wbinfo -t" from the ssh session; you should see whether the appliance successfully joined the domain (it should be just one line of output with "Success" in it). If it spits out a bunch of lines with errors, e.g. "cannot find domain" etc., then you need to fix that first.
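The two checks Yury suggests (read /var/log/radius/radius.log, then confirm the domain join with wbinfo -t) can be turned into a small offline triage script. The following is an added example, not code from the thread or from the NAC product; it runs on constructed sample text modelled on the messages quoted in the question, so it works without an appliance. The sample log and wbinfo output, the own-IP argument and the function names are all assumptions made here. The "home server" wording in the quoted message is FreeRADIUS proxy wording, where the home server is the configured upstream that the local server forwarded the request to; the script therefore flags the case Christian describes, where that upstream address is the appliance's own address.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread). Offline triage of the two checks
# suggested above. On a real appliance replace the constructed here-strings with:
#   tail -n 200 /var/log/radius/radius.log      (for proxy_timeouts)
#   wbinfo -t                                   (for domain_join_status)

# Constructed sample of radius.log, modelled on the lines quoted in the question.
SAMPLE_RADIUS_LOG='Tue Mar  3 10:15:02 2015 : Info: Ready to process requests.
Tue Mar  3 10:15:07 2015 : Error: Failing proxied request for user "XXXXXX@itgnt.local", due to lack of any response from home server 192.168.44.8 port 1812
Tue Mar  3 10:15:07 2015 : Error: Unable to contact RADIUS server: 192.168.44.8'

# Constructed sample outputs of "wbinfo -t" (winbind trust-secret check):
# a healthy join is a single line containing "succeeded".
WBINFO_OK='checking the trust secret for domain ITGNT via RPC calls succeeded'
WBINFO_FAIL='failed to call wbcCheckTrustCredentials: WBC_ERR_DOMAIN_NOT_FOUND
Could not check secret'

# Read radius.log text on stdin; print "user|home_server_ip|home_server_port"
# for every proxy-timeout line, nothing for other lines.
proxy_timeouts() {
  sed -n -E 's/.*Failing proxied request for user "([^"]+)", due to lack of any response from home server ([0-9.]+) port ([0-9]+).*/\1|\2|\3/p'
}

# $1 = home server IP from the log, $2 = this appliance's own RADIUS address.
# "self-proxy": the proxy target is this very appliance (the situation in the
# question); check the AAA default auth type (LDAP vs. RADIUS Proxy).
# "remote-timeout": a real upstream did not answer; check reachability,
# firewalling and the shared secret on both sides.
classify_home_server() {
  if [ "$1" = "$2" ]; then
    echo "self-proxy"
  else
    echo "remote-timeout"
  fi
}

# Read "wbinfo -t" output on stdin; print "joined" or "not-joined".
domain_join_status() {
  if grep -q 'succeeded'; then
    echo "joined"
  else
    echo "not-joined"
  fi
}

# Combine both checks into one report. $1 = own IP, $2 = radius.log text,
# $3 = wbinfo -t text. Prints one line per finding.
triage() {
  own_ip=$1
  printf '%s\n' "$2" | proxy_timeouts | while IFS='|' read -r user hs_ip hs_port; do
    printf 'proxy: user=%s home_server=%s:%s verdict=%s\n' \
      "$user" "$hs_ip" "$hs_port" "$(classify_home_server "$hs_ip" "$own_ip")"
  done
  printf 'domain join: %s\n' "$(printf '%s\n' "$3" | domain_join_status)"
}

# Demo run on the constructed samples (own IP assumed to be 192.168.44.8).
triage 192.168.44.8 "$SAMPLE_RADIUS_LOG" "$WBINFO_FAIL"
```

On the constructed input the demo reports a self-proxy verdict for the quoted request and a not-joined domain, i.e. both of the conditions Yury asks about; on a live appliance you would feed it the real log tail and wbinfo output instead.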
Thanks, I will try this the next day.

But BTW, we have customers using 3 or 4 Windows domains with an Extreme wireless solution. What can I do if I have 2 or more Windows domains and I need LDAP auth?

Chris
Ostrovsky, Yury, Employee
Are those ADs independent, or do they have a trust relationship?