Connected wireless clients are not shown in NAC's End-Systems

Question · Answered · Updated 4 weeks ago
Hello, team,

I have a Netsight (7.1.1.9), NAC (7.1.1.9) and V2110 (10.43) installation. Both NAC and V2110 were added to the Netsight console using SNMPv3 and they are OK (green).

Now I am trying to configure wireless user authorization through the NAC.

The problem is that wireless clients are not shown in NAC's End-Systems tab, but they are in the Wireless tab. When they connect to the SSID they get to NAC's portal interface, then they pass authorization with their AD credentials, and then NAC freezes with endless registration. Experienced guys say: bring your clients to NAC's End-Systems tab first. How? They don't appear there.

What could most likely be the problem?


Many thanks in advance,
Ilya

Ilya Semenov
Posted 1 month ago

Ostrovsky, Yury, Employee
Looks like you forgot to enable MAC auth on the WLAN service.

Ilya Semenov
Hello, Yury,

I didn't.

Keene, Scott, Employee NMS/GTAC
Hello,

Be sure the wireless WLAN has RADIUS enabled and is pointed to the NAC appliance (and with the proper shared secret). The end system needs to show up in NAC Manager from RADIUS first, before the captive portal login can be attempted. If your user is not authenticated with RADIUS first, the captive portal will not work, so in this case the default "unauthenticated" behavior of the wireless controller should not redirect users to NAC's captive portal, i.e. only the "authenticated" role should do this.

Regards,

Scott Keene
NMS/NAC Support
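To make the "RADIUS first, portal second" point concrete, here is an added example (not Extreme code and not part of this thread) that builds the RFC 2865 Access-Request a wireless controller sends for MAC authentication, answers it the way a RADIUS server would, and shows what goes wrong when the shared secret on the controller and the NAC appliance differ. The MAC address, the NAS IP, the secret value and the Filter-Id role string are constructed placeholders; the attribute set is a typical minimum, not the exact set a V2110 sends.

```python
"""Minimal RADIUS MAC-auth exchange (RFC 2865) to show what the controller must
send NAC before an end system can exist, and why a wrong shared secret breaks
it silently.  Added example with constructed values, not Extreme code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_FILTER_ID, ATTR_CALLING_STATION_ID, ATTR_NAS_PORT_TYPE = 11, 31, 61
NAS_PORT_TYPE_WIRELESS_80211 = 19


def encode_attr(atype, value):
    """Type-Length-Value attribute; the length byte covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    """Return {type: value} for a run of TLV attributes (last value wins)."""
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte chunks with an MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk
    return out


def pap_unhide(hidden, secret, authenticator):
    """Inverse of pap_hide; with the wrong secret this yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_mac_auth_request(mac, secret, nas_ip, identifier=1, authenticator=None):
    """Access-Request as a controller sends it for MAC auth: User-Name and
    User-Password both carry the client MAC (MAC text format is an assumption)."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator must be unpredictable
    attrs = (
        encode_attr(ATTR_USER_NAME, mac.encode())
        + encode_attr(ATTR_USER_PASSWORD, pap_hide(mac.encode(), secret, authenticator))
        + encode_attr(ATTR_CALLING_STATION_ID, mac.encode())
        + encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + encode_attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
    )
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_response(code, request, attrs, secret):
    """Server side: an Access-Accept/Reject bound to the request by the shared secret."""
    identifier, request_authenticator = request[1], request[4:20]
    auth = response_authenticator(code, identifier, attrs, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(response, request, secret):
    """NAS side: a reply whose Response Authenticator does not match is silently dropped."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, identifier, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def demo(secret=b"shared-secret", wrong=b"not-the-secret"):
    """Controller builds the request, the server answers with a role, controller checks it.
    The secret, MAC, NAS IP and role name are constructed placeholders."""
    mac = "00-11-22-33-44-55"
    request = build_mac_auth_request(mac, secret, "192.168.1.10")
    attrs = parse_attrs(request[20:])
    reply = build_response(ACCESS_ACCEPT, request,
                           encode_attr(ATTR_FILTER_ID, b"Unregistered"), secret)
    return {
        "user_seen_by_server": pap_unhide(attrs[ATTR_USER_PASSWORD], secret, request[4:20]),
        "user_seen_with_wrong_secret": pap_unhide(attrs[ATTR_USER_PASSWORD], wrong, request[4:20]),
        "reply_accepted": verify_response(reply, request, secret),
        "reply_accepted_wrong_secret": verify_response(reply, request, wrong),
        "role": parse_attrs(reply[20:])[ATTR_FILTER_ID],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two things to take from the run: with a mismatched secret the server does not see an error, it sees an unrelated byte string where the MAC should be, and the controller discards the server's reply because the Response Authenticator no longer verifies, so no RADIUS session is ever created and nothing reaches End-Systems. Checking the secret on both sides is therefore the first thing to do when a client shows up on the controller but never in NAC.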

Ilya Semenov
Hello, Scott,

The WLAN has RADIUS enabled and it is pointed to NAC with the proper (default) shared secret.

Ilya Semenov
Gentlemen,

All answers are in the one screenshot below.

1) MAC auth is on.
2) NAC is the RADIUS server.
3) NAC and V2110 are connected to Netsight and both are OK.


Bartek
Hi,
As Scott said, the RADIUS settings are crucial. If V2110 is added to the Policy Domain and to NAC and enforced, then the RADIUS settings should be populated in V2110. In addition, make sure that both V2110 and NAC have their time synchronized to let wireless client reauthentication work; both appliances should use the same NTP server configuration.
Regards,
Bartek

Bartek
Did you add V2110 to NAC's Switch Configurations tab? If not, it will never work...

Ilya Semenov
After your advice I've added the EWC to NAC's Switches tab. Still the same result: nothing in End-Systems and endless registration...

Ostrovsky, Yury, Employee
The easiest way is to enable diagnostics. Go to the NAC's web page on port 8443. For the credentials, please check via the old Java app. Then go to Diagnostics and enable the things related to RADIUS. Check the output in /var/log/radius/radius.log. I am sure the problem will be obvious from there.

Ostrovsky, Yury, Employee
Yes, I believe you can upgrade directly from 7.1 to 8.0, although please check the release notes first.
But it's OK, you can create those roles manually on the EWC; make sure the names of the roles are exactly "Unregistered" and "Guest Access", because that's what NAC sends back by default.

Ilya Semenov
Oh, Yury, I am so tired of Extreme N in general and of NAC in particular...

Could you please enlighten me:

1) Where can I see the settings for the Guest Access and Unregistered roles, to create them in V2110?
2) How can I make NAC NOT shift the time by +1 hour? Every day I change it by -1 hr, but in approximately 12 hrs it again sets itself to +1 hr from local time. The time in Hyper-V is correct.
3) I've rebooted the host with NAC, EMC and V2110. Now NAC is green in XMC, but amber in the NAC console. When I open 192.168.1.200 I get a long screen:

and then it fails with:

WTF????

Ostrovsky, Yury, Employee
Just sent you email. We can follow up next week.

Ilya Semenov
Didn't get any emails. Could you please copy it to iliyasemenov@mail.ru?

The previous post was a bit emotional, excuse me.

Ostrovsky, Yury, Employee
You should be getting email by now. Let me know if not.

Ronald Dvorak, Embassador
For what kind of users is that WLAN service?
If they are in the internal AD, I'd assume they are staff.
In that case, why not just use PEAP/NAC instead of the NAC portal?

Ronald Dvorak, Embassador
Nope, no joke....

My question is whether this additional step is needed.
I also use NAC to authenticate my internal/staff clients, but why via a portal if username/password authentication is built into the client = 802.1X PEAP via NAC/LDAP?

I'd understand it if you'd like to authenticate older devices that sometimes don't support PEAP and then choose a portal, or for guest portal access, but not if the clients support PEAP and they are internal/staff = in the AD.

I.e. my rule....

Only a user with 802.1X auth, in the AD group WLAN, in the MAC list Ron, on the SSID Secure Access is able to get this Policy/Role and is able to connect.

The use of 802.1X also makes sure that the connection AP<->Client is encrypted.

Could be that I don't understand the design requirement; that was the reason for my question.

Ilya Semenov
Ron, I am not following you...

What additional step are you talking about?

University students and staff have to input their credentials manually on the NAC portal by hand; SSO is not needed. They have to see the portal interface and the links on it.

The sense of your rule is not clear to me; I am just making my first steps with NAC.

Thank you...

Ronald Dvorak, Embassador
I'd like to be honest with you.... I don't think that someone is able to configure NAC successfully without attending the official training first.

The system is far too comprehensive to know how/where to configure the different parameters/options.
The system can do A LOT, but you'd need to be trained to know how, and that is IMHO nothing that you'd learn from a forum post.

Back in 2014 I took the training and it was 4 weeks (NAC, Policy Manager, BYOD, Netsight), and even after that it took me some playing around in my lab to get a better understanding of how everything works (now it's only two weeks = XMC, NAC).

So my best advice is to attend the training, or pay someone to do the installation for you and use that as hands-on training to learn about the system.

Ilya Semenov
There is no training and there are no NAC experts in Russia. I am an engineer at a partner company, not a customer. I am totally broken. Now the appliance is amber in the console, but green in XMC. Nothing works. Vicious circle.

James A, Embassador
Ilya: what encryption is your Wi-Fi network using? Is changing it to WPA2-Enterprise not an option?