Wireless DNS Proxy NAC (Captive Portal) via Eth1

  • Question
  • Updated 5 months ago
  • Answered
  • (Edited)
Hi,

Do you know if DNS Proxy is supported on Eth1 via NAC?

The reason this is required is that we have a Guest wireless bridged directly out the second interface on a pair of wireless controllers to a dedicated DMZ network for Guest internet traffic only.

Currently we have a pair of NAC appliances whose Eth1 interfaces are in the Guest DMZ network.

Currently I have this working by redirecting to Captive Portal using controller based redirect with the redirect URL pointing to the IP address of one of the NAC appliances.

The reason I have to change this to DNS proxy is that although I have some load balancers available that would support fail-over to either of the NACs, these do not have direct access to the internal DNS servers in the DMZ network to resolve any URLs I send to them.

With the use of the Load Balancers I just need to configure the controller based redirect to point to a single URL that points to the load balancers, which in turn resolves to either of the NAC devices (via an internal DNS) dependent on which NAC is available.

The problem I have is that in this particular case I'm not able to plumb the DNS directly into the DMZ network so I have nothing to resolve to, so will need to be reliant on DNS Proxy.

Have configured DNS proxy as per the following GTAC article:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Redirect-Traffic-to-NAC-Using-Proxy...

If I connect to the Guest Wireless I don't get redirected to captive portal, although if I put in the IP address of the NAC device in the client you get the captive portal.

In addition if I put in a URL it does get resolved to the correct IP instead of the NACs, so just seems to be a problem with DNS proxy not doing its job and replacing the IP address of the URL with NAC's instead to display the captive portal page.

My concern is that I need an option on the Eth1 interface that is greyed out, as per below:



This is a summary of my wireless rules:



Wireless controller is running version 10.41.01.0082

NAC / Netsight is running version 8.0.3.46

Many thanks in advance

Martin Flammia


Posted 5 months ago


Bharathiraja, Suresh, Employee

Hi Martin,

Please check below KB for basic debug about DNS proxy issue in NAC.

https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-methodology...

Also, just make sure eth1 is enabled in the NAC interface configuration.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Enable-eth1-Interface-On-A-NAC-Appl...

Thanks,
Suresh.B

Bharathiraja, Suresh, Employee

Hi Martin,

Just wanted to make sure: if you use eth0, will you be able to get this setup working?

Thanks,
Suresh.B

Martin Flammia

Hi Suresh,

Thanks for replying.

Captive portal is currently working via Eth1 but using the wireless controller redirect, and it also works if I manually point the client to either Eth1 interface of either NAC. The bit I'm not sure about is DNS Proxy support on Eth1, or in addition the way that I am trying to do it.

That's a good point, I'll see if I can set something up to try this on Eth0, and do some of the debugging you have suggested in the GTAC article.

Here is a diagram of the setup, to help you visualise what I have described:



In addition, from the screenshot of my initial post of the Eth1 interface do I need to set the 'mode' to 'Advanced Configuration' and if so what services do I need (if any) to select?

My assumption here is also that you believe DNSProxy should work in this scenario, which is at least one main hurdle out of the way, as I can then get down to just debugging it?

Many thanks.

Bharathiraja, Suresh, Employee

Hi Martin,

eth0 and eth1 are just interfaces as per my understanding and there shouldn't be any issues when you use them.

As I can see, only DNS is not doing its job here.

We have to select the end system service with the rest of the services.

End system

The communication to and from end-systems.
  Sub-Services: Portal: Registration & Remediation, Assessment, NetBIOS & DNS Proxy


If even eth0 is also responding the same way, then we have to check the configuration; you might need to create a GTAC case.

Thanks,
Suresh,B