GuestAccess - Authentication settings

  • Question
  • Updated 2 years ago
  • Answered
Hi,

I'm starting to get angry with this config...
Currently, we use sponsoring for our guest access, but the users don't like this.
Now I'm testing how the voucher portal works, but I can't figure out how to configure the authentication:

- I created a voucher and can see that the user is in the local password repository - good so far
- If I want to log in with this voucher, I'm not permitted and fall back to the login page

In the section "Authenticated Web Access" is the "shared authentication" config.
The guide mentions "...where you can map the LDAP/RADIUS/Local User Group to the appropriate end-system group..."

So with this background, I would think that I can say "ok, local password repository maps to the group 'registered end systems'" - but where exactly do I configure that?

In the dialogs I can add LDAP and RADIUS stuff, but I want to choose the local group.


Does anyone have an idea - the documentation is IMHO not helpful.

Regards
Chacko
Posted 2 years ago

Yacobucci, Ryan, Multi-Tier Technical Support Engineer
Hello,

The LDAP/RADIUS group mappings will use LDAP and RADIUS to map end systems to specific groups AFTER authentication. In your case the voucher system creates an account in the local password repository that should be used to authenticate the user. You should check to make sure the local password repository is being used in the AAA configuration and, if you have an advanced configuration, that the Registration (Auth and Admin) isn't set to use another mechanism.

Can you provide a copy of the AAA configuration?

Thanks
-Ryan
Chacko
Hi Ryan,

here is the config for "Authenticated Web Access":

The lowest entry is my created single-user voucher.

Here is the AAA config (the config for default is the same):


But the authentication still doesn't work when I try to log in.
I think I need to configure which local group should be used after the authentication has worked?

Cheers
Chacko
Yacobucci, Ryan, Multi-Tier Technical Support Engineer
Hello Chacko,

When you try to log in, does the system tell you you've been denied network access because you have entered invalid credentials?

The configuration looks good from what I can see: you have a user defined in the local password repository and you have the registration (auth and admin) defined in the AAA. You are positive that is the AAA configuration being used in the configuration, correct?

By default the captive portal "Authenticated" portal methods will move the end system into the "Web Authenticated Users" end system group. You can change the group that is assigned after authentication by using the LDAP/RADIUS group mappings, but these mappings will not have any effect on the authentication itself, just the authorization.

Also, one thing to note is that you're using the "Authenticated Web Access" portal type. This type of portal allows for a SINGLE session for the user, meaning that after authentication the NAC provides a short window of time in which the re-authentication is to take place and allow the user to gain elevated access. If the end system does not attempt re-authentication within 15-20 seconds it may have missed its window of opportunity in this type of portal. Each time the session is ended, for any reason, the user must log in again. Typically we see a better user experience with the "Web Authentication Registration" type, as this allows for a registration for a specific configured duration, so even if the end system goes idle, when it becomes active again it won't need to re-register through the captive portal.

As I previously stated, group assignment will not affect authentication of the device, but only the rule they'll have after they pass registration. If you're seeing "Registration has been denied due to invalid credentials", I would recommend enabling Captive Portal Authentication debug to try and determine why the user's credentials are failing. (Right click the NAC --> WebView --> Diagnostics --> Appliance/Server Diagnostics --> Captive Portal Authentication.) Make sure to turn this off after you are done; it will fill up disk space.

If you're having a problem with the rule hit AFTER authentication of the user credentials is completed, check for reauthentication failures in the "NAC Appliance Events" tab at the bottom. Also, check for the username to show up in the end system events; that's the only way you can tell if the process was successful in an authenticated web access deployment without debug, as the end system MAC address will not be visible in any end system groups due to its temporary nature.

Here is a picture of it working on my lab system:

https://extremenetworks2com-my.sharepoint.com/personal/ryacobuc_extremenetworks_com/_layouts/15/gues...

The events are ordered newest to oldest so you have to read it backwards. 

5th line ---> user initially authenticated to the network
4th line ---> IP address resolution completed
3rd line ---> I authenticated through the "Authenticated Web Access" portal with user "test", reauthentication was completed which is why this new authentication is being displayed
2nd line ---> This is a NEW authentication that occurred after I forced a reauthentication of the device to show the temporary nature of the registrations using this captive portal type.
1st line ---> IP address resolution completed.

Let me know if this helps.
-Ryan
Chacko
Hi Ryan,

many thanks for that guide.
Now, after changing the authentication to "Authenticated Registration", the device is joined to the group "Web Authenticated Users". After the successful authentication, the NAC associates the device with the "accept" rule.

Unfortunately, the DNS queries which are sent to the NAC appliance aren't answered, so the internet access doesn't work properly, but I think that is another problem I can figure out myself.

Many thanks for your help.
Chacko