integrate wireless controller with NAC

We have a C35 controller and NetSight. I am just trying right now to make a simple connection to the NAC through a VNS WLAN service. I have set up the RADIUS under authentication for the NAC. In NAC Manager I am able to verify the NAC connection. I have set up the AAA, I believe, correctly. When I try to connect a client I get a message on the client saying wrong user name and password, but in the logs of the controller I see a message that there is no RADIUS server available for WLAN. There has to be something I am missing but I have no idea what. I can send you whatever screenshots you may need to help. Thanks for any help. This has been a very frustrating process.

Darrin Tingey

Posted 1 year ago

Ostrovsky, Yury, Employee

Did you set the correct Shared Secret on WLAN controller? 

Darrin Tingey

Yes, I have the same shared secret on the controller that I have under the credentials tab on the NAC Manager.

Umut Aydin, Escalation Support Engineer

NTP on both correct?
CoA or NAC Integration is in use on the Wireless Controller?

Yacobucci, Ryan, Multi-Tier Technical Support Engineer

Hello,

It sounds like you might be trying to set up an 802.1x WLAN service on the EWC? Is this correct? 
If so, are you doing proxy RADIUS or LDAP authentication?

You said "username and password are correct" so I figured this isn't MAC authentication.

Thanks
-Ryan

Darrin Tingey

Correct, I am wanting to authenticate to the local user name on the AAA settings directly on the NAC. Is that possible?

Yacobucci, Ryan, Multi-Tier Technical Support Engineer

Hello,

It is possible to have NAC authenticate a user based on its existence in the local password repository.

See the following screenshot:


If this is posted and is too small to read I'll send it to a file share.

The top line would check any 802.1x request and if the username is "Username" it would attempt to authenticate it using the local password repository, so as long as the user exists there it would be successful.

The 2nd Line would send any username that has "Proxy\" in the username to the Proxy RADIUS server 1.1.1.1.

The 3rd line would be used for all other authentications that did not pass the 1st and 2nd and attempt LDAP authentication.

You should be able to use the 1st line as an example of how to authenticate a user using the local password repository.

Thanks
-Ryan 

Darrin Tingey

Thank you, I believe I have that set correctly. I get a message on the device that the username and password is incorrect, but the log on the controller shows: No radius server available for WLAN service.

I have the NAC as the RADIUS server on the controller and assigned to the WLAN. I have checked the shared secret many times and they are the same. I am obviously missing something between the controller and the NAC.

Yacobucci, Ryan, Multi-Tier Technical Support Engineer

Did you add the switch into the "Switches" tab in NAC Manager? Is the IP address in the switches tab the same IP address sourcing RADIUS traffic from the EWC?

Thanks
-Ryan

Darrin Tingey

Yes, I have both wireless controllers added in the switches tab in NAC Manager, and I am trying to set up the RADIUS from the primary controller, 10.1.8.30.

Yacobucci, Ryan, Multi-Tier Technical Support Engineer

We're at the point where it might be a good idea to open a ticket. 

First thing GTAC should do is take a trace on the NAC appliance and see if the RADIUS request is being received, and if it's being responded to. The initial error message indicates there is a failure to process the packet. 

You can take a trace on the NAC using tcpdump, and you can enable diagnostics in the NAC webview if you are comfortable with it. I would suggest Authentication Request Processing - NAC and Authentication Request Processing - RADIUS. 

If you aren't comfortable I suggest submitting a ticket and speaking with GTAC. 

Thanks
-Ryan
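
The check suggested in the post above (is the RADIUS request received, and is it answered), as an added example that is not part of the thread and not Extreme tooling: it takes RADIUS UDP payloads already extracted from a tcpdump capture, pairs each Access-Request with its reply, and verifies the reply's Response Authenticator (RFC 2865) against the shared secret. Only 10.1.8.30 comes from the thread; the NAC address, the secrets and the packets are constructed placeholders.

```python
import hashlib
import struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def parse(pkt):
    """Split a RADIUS payload (RFC 2865) into code, id, authenticator, attributes."""
    if len(pkt) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length field")
    return code, ident, pkt[4:20], pkt[20:length]

def response_auth(code, ident, req_auth, attrs, secret):
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def audit(capture, secret):
    """Map (client_ip, request_id) to a verdict for (src, dst, udp_payload) tuples."""
    pending, verdicts = {}, {}
    for src, dst, payload in capture:
        code, ident, auth, attrs = parse(payload)
        if code == 1:                                   # Access-Request
            pending[(src, dst, ident)] = auth
            verdicts[(src, ident)] = "no reply"
        elif (dst, src, ident) in pending:              # reply to a request we saw
            req_auth = pending.pop((dst, src, ident))
            name = CODES.get(code, f"code {code}")
            good = response_auth(code, ident, req_auth, attrs, secret) == auth
            verdicts[(dst, ident)] = name if good else name + ", authenticator mismatch"
    return verdicts

# Constructed sample traffic. 10.1.8.30 is the controller address from the thread;
# the NAC address and both secrets are placeholders.
EWC, NAC, SECRET = "10.1.8.30", "192.0.2.10", b"constructed-secret"

def request(ident):
    attr = b"\x01\x06user"                              # User-Name = "user"
    return struct.pack("!BBH", 1, ident, 20 + len(attr)) + bytes(range(16)) + attr

def reply(code, req, secret):
    auth = response_auth(code, req[1], req[4:20], b"", secret)
    return struct.pack("!BBH", code, req[1], 20) + auth

SAMPLE = [(EWC, NAC, request(1)), (NAC, EWC, reply(3, request(1), SECRET)),
          (EWC, NAC, request(2)), (NAC, EWC, reply(3, request(2), b"other-secret")),
          (EWC, NAC, request(3))]
```

Calling `audit(SAMPLE, SECRET)` separates three cases: a reply that verifies, a reply signed with a different secret, and a request that was never answered.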

Darrin Tingey

Thank you for your help. I have opened a ticket with GTAC.

Thanks