NAC AAA rule assignment

  • Problem
  • Updated 2 years ago
  • Solved
NAC 6.3.0.168, Wireless V2110 9.21.09.0004
I have a strange issue with devices not using the right AAA rule in the NAC, even though checking the device via the NAC evaluation tool tells me it should be using the right rule.

The NAC is set up to proxy RADIUS to a Windows NPS server. When I run the NAC evaluation tool I get the correct information below, with the correct rule "BYOD-test" passed.
BUT looking at the NAC end-systems data for that device, it goes to the final "catch-all" rule, not the rule the evaluation tool displays.


Any ideas where to look, or are there other tools I can use for testing?

Frank

  • 290 Points

Posted 2 years ago


Pala, Zdenek, Employee

  • 10,186 Points
Is your rule condition(s) based on MAC address? Changing the end-system group (adding a MAC to the group) does not require an enforce, but it can take some time to propagate from NetSight (management) to the gateway (engine). I have also met a situation where this update never happened and a NetSight reboot was necessary to fix the issue.

Regarding debugging, have you tried increasing the verbosity level and checking the logs?

Jeremy, Embassador

  • 9,788 Points
What are the rule requirements for BYOD? Show us your rules.

Frank

  • 290 Points
Here are the rules.


The SMC-Staff NAC rule and SMC-Student NAC rule work perfectly, going to the same Windows NPS.


I will try to find other logs and where to increase the verbosity level. Not sure where these are yet.

Pala, Zdenek, Employee

  • 10,186 Points
https://nac-gw:8444 - there you should have diagnostic tools and logs. The username and password are configured in your NAC Manager.

Jeremy, Embassador

  • 9,788 Points
Yes, you need more logging. What is NAC seeing in the RADIUS packet? Is it sending all the info you expect? What does it look like from a NAC perspective (if you search for the end system and view its "status")?

Tyler Marcotte, Official Rep

  • 2,818 Points
If you show the End System Group that you're keying off of and the User Group, that would help with troubleshooting. Otherwise, like Zdenek said, you can see more diagnostics from the NAC appliance itself.

Frank

  • 290 Points
Just an update. Problem found and fixed.

I'd like to thank everyone for showing me the way to look at the extended logs. I did not know they existed. From the logs I found the BYOD rule was skipped by the NAC when it was processing the rule order. From this I assumed I did run "Enforce all" on the NAC when I first created the rule, but it seems I did not. Enforced the rule and now it is working as intended.
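The root cause in this thread is configuration drift between management and the engine: the evaluation tool reasons over every rule in the NetSight configuration, while the gateway only evaluates the rules that have actually been enforced to it, so an unenforced rule is silently skipped and the device falls through to the catch-all. The following is an added example, not code from the thread or from Extreme Networks, that models ordered first-match rule evaluation from both viewpoints. The rule names are taken from the thread; the group names, conditions and the `enforced` flag are constructed assumptions.

```python
"""Toy model of ordered NAC AAA rule evaluation (added example, not Extreme's code).

Rules are evaluated top to bottom and the first match wins. The management
view evaluates every rule that exists in the configuration, the way the
evaluation tool does; the engine view skips rules that were never enforced
to the gateway, which is the gap described in the thread.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    end_system_groups: FrozenSet[str] = frozenset()  # empty = matches any device
    user_groups: FrozenSet[str] = frozenset()        # empty = matches any user
    enforced: bool = True  # False: exists in management only, never pushed to the engine


def rule_matches(rule: Rule, device_groups: FrozenSet[str],
                 user_groups: FrozenSet[str]) -> bool:
    """A condition with no groups listed is unconditional; otherwise any overlap matches."""
    device_ok = not rule.end_system_groups or bool(rule.end_system_groups & device_groups)
    user_ok = not rule.user_groups or bool(rule.user_groups & user_groups)
    return device_ok and user_ok


def first_match(rules: Sequence[Rule], device_groups: FrozenSet[str],
                user_groups: FrozenSet[str], enforced_only: bool) -> Optional[str]:
    """Return the name of the first matching rule in order, or None if nothing matches."""
    for rule in rules:
        if enforced_only and not rule.enforced:
            continue  # the engine never received this rule, so it cannot match it
        if rule_matches(rule, device_groups, user_groups):
            return rule.name
    return None


def compare_views(rules: Sequence[Rule], device_groups: FrozenSet[str],
                  user_groups: FrozenSet[str]) -> Tuple[Optional[str], Optional[str]]:
    """(what the evaluation tool would report, what the engine actually applies)."""
    return (first_match(rules, device_groups, user_groups, enforced_only=False),
            first_match(rules, device_groups, user_groups, enforced_only=True))


def unenforced_rules(rules: Sequence[Rule]) -> List[str]:
    """Rules present in management but not on the appliance: the warning asked for below."""
    return [r.name for r in rules if not r.enforced]


# Constructed sample configuration mirroring the rule names used in the thread.
RULES = [
    Rule("SMC-Staff", user_groups=frozenset({"Staff"})),
    Rule("SMC-Student", user_groups=frozenset({"Students"})),
    Rule("BYOD-test", end_system_groups=frozenset({"BYOD-Devices"}), enforced=False),
    Rule("Catch-all"),  # no conditions: matches everything that falls through
]

BYOD_DEVICE = frozenset({"BYOD-Devices"})  # constructed MAC group membership of the device
NO_USER = frozenset()                      # the proxied RADIUS user is in no user group


if __name__ == "__main__":
    tool_says, engine_does = compare_views(RULES, BYOD_DEVICE, NO_USER)
    print(f"evaluation tool: {tool_says}, engine: {engine_does}")
    print("unenforced rules:", unenforced_rules(RULES))
```

Running it reports `BYOD-test` from the management view and `Catch-all` from the engine view, which is exactly the mismatch the original post describes; `unenforced_rules` is the check a pre-flight script can run before trusting the evaluation tool's answer. Zdenek's other failure mode, stale group membership on the engine, is the same call with an empty device-group set: `first_match(RULES, frozenset(), NO_USER, True)` also lands on `Catch-all`, so when the engine disagrees with the tool it is worth confirming both that the rule was enforced and that the group membership has propagated.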

James A, Embassador

  • 7,492 Points
That happened to me just the other day. It'd be nice if the config evaluation tool detected you had unenforced appliances and put up a big warning.