NAC captive portal shows endless "registration" after successful logon

  • 0
  • 1
  • Problem
  • Updated 4 months ago
  • Solved
Hello, team,

I configure interation of V2110 and NAC Captive portal. User database is an Active Directory.

When users joins SSID he us redirected to NAC's captive portal. If login&password are OK, user gets endless "registration".

At this moment I don't see the user in End-Systems in NAC. There are no logs and ideas how to find out what is a reason.

Please, take a look at my screens below if it may help. I can share all information required. 



This is what happens in Chrome if I try to reopen NAC's URL after endless registration took place:








Please, share your ideas how to solve the issue!

Many thanks in advance,
Ilya
Photo of Ilya Semenov

Ilya Semenov

  • 4,610 Points 4k badge 2x thumb

Posted 5 months ago

  • 0
  • 1
Photo of Rodney Lacroix

Rodney Lacroix

  • 260 Points 250 badge 2x thumb
Are you using the “redirect immediately” option in the network settings of the captive portal? If so, you have to be very specific in your unregistered policy’s allow rule for https. If it’s enabled, try disabling that to see if it addresses it.
Photo of Ilya Semenov

Ilya Semenov

  • 4,610 Points 4k badge 2x thumb
Hi, Rodney,

could you please tell me where exactly in NAC interface could I check that?

"Network settings on the captive portal"?
Photo of Rodney Lacroix

Rodney Lacroix

  • 260 Points 250 badge 2x thumb
Yes. There will be a checkbox for “redirect immediately.” I see you have “Force HTTPs” enabled so I assume your unregistered policy allows HTTPs. However, if you are broadly allowing https you can get into a loop where the client thinks it is registered but NAC thinks it is not, and vice verse. If that’s not enabled we need to look deeper.
Photo of Ilya Semenov

Ilya Semenov

  • 4,610 Points 4k badge 2x thumb
I've found this checkbox, it's off.

You are right, HTTPS is allowed regardless a result of authentucation. I think how to block this.
Photo of Yacobucci, Ryan

Yacobucci, Ryan, Multi-Tier Technical Support Engineer

  • 5,354 Points 5k badge 2x thumb
Hello,

Make sure that the time between the EAC and EWC are within 300 seconds: 

If the times are off by more than 300 seconds the controller will not accept the reauthentication request from NAC and the client will never move out of the Unregistered role: 


GTACKnowledge - NAC End Systems Hung in Captive Portal

Thanks
-Ryan
Photo of Ilya Semenov

Ilya Semenov

  • 4,610 Points 4k badge 2x thumb
Hello, Ryan,

it was synchronized. They have same NTP server now.
Photo of Yacobucci, Ryan

Yacobucci, Ryan, Multi-Tier Technical Support Engineer

  • 5,354 Points 5k badge 2x thumb
Did it fix the issue, or are you still stuck in endless registration?
Photo of Ilya Semenov

Ilya Semenov

  • 4,610 Points 4k badge 2x thumb
This did not fix the issue. Registration process is still endless.
Photo of Yacobucci, Ryan

Yacobucci, Ryan, Multi-Tier Technical Support Engineer

  • 5,354 Points 5k badge 2x thumb
I'd suggest opening a ticket with GTAC. We would need to enable diagnostics and gather forensics to get an idea of what's going wrong.

Thanks
-Ryan
Photo of Ilya Semenov

Ilya Semenov

  • 4,610 Points 4k badge 2x thumb
Hello, Ryan,

unfortunately, I can't do that. This is POV (Prove of Value) project for a customer who has already bought Netsight, but considering buying NAC. 

So, I can't open GTAC case for NAC issues.
Photo of Umut Aydin

Umut Aydin, Escalation Support Engineer

  • 2,290 Points 2k badge 2x thumb
Hello Ryan,

even if there is no existing equipment/contract I'm sure that you will get support from Extremenetworks in this case.

You can get in touch also with your SE and Account Manager for this end customer.

Regards

Umut Aydin
Escalation Support Engineer