NAC Guest Registration - Different portals by Devicetype

  • Question
  • Updated 4 months ago
  • Answered
Hi Guys,

I'm working on a NAC deployment for a customer, and we are having some issues with Guest Registration while using social media authentication. We use Advanced-Location in NAC.

To make it work as the customer asked, we need to use the Autologin from devices (using a browser is supported and better, but it raises issues with certificate errors, almost all sites are now HTTPS and we can't redirect seamlessly, guests connecting and opening apps instead of browsers, etc.)... But there's another issue: Google auth is not allowed from the WebKit view on Apple iOS devices...

I'm thinking about creating different portals for iOS and Others, where in the iOS portal the Google option should be suppressed, but the Unregistered Loc rules can't be modified to choose Device Types.

I've cloned the rule and put it just above the NAC-generated Unreg rule, just pointing to another portal, but it didn't work: The iOS device is redirected to the new "Googleless" portal, but not to the registration page... It shows a "Your device is registered, you are good to go" and stays in the Unreg-Clone role.

Any ideas?

Best regards,
-Leo
Leonardo Peixoto

Posted 4 months ago

Rodney Lacroix
Are you using the "Redirect Immediately" function on the network settings of the portals? If so, the default url for redirect immediately is the Google favicon via https. If you're allowing https in your unregistered policy (i.e., to Google, specifically or on a broader scale) then you'll get stuck in a loop here, because we assume that the url is only accessible on a completed registration.

If not, then some debugging might be needed.
Yacobucci, Ryan, Multi-Tier Technical Support Engineer
Hey Leo,

Did you make sure to remove the device's registration before another attempt?

The "Your device is registered" message is usually an indication that there is a registration for that device.

If so, like Rodney said, we'd need to get some verbose logging to take a closer look.

Thanks
-Ryan
Leonardo Peixoto
Hi Guys,

By the way, I'm testing on EMC/NAC 8.1.3.65 and IdentiFI 10.41.08.0012 (WS-AP3825i).

Rodney: Yes, I'm using the "Redirect Immediately" and HTTPS is not allowed for www.google.com (trying in the browser, it's not reachable in the Unreg state, just to make sure).

Ryan: Sure... The device is already removed and has no previous registration.

The oddity is that the device is reaching the "Enterprise Remediation" and not the "Enterprise Registration" page, and showing the message "Your device has completed the verification. Network access granted" instead of the Registration Portal.

Attached is verbose logging from this device (by the way, I'm using an Android device for this test... This is a LAB NAC, so there's no sensitive info): https://drive.google.com/drive/folders/0B5JU7eabVqiCbDhoLWN3NHJrTkU?usp=sharing

ISSUE:
It hits the Unregistered Loc: FB iOS (manually created rule), receives the Unregistered-CP NAC Profile (policy = GuestNonAuth, just like the working and NAC-generated Unregistered Loc: FB) and gets redirected to the Social-iOS portal (instead of the FB portal).

WORKING (it shows the registration portal):
It hits the Unregistered Loc: FB (NAC-generated rule when creating the Advanced Location), receives the Unregistered-CP NAC Profile (just as the other rule) and gets redirected to the FB portal (the only different config between both portals is FB = Facebook, MS, Google and Social-iOS = FB, MS).

The difference between the rules that I can see is the "Unregistered user will be redirected to Registration web page." message below the NAC-generated Unregistered Loc: FB (the manual rule doesn't show this message, and I've already tried creating a rule without the 'Loc:', with the same results).

Thanks!
-Leo
Rodney Lacroix
I just ran this test and my GUESS here is, without seeing your configuration, that you don't have a matching "Registered Guests" rule for the device group. Because of this, the rule to match the unregistered device group will always be hit before any "Registered Guests" system rules that have been created.

Try creating a rule like:

Name: iOS Registered
End System Group: Registered Guests
Device Type Group: Apple iOS (assuming this is the same device type group you used)
Profile: Default NAC (or whatever your accept profile is)

Place this rule ABOVE your Unregistered device-type specific rule.

Unfortunately, this will apply to all locations so you will need to create individually unique rules for any and all specific locations these devices might be coming from.
Leonardo Peixoto
Hi Rodney,

The issue is that the device is hitting the Unreg rule correctly and gets redirected to the right portal, but not to the "Enterprise Registration" page, where the guest registration options are shown... So the user can't even register (it shows the "Your device has completed the verification. Network access granted" message).

I tried disabling the custom rules and setting the iOS portal on the NAC-generated Unreg Loc rule... And it works perfectly...

It looks like NAC only redirects the device to the registration portal if it hits the Adv Loc NAC-generated rule, and not a custom rule as I need (Unreg iOS devices to portal A and all others to portal B).

PS: I've created the suggested Registered rule above my custom Unreg rule, but the results are still the same. By the way, my custom rules are above the system rules for now, just to make sure the device will hit them for testing.

Best regards,
-Leo
Leonardo Peixoto
Hi guys,
I have found something...

I'll run some tests and update you asap

Best regards,
-Leo
Leonardo Peixoto
Hi guys,

I was scavenging under-the-hood on NAC config file (ApplianceConfiguration.xml) and I found something...

In the configuration written by EMC or Java client, the NOT working rule looks like this:

    <NacRule>
        <name>Unregistered FB iOS</name>
        <typeStr>CUSTOM</typeStr>
        <nacProfile>Unregistered-CP</nacProfile>
        <portalConfiguration>Social-iOS</portalConfiguration>
        <enabled>true</enabled>
        <authCriteriaTypeStr>AUTH_TYPE</authCriteriaTypeStr>
        <authCriteriaValueStr>AUTH_MAC</authCriteriaValueStr>
        <invertAuthCriteria>false</invertAuthCriteria>
        <userCriteriaTypeStr>ANY</userCriteriaTypeStr>
        <invertUserCriteria>false</invertUserCriteria>
        <devCriteriaTypeStr>ANY</devCriteriaTypeStr>
        <invertDevCriteria>false</invertDevCriteria>
        <locCriteriaTypeStr>LOCATION</locCriteriaTypeStr>
        <locCriteriaValue>FB</locCriteriaValue>
        <invertLocCriteria>false</invertLocCriteria>
        <timeCriteriaTypeStr>ANY</timeCriteriaTypeStr>
        <invertTimeCriteria>false</invertTimeCriteria>
        <deviceTypeCriteriaTypeStr>DEVICETYPE</deviceTypeCriteriaTypeStr>
        <deviceTypeCriteriaValue>Android</deviceTypeCriteriaValue>
        <invertDeviceTypeCriteria>false</invertDeviceTypeCriteria>
        <zone></zone>
    </NacRule>
Checking the NAC-generated rule, I noticed that the <typeStr> entry is not CUSTOM but UNREGISTERED. So I manually edited the ApplianceConfiguration.xml file and changed the attribute to UNREGISTERED, as shown below, and it worked like a charm! Now the selected devices get the right registration portal ("googleless") and all others get the other portal (Google included):
    <NacRule>
        <name>Unregistered FB iOS</name>
        <typeStr>UNREGISTERED</typeStr>
        <nacProfile>Unregistered-CP</nacProfile>
        <portalConfiguration>Social-iOS</portalConfiguration>
        <enabled>true</enabled>
        <authCriteriaTypeStr>AUTH_TYPE</authCriteriaTypeStr>
        <authCriteriaValueStr>AUTH_MAC</authCriteriaValueStr>
        <invertAuthCriteria>false</invertAuthCriteria>
        <userCriteriaTypeStr>ANY</userCriteriaTypeStr>
        <invertUserCriteria>false</invertUserCriteria>
        <devCriteriaTypeStr>ANY</devCriteriaTypeStr>
        <invertDevCriteria>false</invertDevCriteria>
        <locCriteriaTypeStr>LOCATION</locCriteriaTypeStr>
        <locCriteriaValue>FB</locCriteriaValue>
        <invertLocCriteria>false</invertLocCriteria>
        <timeCriteriaTypeStr>ANY</timeCriteriaTypeStr>
        <invertTimeCriteria>false</invertTimeCriteria>
        <deviceTypeCriteriaTypeStr>DEVICETYPE</deviceTypeCriteriaTypeStr>
        <deviceTypeCriteriaValue>Android</deviceTypeCriteriaValue>
        <invertDeviceTypeCriteria>false</invertDeviceTypeCriteria>
        <zone></zone>
    </NacRule>
The caveat is: after a new enforce, it overwrites the attribute back to CUSTOM.

I think the EMC should have an option, in the rule creation screen, to select what type of rule you are creating, but it requires an FR and development...

What do you think?

Best regards,
-Leo
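The finding above comes down to one field: a rule that hands out the Unregistered profile but is typed CUSTOM in ApplianceConfiguration.xml does not trigger the registration page, and an enforce rewrites the field. The script below is an added example (not code from the post or from Extreme Networks) that audits an exported copy of the file for exactly that drift and shows which other fields differ between a hand-made clone and the system-generated rule. It assumes only the element names visible in the XML quoted in the post; the <NacRules> wrapper, the sample rules and the rule name "Unregistered Loc: FB" are constructed for illustration. The patched_copy helper produces a modified copy for offline comparison only; as the reply below says, editing the live file is not a supported procedure.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the two rules discussed in the thread:
# the NAC-generated Unregistered rule and the hand-made device-type clone.
# The <NacRules> wrapper is an assumption; the real file's parent element
# and the remaining criteria fields are omitted here for brevity.
SAMPLE_XML = """<NacRules>
  <NacRule>
    <name>Unregistered Loc: FB</name>
    <typeStr>UNREGISTERED</typeStr>
    <nacProfile>Unregistered-CP</nacProfile>
    <portalConfiguration>FB</portalConfiguration>
    <enabled>true</enabled>
    <authCriteriaTypeStr>AUTH_TYPE</authCriteriaTypeStr>
    <authCriteriaValueStr>AUTH_MAC</authCriteriaValueStr>
    <locCriteriaTypeStr>LOCATION</locCriteriaTypeStr>
    <locCriteriaValue>FB</locCriteriaValue>
    <deviceTypeCriteriaTypeStr>ANY</deviceTypeCriteriaTypeStr>
  </NacRule>
  <NacRule>
    <name>Unregistered FB iOS</name>
    <typeStr>CUSTOM</typeStr>
    <nacProfile>Unregistered-CP</nacProfile>
    <portalConfiguration>Social-iOS</portalConfiguration>
    <enabled>true</enabled>
    <authCriteriaTypeStr>AUTH_TYPE</authCriteriaTypeStr>
    <authCriteriaValueStr>AUTH_MAC</authCriteriaValueStr>
    <locCriteriaTypeStr>LOCATION</locCriteriaTypeStr>
    <locCriteriaValue>FB</locCriteriaValue>
    <deviceTypeCriteriaTypeStr>DEVICETYPE</deviceTypeCriteriaTypeStr>
    <deviceTypeCriteriaValue>Android</deviceTypeCriteriaValue>
  </NacRule>
</NacRules>"""


def load(xml_text):
    """Parse the configuration text (use open(path).read() on a real export)."""
    return ET.fromstring(xml_text)


def rules(root):
    """Yield (name, typeStr, element) for every <NacRule> in document order."""
    for rule in root.iter("NacRule"):
        yield rule.findtext("name", ""), rule.findtext("typeStr", ""), rule


def unregistered_profiles(root):
    """NAC profiles handed out by rules the system itself typed UNREGISTERED."""
    return {r.findtext("nacProfile") for _, t, r in rules(root) if t == "UNREGISTERED"}


def find_drift(root):
    """Names of rules that assign an Unregistered profile but are not typed
    UNREGISTERED; per the thread these land on the remediation page instead
    of the registration portal."""
    unreg = unregistered_profiles(root)
    return [name for name, t, r in rules(root)
            if t != "UNREGISTERED" and r.findtext("nacProfile") in unreg]


def diff_rules(a, b, ignore=("name", "typeStr", "portalConfiguration")):
    """Field-by-field differences between two rules as {tag: (a, b)},
    skipping the fields a clone is expected to change."""
    fa = {c.tag: (c.text or "") for c in a}
    fb = {c.tag: (c.text or "") for c in b}
    return {k: (fa.get(k), fb.get(k)) for k in sorted(set(fa) | set(fb))
            if k not in ignore and fa.get(k) != fb.get(k)}


def patched_copy(xml_text, rule_names):
    """Return a copy of the XML with typeStr forced to UNREGISTERED on the
    named rules. For offline diffing only: the live file is regenerated on
    enforce and hand-editing it is unsupported."""
    root = ET.fromstring(xml_text)
    for name, _, r in rules(root):
        if name in rule_names:
            r.find("typeStr").text = "UNREGISTERED"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    root = load(SAMPLE_XML)
    for name in find_drift(root):
        print("typed CUSTOM but assigns an Unregistered profile:", name)
    generated, clone = [r for _, _, r in rules(root)]
    print("other differences:", diff_rules(generated, clone))
```

Run it against a backup of ApplianceConfiguration.xml after an enforce: any rule listed by find_drift is one the GUI created as CUSTOM, which is the state the thread shows being silently restored.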
Yacobucci, Ryan, Multi-Tier Technical Support Engineer
Hey Leo,

I recommend starting a case with GTAC. 

This should be achievable without modification of configuration XML internally on the NAC as this is not a supported procedure. 

Thanks
-Ryan
Leonardo Peixoto
Hi Ryan,

Can you give me some hints on how can I open this case?

If I ask GTAC the "wrong" questions, this could be complicated.

Best regards,
-Leo
Yacobucci, Ryan, Multi-Tier Technical Support Engineer
Hey Leo,

Check this article out: 

https://gtacknowledge.extremenetworks.com/articles/How_To/Create-a-Case-via-New-Portal

You can always reference this hub article to get started. 

We will ask you to enable the following debug (Right Click the NAC --> WebView --> Diagnostics --> Appliance/Server Diagnostics): 

Captive Portal Display
Authentication Request Processing - EAC
Rules Engine - Criteria
Rules Engine - Authentication
Rules Engine - Authorization

Once these are enabled use the following testing procedure: 

Delete the device from NAC
Connect back to the network
Verify the incorrect portal is hit (Take a screenshot)

Then disable diagnostics (Make sure you disable, running these for long periods of time will eat hard disk)


Send in: /var/log/tag.log from the NAC

NAC DB backup 
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-backup-a-NAC-Database-or-NAC-Config...

Export the end System events for the end system so we know timestamps/MAC address/IP address
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-export-end-system-events-in-NAC-Man...


Thanks
-Ryan