NAC&V2110: unable to change from Admin port to esa0 IP

  • Problem
  • Updated 5 months ago
  • Solved
Hello, team,

I try to follow this article:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Configure-WLAN-Service-For-NAC-Exte...

...and I can't do this:
  • EWC Connection: Change from Admin port IP (192.168.10.1) to esa0 IP

IP-address on esa0 was assigned, but I can't select it here - it's absent and only Admin IP is available. Why?

Many thanks in advance,

Ilya

Ilya Semenov


Posted 5 months ago


Ronald Dvorak, Embassador

What mode is the ESA0 topology... physical?!

Ilya Semenov

Hello, Yury,

thanks for your reply. 

At this point I didn't configure any NAC profiles. Only at V2110 side (Authenticated/Non-Authenticated). Should I configure NAC profiles? My NAC version is 7.1.1.9.

If I switch to "Redirect detection messages to the Captive Portal", will it affect all SSIDs? Are there any side effects?

Are there any ways to troubleshoot endless registration? Any logs? During this process there are no clients in Endpoints. But this for wired and with non-Summit switches.

Thank you very much, Yury!

Ostrovsky, Yury, Employee

If you enable Captive Portal on NAC (and you did) that should be enough.
Since you don’t see the clients in the end-system table, check two things:
1. Did you enable MAC-auth on WLAN? If not, please do it.
2. Check the RADIUS server shared secret is correct.

For redirect, yes, it is a global setting and will affect all Captive Portal VNS’s configured on the controller. There are no side effects, only a pop-up on the client :)

Btw, your non-auth and auth does not matter; in your case NAC is the master and controlling what roles are assigned (via sending Filter-ID back to the controller).

Ilya Semenov

Hello, Yury,

Should NAC be the RADIUS server or who? If NAC, where can I set shared secret on NAC's side? I didn't find such place.

On NAC's side I have only this and AD authorization works fine through portal. Is it OK?






Thank you very much!

Ostrovsky, Yury, Employee

The shared secret is in Appliance setting, Credential. The default is ETS_TAG_SHARED_SECRET but you can change it. And yes, you have to add your NAC to wireless controller as Radius server, and enable mac-auth on wlan.
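The shared-secret check and the Filter-ID hand-off mentioned in the replies above, as an added example (not code from the thread or from the vendor's software): a RADIUS client validates each reply by recomputing the RFC 2865 Response Authenticator with its own copy of the secret, so a mismatch between NAC and the controller makes every reply fail validation. The secrets, role name and packet are constructed sample values.

```python
import hashlib
import hmac
import struct

FILTER_ID = 11  # RFC 2865 attribute type Filter-Id (carries the role name)

def build_response(code, ident, request_auth, attrs, secret):
    """Build a reply as a RADIUS server would (RFC 2865, section 3)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def verify_response(packet, request_auth, secret):
    """Client-side check: does the reply match our copy of the secret?"""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        return False
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def filter_ids(packet):
    """Return every Filter-Id value in the reply."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    found, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == FILTER_ID:
            found.append(packet[pos + 2:pos + alen].decode("utf-8", "replace"))
        pos += alen
    return found

# Constructed sample values, not taken from the thread.
REQUEST_AUTH = bytes(range(16))            # authenticator of the Access-Request
NAC_SECRET = b"secret-set-on-nac"          # value configured on the RADIUS server
CONTROLLER_SECRET = b"secret-on-ewc-typo"  # mistyped value on the RADIUS client
ACCEPT = build_response(2, 7, REQUEST_AUTH, [(FILTER_ID, b"Guest Access")], NAC_SECRET)

if __name__ == "__main__":
    print("mistyped secret:", verify_response(ACCEPT, REQUEST_AUTH, CONTROLLER_SECRET))
    print("matching secret:", verify_response(ACCEPT, REQUEST_AUTH, NAC_SECRET))
    print("roles:", filter_ids(ACCEPT))
```

A client that fails this check discards the reply silently, so a secret mismatch shows up as a timeout on the controller rather than as an explicit reject.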

Ilya Semenov

I found it, thanks. Does the default protocol matter? PAP or... MS-CHAP?

Ostrovsky, Yury, Employee

Ilia, you don't need to use "External" for redirect. Just use "FF-External", so you don't need to worry about ports. We keep "External" as an option only as a legacy option, just to make sure that if the config is upgraded from old controllers it will keep working the same way. FF-ECP is a way better feature.

Ilya Semenov

Hello, Yury,

Are you really sure that I have to change it to FF-External?

I've configured connection to LDAP from NAC and almost done with HTML.

But I've no idea what to do next?

I just need to authorize users in AD through the NAC web page....

Ostrovsky, Yury, Employee

You "don't have to" :) FF-ECP is just a better feature. If you are using br@AP as the user's topology, then you have to use FF-ECP (External will not work). If the controller is v10, then enable "Role Based Redirection" (global option on VNS). The redirection can be done on Role/Rule.