NAC with WiNG Wireless

Hi,

We are setting up a test environment for 802.1X for wireless users using NAC and the WiNG wireless solution before implementing it in production.

we have 4 groups:

Corporate
Consultants
Guest
BYOD

We use only 1 SSID and dynamically assign the VLAN based on these groups.

Corporate - VLAN 5
Consultants - VLAN 10
Guest - VLAN 15
BYOD - VLAN 20


Corporate - the device is a domain computer and the user is a domain user (LDAP)
Consultants - the user is a domain user (LDAP) and the MAC address is whitelisted in NAC
Guest - local users in NAC only
BYOD - the user is a domain user (LDAP) and any device

Corporate, Consultants and BYOD are working very well: the rule hits, LDAP is working fine, authentication passes and the user is dynamically assigned to the right VLAN based on the group.

But we have an issue with the Guest group. In the screenshot below, the user hits the right rule (Guest1_Wireless).

The screenshot below shows the authentication results; the user also passed authentication.

But the user is still rejected due to "the authentication is rejected by radius server" (proxy). As you can see in the screenshot above, the authentication already passed with "Authentication request locally", so there is no need to forward the authentication request to the RADIUS server, but NAC still forwards it to the RADIUS server, which naturally rejects the request.

Why does NAC still forward the authentication request to the RADIUS server? It already hit the first authentication rule, which is "Authenticate request locally".

Marlon

Posted 1 year ago
Keene, Scott, Employee NMS/GTAC
Hello,

The Rules Engine should not pertain to the proxy RADIUS logic, but rather, the AAA Config.  The Config EVAL Tool is something you'd want to rule out here for now, and use the NAC debug to troubleshoot instead.

NAC will proxy RADIUS traffic if your AAA Config is such that it is setup for Proxy RADIUS and also if a Local Authentication line higher in the AAA Config did not match.  We'd need to see the NAC database and NAC debug to determine this in most cases.  You can use this article to assist and you may also want to open a case with GTAC.

https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-methodology...





Regards,

Scott Keene
NMS/NAC Support
Yacobucci, Ryan, Multi-Tier Technical Support Engineer
Hello Marlon,

The configuration evaluation screenshots you have pasted were done on the end system when it was in a MAC authenticated state. The "Authentication" type is set to "MAC" authentication in the first two screenshots. MAC authentication by default is set to be processed locally, and there are no requirements for MAC authentication, so it has been accepted, as expected.

The reject message authentication type is 802.1x. As Scott said above, the AAA configuration will determine what method is used to authenticate the user, so since you have an 802.1x authentication line in the AAA configuration, when the user is attempting to authenticate via 802.1x it will be sent to the back-end RADIUS server.

Do guests have a username/password that would be accepted by NPS? One of the issues with guest access on an 802.1x network is that they don't have working credentials, and will be presented with a prompt to put in credentials, which will always be rejected because they don't have any.

You may be able to utilize the "secure guest access" portal feature, where you have an open SSID on which a user registers and EAC will dynamically create and send them credentials to use on the 802.1x SSID.

Thanks Marlon
-Ryan 
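The two answers above make the same point: the rules engine is not what decides whether a request is proxied; the ordered AAA configuration is, and it is evaluated per authentication type, so a MAC request and an 802.1X request from the same end system can take different paths. The following is an added illustration, not ExtremeControl/NAC code and not taken from the thread's own configuration: a small first-match model of an AAA configuration in which each line applies to an authentication type (and optionally a username pattern) and either authenticates locally or proxies to a named RADIUS server. The line contents, the `guest1` local account, the `NPS` server and the `jdoe` domain user are all constructed sample data. It reproduces the symptom in the thread (MAC auth accepted locally, 802.1X for the same guest forwarded and rejected) and shows how a local 802.1X line placed above the proxy line, scoped to guest usernames, changes the outcome without affecting domain users.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AaaLine:
    """One ordered line of a simplified AAA configuration (model only)."""
    auth_type: str                      # "MAC", "802.1X" or "ANY"
    action: str                         # "LOCAL" or "PROXY"
    proxy: Optional[str] = None         # RADIUS server name for PROXY lines
    user_match: Optional[str] = None    # optional glob on the username


@dataclass(frozen=True)
class AuthRequest:
    auth_type: str                      # "MAC" or "802.1X"
    mac: str
    username: Optional[str] = None      # None for MAC authentication
    password: Optional[str] = None


@dataclass(frozen=True)
class Decision:
    line_index: Optional[int]           # AAA line that handled the request
    handled_by: str                     # "LOCAL", "PROXY:<server>" or "NONE"
    accepted: bool
    reason: str


def evaluate_aaa(config: List[AaaLine], req: AuthRequest,
                 local_users: Dict[str, str],
                 proxy_servers: Dict[str, Dict[str, str]]) -> Decision:
    """The first line whose auth type (and user pattern) matches decides.

    local_users:   username -> password in the NAC's local repository.
    proxy_servers: server name -> {username: password} that server knows
                   (a stand-in for the NPS/AD lookup behind the proxy).
    """
    for idx, line in enumerate(config):
        if line.auth_type not in ("ANY", req.auth_type):
            continue                    # line is for another auth type
        if line.user_match is not None and not fnmatch.fnmatchcase(
                req.username or "", line.user_match):
            continue                    # username pattern does not apply
        if line.action == "LOCAL":
            if req.auth_type == "MAC":
                # MAC auth carries no credentials to verify, so a local
                # MAC line accepts the request outright.
                return Decision(idx, "LOCAL", True, "MAC auth accepted locally")
            ok = (req.username in local_users
                  and local_users[req.username] == req.password)
            return Decision(idx, "LOCAL", ok,
                            "local user accepted" if ok
                            else "not a local user or wrong password")
        if line.action == "PROXY":
            known = proxy_servers.get(line.proxy, {})
            ok = req.username in known and known[req.username] == req.password
            return Decision(idx, f"PROXY:{line.proxy}", ok,
                            "accepted by RADIUS server" if ok
                            else "rejected by RADIUS server")
        raise ValueError(f"unknown action {line.action!r}")
    return Decision(None, "NONE", False, "no AAA line matched")


# Constructed sample data (assumed, not taken from the thread).
LOCAL_USERS = {"guest1": "Welcome!23"}          # NAC-local guest account
PROXY_SERVERS = {"NPS": {"jdoe": "domainpw"}}   # domain users known to NPS

# Ordering the thread's symptoms imply: MAC local, every 802.1X proxied.
CONFIG_AS_DESCRIBED = [
    AaaLine("MAC", "LOCAL"),
    AaaLine("802.1X", "PROXY", proxy="NPS"),
]

# Hypothetical fix: a local 802.1X line for guest usernames sits above the
# proxy line, so NAC-local guests are checked before anything is forwarded.
CONFIG_WITH_LOCAL_FIRST = [
    AaaLine("MAC", "LOCAL"),
    AaaLine("802.1X", "LOCAL", user_match="guest*"),
    AaaLine("802.1X", "PROXY", proxy="NPS"),
]


def main() -> None:
    mac = AuthRequest("MAC", "aa:bb:cc:dd:ee:01")
    guest = AuthRequest("802.1X", "aa:bb:cc:dd:ee:01", "guest1", "Welcome!23")
    domain = AuthRequest("802.1X", "aa:bb:cc:dd:ee:02", "jdoe", "domainpw")
    for label, cfg in (("as described", CONFIG_AS_DESCRIBED),
                       ("local first", CONFIG_WITH_LOCAL_FIRST)):
        for req in (mac, guest, domain):
            d = evaluate_aaa(cfg, req, LOCAL_USERS, PROXY_SERVERS)
            print(f"[{label}] {req.auth_type:6} {req.username or req.mac:18} "
                  f"line={d.line_index} via {d.handled_by}: "
                  f"{'ACCEPT' if d.accepted else 'REJECT'} ({d.reason})")


if __name__ == "__main__":
    main()
```

The model deliberately stops at the first applicable line, which is the behaviour Scott describes ("a Local Authentication line higher in the AAA Config did not match"): a local line below the proxy line is never reached, and a local line above it with no username pattern would also capture domain users and reject them. Scoping the local line is what keeps the two populations apart.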
Marlon
Thanks Scott and Ryan.