Wireless Controller integration with NAC

  • Question
  • Updated 3 years ago
  • Answered
We are running a C5210 controller with V9.15.07.0008 and NMS V6.2.0.199.
We also have an IA-A-20 NAC appliance deployed.
We have two different VNSs configured, one for the production environment and one for public Internet access.

The configuration of the two VNSs is as follows:
  1. Production VNS
  • Configured to use 802.1X authentication
  • 802.1X authentication utilizes a Microsoft NPS server for authentication
  • VNS utilizes a "Bridge @ AP" topology
  2. Public Internet VNS
  • Configured to use MAC authentication
  • MAC authentication utilizes the NAC appliance server for authentication
  • VNS utilizes a "Bridge @ EWC" topology
  • DHCP is provided by the Service Provider
  • The Public Internet topology interface is configured with an IP address in the Service Provider network
  • NAC integration is enabled with the IP address of the NAC appliance configured
If we look in NAC Manager and select "All NAC Appliances", we notice that the "End Systems" tab lists all wireless clients, including the Production clients.
If we select the individual NAC appliance, it only shows the "End Systems" connected to the "Public Internet" VNS. We are also missing device type information, but the IPs resolve.

So now for the questions:

  1. Why do we see the Production clients in NAC Manager as "End Systems" even though the Production VNS is not configured to use the NAC for authentication at all?
  2. Do the Production "End Systems" count towards my "End System" license?
  3. OneView reports the total unique users as the total of both the Production and Public Internet "End Systems"; we would only like to see the "Public Internet" End Systems.
When we deploy the same solution on older code versions (C5210 = V9.01.02.0017 and NMS), we only see the "End Systems" for the "Public Internet" VNS, and NAC also reports on the device types etc.

This question should probably go to GTAC, but I thought let's ask the community first.... ;)

Andre Brits Kannemeyer


Posted 3 years ago


Ronald Dvorak, Embassador


I've run into the same "problem": I'd see clients from another cloud controller even though that one isn't aware of the NAC, so it seems that by integrating the controller into NetSight Console & OneView, NAC will show the clients.

The only thing I'd contribute to your post is on the "device type" issue of your second VNS.
You need to forward the DHCP requests to the NAC as well.
There are some options; I'm not sure which one is the right one in your deployment:
- if you use routed/bridge@EWC and DHCP relay = add the ISP DHCP and NAC IP
- if bridge@EWC and there is a router in between, you'd configure the DHCP helper to forward it to the ISP & NAC
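The reply above says the NAC must see the client's DHCP traffic before it can report a device type. The reason is that NAC device profiling is commonly done by DHCP fingerprinting: the appliance looks at the parameter request list (option 55), vendor class (option 60) and hostname (option 12) in the client's Discover/Request and matches them against a signature table. If the Discover only ever reaches the ISP's DHCP server, there is nothing to fingerprint. The parser below, an added example and not code from the thread or from Extreme's NAC, shows what a profiler extracts from a raw DHCP message. The sample packet, MAC address and the tiny signature table are constructed for illustration and are assumptions, not captured data.

```python
"""Extract the DHCP fields a NAC uses for device-type fingerprinting.

Added example; not code from the original thread or from any NAC product.
Assumes the NAC profiles devices from DHCP options 55, 60 and 12, which is
why a NAC that never sees the client's DHCP traffic shows no device type.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie at offset 236

# Illustrative signature table (assumption, not a real NAC database):
# parameter-request-list -> device family.
SIGNATURES = {
    "1,3,6,15,31,33,43,44,46,47,121,249,252": "Windows",
}


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a raw DHCP message.

    Raises ValueError on a short message, a missing magic cookie or an
    option whose declared length runs past the end of the packet.
    """
    if len(payload) < 240:
        raise ValueError("too short for a DHCP message")
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad option, single byte
            i += 1
            continue
        if code == 255:        # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def dhcp_fingerprint(payload: bytes) -> dict:
    """Pull the profiling-relevant fields out of a DHCP message."""
    opts = parse_dhcp_options(payload)
    mac = payload[28:34]       # chaddr, first 6 bytes for Ethernet (hlen=6)
    prl = ",".join(str(b) for b in opts.get(55, b""))
    return {
        "mac": ":".join("%02x" % b for b in mac),
        "msg_type": opts.get(53, b"\x00")[0],        # 1 = DHCPDISCOVER
        "param_request_list": prl,
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "device_family": SIGNATURES.get(prl, "unknown"),
    }


def build_discover(mac: bytes, prl: bytes, vendor_class: bytes,
                   hostname: bytes) -> bytes:
    """Construct a DHCPDISCOVER for testing (constructed sample, not a capture)."""
    # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    hdr += mac + b"\0" * 10    # chaddr (16 bytes)
    hdr += b"\0" * 64          # sname
    hdr += b"\0" * 128         # file
    opts = b"\x35\x01\x01"     # option 53 = DHCPDISCOVER
    opts += bytes([55, len(prl)]) + prl
    opts += bytes([60, len(vendor_class)]) + vendor_class
    opts += bytes([12, len(hostname)]) + hostname
    opts += b"\xff"
    return hdr + DHCP_MAGIC + opts


if __name__ == "__main__":
    sample = build_discover(bytes.fromhex("001122334455"),
                            bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252]),
                            b"MSFT 5.0", b"LAPTOP01")
    for k, v in dhcp_fingerprint(sample).items():
        print("%-20s %s" % (k, v))
```

When the NAC is not in the DHCP relay/helper path it receives only the controller's authentication events, which carry the MAC and IP but none of these option values, so the device type stays blank even though the IP resolves, exactly the symptom in the question.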


Yacobucci, Ryan, Multi-Tier Technical Support Engineer


This is a new behavior with NetSight 6.2. NetSight NAC Manager will now populate the end systems table with Wireless client events if they are sent to NetSight.

Please check out the following article:


These End Systems are not authenticated, so they do not count towards your End System License count.

Let me know if you have any additional questions.