Guest and IoT Manager Configuration

  • 14 February 2019
  • 21 replies
  • 983 views

Userlevel 7
Hi,

In case you are like me and don't read 170+ pages of the configuration manual you might run into the same issue as me.

After deploying the .ova and the initial IP setup via VM console you need to access the GUI via the admin URL - if you just use the IP you get to the provisioner login and you get "Server error - Please contact Admin".

So please use the below URL to access as admin to finish the initial configuration...

https://<GIM-IP>/GIM/admin/login

-Ron

21 replies

Userlevel 3
Hi Ronald,

I've confirmed that the admin URL is, indeed, missing from the end of Chapter 4 and beginning of Chapter 5 in the GIM configuration guide.

I've created a change request to update the documentation adding the admin URL in both places (post-deployment of the OVA and pre-configuration of the Administrator account at the very top of Chapter 5). Hopefully that works as a resolution moving forward.

I've also created a usability request that the URL be noted at the very end of the OVA deployment setup questions (in the VM console).

Hopefully that will make things a little easier moving forward.
Userlevel 7
Thanks Rodney,

Could it be that the following is also not correct, or am I reading too much into it?

My XMC and NAC have different pw so I've used the XMC one in the below GUI as the field is "XMC AdminPassword" - it should be the NAC pw, correct!?

-Ron


Userlevel 3
No, as labeled that is correctly supposed to be the XMC server password.

The shared secret tab is for the gateway (on the shared secret tab) if using an Access Control Engine for authentication. The NAC password is not used to communicate to the engine, so this labeling is correct.

Use an XMC admin account that has Guest & IoT access, per the help and documentation.
Userlevel 4
Hi guys,

I'm trying Guest & IoT Manager on lab and it's not working as expected...

Just like Ronald's screenshot, it shows Control engine as UP and license as VALID:


But when I try to configure it, it shows an error (as attached) "Error fetching Onboarding Templates. Error on Access Control Engine/XMC"

Taking a look at G&IoT logs, I got: error
Error fetching Onboarding TemplatesStatusCodeError: 500 - undefined

Looking at the XMC server log I got:

2019-02-21 11:33:58,646 ERROR [com.enterasys.netsight.tam.server.web.rs.GimTemplatesRSServiceImpl] GIM Domain is NULL

What am I missing??

Best regards,

-Leo
Userlevel 3
There are XMC-side configurations that you need to accomplish to finish this setup.

That information can be found on page 698 of the Extreme Control User Guide, here:

https://documentation.extremenetworks.com/netsight/8.2/9035980-03_XMC_ExtremeControl_User_Guide_8.2.pdf

Essentially, you need to add the GIM IP to your Control engine configuration, and then configure/add a GIM domain (that includes a Local Password Repository) in which the users will be stored.

Any and all GIM configuration data (aside from GIM machine-specific information like IP, DNS, SMTP and SMS configurations) like Guest Users, provisioners, templates, sponsors, etc., etc., are stored on the XMC server in a repository called a "GIM Domain." You cannot actually SEE the GIM domain on XMC (it is embedded in the XMC database), but once configured, any and all configurations done in the GIM GUI are stored within XMC and the GIM domain.

Takes a while to wrap your head around it, I know.

So your very next steps are to log into your 8.2.4.42 XMC server, highlight the engine group (it has to be the same engine group that your Access Control engine resides that you added in GIM), and add the GIM IP on the "Guest & IoT Managers" tab of the engine group.

Then create/add a GIM domain (on the Details tab of the same engine group) and point it to a local password repository (if authenticating users, this should be the same LPR as in your AAA config). Any local users, provisioners, and sponsors will appear in this LPR with a "GIM" checkmark next to them for clarification purposes.

Save/enforce, and then you are good to go.

I've contacted documentation again to have this added to the GIM doc, so people aren't assuming that they only have to configure one side for GIM.

Just like Access control, you configure the engine, then add it to XMC. No different for GIM deployments.

Hope it helps!
Userlevel 4
Hi Rodney,

I've deployed it on the release day, and the config guide wasn't available... Now I saw the guides... Sorry for my mistake...
I'll try it!

Thanks!
Userlevel 7


I've contacted documentation again to have this added to the GIM doc, so people aren't assuming that they only have to configure one side for GIM.


Exactly what I've done.... took me a while to check out the Control user manual 😀

-Ron
Userlevel 4
Hi Rodney,

It worked! I was missing the user guide =)

This is where I failed:

Then create/add a GIM domain (on the Details tab of the same engine group) and point it to a local password repository (if authenticating users, this should be the same LPR as in your AAA config). Any local users, provisioners, and sponsors will appear in this LPR with a "GIM" checkmark next to them for clarification purposes.


All other settings were OK!

Thank you!
Userlevel 7
No, as labeled that is correctly supposed to be the XMC server password.

The shared secret tab is for the gateway (on the shared secret tab) if using an Access Control Engine for authentication. The NAC password is not used to communicate to the engine, so this labeling is correct.

Use an XMC admin account that has Guest & IoT access, per the help and documentation.


What confuses me is that I've never configured the XMC IP within GIM (as far as I remember).
So how does the GIM know the XMC IP to communicate with XMC to use that username/pw ?!

-Ron
Userlevel 3
WOOT! I think I'll take the rest of the day off. 😉
Userlevel 3
Ron,

GIM communicates ONLY to the Access Control Engine IP address using REST calls.

The Access Control Engine acts as an intermediary between the GIM and XMC (where the actual GIM domain data resides). Part of this communication is providing authentication to XMC to GET/POST information from/to the GIM domain on XMC - this requires that you configure a user with the appropriate GIM rights to read/write this data, as per the documentation.

The GIM configuration on the XMC side is used to validate the location/licensing of GIM, the Access Control Engine(s) it will communicate via, and authentication.
Userlevel 7
Thanks Rodney,

Now it makes more sense.

After a minor config change in my auth rules it's working now.
I had to add a new rule for mgmt access so the provisioner could login.

-Ron

Userlevel 3
Hi,
I have the same "error 500 / GIM Domain is NULL" problem, but I have configured like Rodney said.
XMC & GIM are both version 4.2.6
XMC server.log:
2019-06-19 14:11:11,546 ERROR [com.enterasys.netsight.tam.server.web.rs.GimTemplatesRSServiceImpl] GIM Domain is NULL

GIM = 192.168.64.212


dedicated NAC for guest stuff = 192.168.64.204
XMC is also in same subnet.



Guest and IoT Config is provided with a domain and a password repository:


This password repository contains one User, which is enabled, but has no GIM checkmark.

Engine group "Gäste-NAC" has its own AAA configuration ("Gastportal AAA") which puts requests from location GIM to local auth "GIM_repository". I have no LDAP configs there since I test with local repository only.


Location group "GIM" contains: switch 192.168.64.212, Port: *, AP ID: *
Everything is enforced, but I still get error: "Error fetching Guest Users. Error on Access Control Engine/XMC.
Please check to make sure that your GIM configuration (Manager and GIM domain) on XMC is set correctly."

Does anyone have an idea?
Userlevel 3
Can you confirm on your GIM administration screens that you have the correct gateway identified, shared secret for RADIUS processing to the gateway and that the XMC admin user name and password (or a user with proper GIM administration rights) is configured?
Userlevel 3
My apologies, I did not see the first screen shot. Has the gateway been enforced since modifying/making the GIM changes? I don’t see an enforce flag so I assume so, but want to be sure.
Userlevel 3
Hi Rodney,
thanks for your response. You did not miss the first screenshot, I added it later :-)

Yes, nacg is enforced. I also restarted XMC and logged in with account root and its password into XMC to check if password is correct.
Userlevel 3
So, I just replicated your configuration scenario including a new engine group (including the umlaut), GIM domain, password repository. I did not see any issues.

HOWEVER, I did see the error when I changed the shared secret to something that did not match the entry as it exists on XMC.

On GIM, Administration -> RADIUS, make sure that the shared secret on that page matches the shared secret as defined on your GIM server as entered on the "Guest & IOT Managers" tab of the engine group. Communication, local or otherwise, will happen via RADIUS between GIM and the NAC engine. If the secrets between the two do not match (i.e., mine were both 123456, but I changed the secret on the GIM side to 1234567), you will get the following:


Error fetching Guest Users. Error on Access Control Engine/XMC.
Please check to make sure that your GIM configuration (Manager and GIM domain) on XMC is set correctly.
Userlevel 3
Hi Rodney,
I checked both credentials and they were the same. I changed both of them to 123456 (and also NAC Appliance Group / Appliance Settings / Credentials / Switch Communication / Shared Secret, just to be sure) but the problem still persists.


(Screenshot was made after saving setting and enforcing nacg.)


netsight server log: ERROR [com.enterasys.netsight.tam.server.web.rs.GimTemplatesRSServiceImpl] GIM Domain is NULL
Userlevel 3
At this point, I’m not sure. From what I can tell, everything appears correct and I cannot reproduce the issue without purposely misconfiguring something. Aside from deleting the GIM domain and LPR and recreating, it might be time to have GTAC take a look at the system(s).
Userlevel 3
I guess the only last thing to check here would be to make sure that the FQDN specified as your gateway actually resolves to the .204 gateway, specifically from the GIM device (this would require you to set the DNS domain on the GIM and get to the CLI to execute an nslookup - which is a special debug procedure you can get from GTAC). To eliminate that, maybe try just putting in the .204 address of the engine instead of the FQDN. Aside from that, everything appears to be configured correctly so GTAC would be your next stop so they could gather some further debug info on the config.
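The thread above collects a troubleshooting checklist for the "GIM Domain is NULL" error in two places: Rodney's XMC-side steps (GIM IP on the engine group's "Guest & IoT Managers" tab, GIM domain on the Details tab pointing at a Local Password Repository, save and enforce) and his later findings about the RADIUS shared secret and gateway FQDN resolution. The script below is an added example, not Extreme Networks' code and not taken from any post in this thread: it parses XMC server.log lines in the format quoted here, picks out the GIM-related ERROR entries, and attaches that checklist to each distinct message so an admin working through a long log gets one actionable list per error. The regular expression, the error-to-checklist mapping and the sample log lines (the two real lines quoted in the thread plus constructed noise) are all assumptions of this example.

```python
"""Triage helper for the XMC server.log lines quoted in this thread.

Added example, not Extreme Networks' code. It parses the log line format
shown in the thread and maps the "GIM Domain is NULL" message to the
checks the replies identified. The mapping and the noise lines in the
sample log are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Format of the lines quoted in the thread (assumed from those two lines):
# 2019-02-21 11:33:58,646 ERROR [com.enterasys...GimTemplatesRSServiceImpl] GIM Domain is NULL
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+(?P<msg>.*)$"
)

# Message substring -> checks taken from the thread's replies (assumed
# mapping for this example, not a vendor-published table).
KNOWN_ERRORS = {
    "GIM Domain is NULL": [
        "XMC: the GIM IP is listed on the 'Guest & IoT Managers' tab of the engine "
        "group that holds the Access Control engine entered in GIM",
        "XMC: a GIM domain exists on that engine group's Details tab and points to "
        "a Local Password Repository",
        "XMC: the configuration was saved and enforced to the engine",
        "GIM: Administration -> RADIUS shared secret matches the secret entered on "
        "the 'Guest & IoT Managers' tab",
        "GIM: the gateway FQDN resolves to the engine IP (or enter the IP directly)",
    ],
}


@dataclass
class Finding:
    ts: str
    logger: str
    message: str
    checks: list = field(default_factory=list)


def parse_line(line):
    """Return the fields of one log line, or None for text that is not a
    log record (stack-trace continuation lines, blank lines, etc.)."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Return one Finding per ERROR line whose message contains a known GIM
    error text, with the checklist attached; all other lines are ignored."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        for needle, checks in KNOWN_ERRORS.items():
            if needle in rec["msg"]:
                findings.append(Finding(rec["ts"], rec["logger"], rec["msg"], list(checks)))
    return findings


def summarize(findings):
    """Collapse repeated occurrences of the same message into a count with
    first/last timestamps, so a long server.log yields one checklist per
    distinct error instead of one per line."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(
            f.message, {"count": 0, "first": f.ts, "last": f.ts, "checks": f.checks}
        )
        entry["count"] += 1
        entry["last"] = f.ts
    return summary


# Constructed sample: the two ERROR lines quoted in the thread, plus noise
# the parser must skip (an INFO line, an unrelated ERROR, a trace line).
SAMPLE_LOG = [
    "2019-02-21 11:33:58,646 ERROR [com.enterasys.netsight.tam.server.web.rs.GimTemplatesRSServiceImpl] GIM Domain is NULL",
    "2019-02-21 11:34:02,001 INFO  [com.example.Scheduler] scheduled task complete",
    "2019-02-21 11:34:05,210 ERROR [com.example.Other] connection reset",
    "    at com.example.Other.run(Other.java:42)",
    "2019-06-19 14:11:11,546 ERROR [com.enterasys.netsight.tam.server.web.rs.GimTemplatesRSServiceImpl] GIM Domain is NULL",
]

if __name__ == "__main__":
    for msg, info in summarize(triage(SAMPLE_LOG)).items():
        print(f"{info['count']}x '{msg}' ({info['first']} .. {info['last']})")
        for check in info["checks"]:
            print("  [ ]", check)
```

To use it against a real export, replace SAMPLE_LOG with the lines read from server.log; the unrelated ERROR and the trace line in the sample show that only messages listed in KNOWN_ERRORS produce a checklist, so extending the mapping is the way to cover other GIM messages such as the "Error fetching Guest Users" text seen later in the thread.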
Userlevel 3
Using IP address instead of FQDN did not help. 😞 I will ask GTAC.