
MAC Authentication in VNS with NAC

  • 18 January 2019
  • 5 replies

Hi everybody!

I must create a new SSID for mobile devices and I want to do MAC authentication + WPA-PSK key.

We have a NAC Appliance, so I created a rule that, for the moment, just matches on an end-system group which contains my mobile.
I created a new WLAN service associated with a new SSID, with a WPA-PSK key in "Privacy", and chose "Disabled" in "Auth&Acct" with "Enable MAC-Based Authentication", where I specified my two NAC Appliances as RADIUS servers.

When I try to connect to the SSID with my mobile, I enter my key but the mobile does not connect to the network and doesn't get a DHCP IP. I checked in NAC Manager with the configuration evaluation tool and I see that the mobile matches the correct rule. When I do just WPA-PSK without MAC authentication, it works fine.

Can someone help me?



Userlevel 4
Hi RP,

If you don't see any end systems appearing in NAC, then you should check two things. 1) Make sure your shared secret is correct between the wireless controller and NAC. 2) Make sure you added the wireless controller to NAC as a Switch.

Once you have those two items in place you should at least see an end system appear in the End Systems screen.


Userlevel 7

Please do the following...

  • enable the station events > Controller > Logs > System Log Level > Report station events on controller
  • connect again with the client
  • check the logs > Logs > EWC > Station Events
  • filter on the client MAC
  • post a screenshot of the result

Hi Tyler, Ronald,

@Tyler Marcotte: I see my mobile in NAC's end-systems, and when I run the Configuration evaluation tool, I see that my device matches my rule.

@Ronald Dvorak: I did what you asked, please check my screen:

"Poubelle" is the name of my default catchall policy.


Userlevel 7
"Poubelle" is the name of my default catchall policy.

I'd assume that is not the role that the client should get - correct?!

In the end-system view of this client > what do you get in the columns "profile" and "reason"?

Please post a screenshot of...
  • the rule that you've created
  • "Profile" and "Accept Policy" = the pop-up window if you click on it (see red arrows below)


Correct, he should not take this policy.

In my end-system view for this client, I have the "Poubelle" Profile and the reason "Default Catchall".

My rule with just an end-system group:

My profile:

My policy:

I tested with and without a policy in my profile; I got the same result.

The result of my configuration eval tool: