topic RE: Wireless Controller integration with NAC in ExtremeCloud IQ- Site Engine Management Center

Wireless Controller integration with NAC

Andre_Brits_Kan — Thu, 09 Jul 2015 02:32:00 GMT

Hi
We are running a C5210 controller with V9.15.07.0008 and NMS V6.2.0.199
We have a IA-A-20 NAC appliance also deployed.
We have 2 different VNS's configured, one for the production environment and one for Public internet access.

The configuration of two VNS's is as follows:

Production VNS

Configured to use 802.1x Authentication
802.1x Authentication utilizes a Microsoft NPS server for authentication
VNS utilizes a "Bridge @ AP" topology

2. Public Internet VNS

Configured to use Mac Authentication
MAC Authentication utilizes the NAC Appliance server for authentication
VNS utilizes a "Bridge @ EWC
DHCP is provided by Service Provider
The Public Internet Topology interface is configured with a IP address in the Service provider network
NAC integration is enabled with the IP address of the NAC appliance configured.

If we look in NAC Manager and select "All NAC Appliances" we notice that the "End Systems" tab lists all wireless clients, including the Production clients.
If we select the individual NAC appliance it only shows the "End systems" connected to the "Public Internet VNS. We are also missing device type information but the IP's resolve

So now for the questions:

Why do we see the Production clients in NAC Manager as "End systems" even though the Production VNS is not configured to use the NAC at all for authentication?
Does the Production "End systems" count towards my "End system" license?
Oneview reports the total unique users as the total of both the Production and Public Internet "End systems" we would only like to see the "Public internet" End systems.

When we deploy the same solution but on older code versions (C5210 = V9.01.02.0017 and NMS 6.1.0.135) we only see the "End systems" for the "Public Internet" and NAC also reports on the Device types ect.

This question should probably go to GTAC but i thought lets ask the community first.... 😉

RE: Wireless Controller integration with NAC

Ronald_Dvorak — Thu, 09 Jul 2015 03:20:00 GMT

Hi,

I've run into the same "problem" that I'd see clients from another cloud controller even that one isn't aware of the NAC - so it seems that by integrating the controller into Netsight Console & OneView that NAC will show the clients.

The only thing that I'd contribute to your post is the "device type" issue of your second VNS.
You need to forward the DHCP request also to the NAC.
There are some options - not sure which one is the right one in your deployment.
- if you use routed/bridge@EWC and DHCP relay = add the ISP DHCP and NAC IP
- if bridge@EWC and there is a router in between you'd configure DHCP helper to foward it to the ISP&NAC

-Ron

RE: Wireless Controller integration with NAC

Ryan_Yacobucci — Fri, 10 Jul 2015 17:36:00 GMT

Hello,

This is a new behavior with NetSight 6.2. NetSight NAC Manager will now populate the end systems table with Wireless client events if they are sent to NetSight.

Please check out the following article:

https://gtacknowledge.extremenetworks.com/articles/Solution/Seeing-Non-NAC-End-Systems-in-NAC-Manage...

These End Systems are not authenticated, so they do not count towards your End System License count.

Let me know if you have any additional questions.

Thanks
-Ryan