https://community.extremenetworks.com/t5/extremecontrol/radius-management-authentication-on-xmc-xiq-control-21-11-11-37/m-p/18794#M10 Hi Ryan<BR /><BR />sorry for letting you wait on this topic, but for the moment: thanks a lot for your detailed help.<BR /><BR />I was not yet able to analyze / test it, but wanted to get sure you got the appreciation you deserve <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /><BR />I will keep the post updated, as soon as I can find the time to test it.<BR /><BR />Best regards<BR />Dominic Wed, 30 Mar 2022 11:25:00 GMT DominicStalder 2022-03-30T11:25:00Z https://community.extremenetworks.com/t5/extremecontrol/radius-management-authentication-on-xmc-xiq-control-21-11-11-37/m-p/18792#M8 <DIV class="uconBody"><DIV style="page: WordSection1"> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;color:windowtext">Hi Ryan</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;color:windowtext">&nbsp;</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;color:windowtext">Thanks a lot for your reply / this information.</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;color:windowtext">&nbsp;</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;color:windowtext">&gt; Which protocols have you tried at this point?</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;color:windowtext">I tried CHAP and PEAP-msCHAPv2.</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;color:windowtext">&nbsp;</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;color:windowtext">&gt; If you have NTLM authentication set can you also confirm you have successfully joined the AD and that winbindd is running with correct trust secret?</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;color:windowtext">I did check it now, and there is an error:</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;color:windowtext">&nbsp;</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;font-family:&quot;Courier New&quot;;color:windowtext">could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;font-family:&quot;Courier New&quot;;color:windowtext">could not obtain winbind domain name!</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;font-family:&quot;Courier New&quot;;color:windowtext">checking the trust secret for domain (null) via RPC calls failed</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;font-family:&quot;Courier New&quot;;color:windowtext">failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;font-family:&quot;Courier New&quot;;color:windowtext">Could not check secret</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;font-family:&quot;Courier New&quot;;color:windowtext">&nbsp;</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;color:windowtext">Will try to figure this out and fix it.</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;color:windowtext">&nbsp;</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;color:windowtext">For the moment, thanks for this hint!</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;color:windowtext">&nbsp;</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;color:windowtext">Best regards</SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="font-size:12.0pt;color:windowtext">Dominic</SPAN><SPAN lang="EN-US" style="font-size:12.0pt;font-family:&quot;Courier New&quot;;color:windowtext"></SPAN></P> <P style="margin: 0cm;font-size: 11.0pt;font-family: &quot;Calibri&quot;,sans-serif;color: #333333"><SPAN lang="EN-US" style="">&nbsp;</SPAN></P></DIV></DIV> Thu, 10 Mar 2022 14:43:00 GMT https://community.extremenetworks.com/t5/extremecontrol/radius-management-authentication-on-xmc-xiq-control-21-11-11-37/m-p/18792#M8 DominicStalder 2022-03-10T14:43:00Z https://community.extremenetworks.com/t5/extremecontrol/radius-management-authentication-on-xmc-xiq-control-21-11-11-37/m-p/18793#M9 <P>Hello,<BR /><BR />I set it up using XCC controller using MS-CHAPV2 authentication:&nbsp;<BR /><BR /><span class="lia-inline-image-display-wrapper" image-alt="31beee3fa08b48d8ad6414d976454b98.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/2143i423657EA0F87871A/image-size/large?v=v2&amp;px=999" role="button" title="31beee3fa08b48d8ad6414d976454b98.png" alt="31beee3fa08b48d8ad6414d976454b98.png" /></span><BR />Make sure your Control AAA configuration has a line to handle either "Management" auth type or "*":&nbsp;<BR /><BR /></P> <P> </P><P><span class="lia-inline-image-display-wrapper" image-alt="422f51318ffe4f19af736bded03a183a.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/2518i9A06E709D0C1220D/image-size/large?v=v2&amp;px=999" role="button" title="422f51318ffe4f19af736bded03a183a.png" alt="422f51318ffe4f19af736bded03a183a.png" /></span><BR />Then make sure there is a rule that provides the correct authorization string for management access:&nbsp;<BR /><BR /><span class="lia-inline-image-display-wrapper" image-alt="b62a76f8847d44d69f85240d6e4d63ea.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6058i82A7615BCA57ACFA/image-size/large?v=v2&amp;px=999" role="button" title="b62a76f8847d44d69f85240d6e4d63ea.png" alt="b62a76f8847d44d69f85240d6e4d63ea.png" /></span></P> <P><span class="lia-inline-image-display-wrapper" image-alt="f9b1732153804b528862f482e2ac9a0c.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/3203i97F2CB7947D744C3/image-size/large?v=v2&amp;px=999" role="button" title="f9b1732153804b528862f482e2ac9a0c.png" alt="f9b1732153804b528862f482e2ac9a0c.png" /></span><BR /><BR />When you set the AAA line up for "LDAP Authentication" NAC should attempt to join the domain controller on enforce, it will also attempt to join on services restart:<BR /><BR />You can check the /var/log/tag.log to see if there was a domain join failure or success:&nbsp;<BR /><span class="lia-inline-image-display-wrapper" image-alt="b8bd942cf4ea4a1a86b7e18a9616cad4.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/1880iF27E4E2A82F8FBDF/image-size/large?v=v2&amp;px=999" role="button" title="b8bd942cf4ea4a1a86b7e18a9616cad4.png" alt="b8bd942cf4ea4a1a86b7e18a9616cad4.png" /></span><BR />If domain join fails, check permissions:&nbsp;<BR /><BR />https://extremeportal.force.com/ExtrArticleDetail?an=000090980</P> <P><BR />You can check the status of the management login if you go to Alarms/Events&nbsp; --&gt; Type Access Control/NAC<BR /><BR /><span class="lia-inline-image-display-wrapper" image-alt="916e3c61a1974ec69ebc610ff1e5780c.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/4585iC4841331159B8E1B/image-size/large?v=v2&amp;px=999" role="button" title="916e3c61a1974ec69ebc610ff1e5780c.png" alt="916e3c61a1974ec69ebc610ff1e5780c.png" /></span><BR /><BR />Let me know if any of this helps.<BR /><BR />Thanks<BR />-Ryan</P> Sat, 12 Mar 2022 21:35:00 GMT https://community.extremenetworks.com/t5/extremecontrol/radius-management-authentication-on-xmc-xiq-control-21-11-11-37/m-p/18793#M9 Ryan_Yacobucci 2022-03-12T21:35:00Z https://community.extremenetworks.com/t5/extremecontrol/radius-management-authentication-on-xmc-xiq-control-21-11-11-37/m-p/18794#M10 Hi Ryan<BR /><BR />sorry for letting you wait on this topic, but for the moment: thanks a lot for your detailed help.<BR /><BR />I was not yet able to analyze / test it, but wanted to get sure you got the appreciation you deserve <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /><BR />I will keep the post updated, as soon as I can find the time to test it.<BR /><BR />Best regards<BR />Dominic Wed, 30 Mar 2022 11:25:00 GMT https://community.extremenetworks.com/t5/extremecontrol/radius-management-authentication-on-xmc-xiq-control-21-11-11-37/m-p/18794#M10 DominicStalder 2022-03-30T11:25:00Z