topic RE: C4110-2 wrong role applied to wifi users in ExtremeWireless (General)

C4110-2 wrong role applied to wifi users

Thibault_Rochet — Thu, 04 May 2017 14:26:00 GMT

Hi everyone,

We have a problem, which one appears randomly and we have many diffulcuties to identify the origin and how to resolve it.

Here is the authentication chain:

Client request to authenticate > Access point > C4110-2 Controller > RADIUS Server > Active Directory *here parsing to find user and access right related to him* after that it does the same reverse path.

The problem here is the role applied to the client. Normally a specific role related to the client is setted after finding a match in AD. But in our situation the client take the "Default" role we made which deny all traffic.

You'll find in attachement a screenshot related to the role:

The network has an open SSID and connectable by WPA2-Enterprise (EAP-PEAP)
I can affirm it's linked to authentication because I try with a "test" network setup with WPA2-Personnal (with PSK) and it works perfectly.

We also thought of a VPN tunnel problem between sites but we have the same case in a site direclty connected by MAN network.

We check the logs: we can see the client PC trying to connect but didn't take an IP and the good Role (always the "Default"). We have no logs on RADIUS server.

Last information, on those sites the same network had been working for years and we had this case on different types of AP (2610, 3825i). Controller is a C4110-2 running the software version 09.21.14.0005

Please help me !!

Thibault R.

RE: C4110-2 wrong role applied to wifi users

TylerMarcotte — Thu, 04 May 2017 18:06:00 GMT

Hi Thibault,

If you're not seeing any logs in your RADIUS server, it means that the RADIUS request is not making it to the RADIUS server at all. I would take a trace from your controller to see if it's leaving the controller destined to the radius server.

It's not necessarily an answer, but it's the next step I would take towards troubleshooting.

Tyler

RE: C4110-2 wrong role applied to wifi users

Ostrovsky__Yury — Thu, 04 May 2017 20:07:00 GMT

On the client side, does it show that client connected at all? If it could not make to the radius , from the client perspective you should see something like 'Unable to connect' or similar (depends on the OS). When client passes 'dot1X' stage, it concidered as 'port open now', the next step - to obtain IP.

RE: C4110-2 wrong role applied to wifi users

Ronald_Dvorak — Thu, 04 May 2017 23:53:00 GMT

Check the controller "station event" log = GUI > Logs > EWC: Station Events
In the upper right field put in the MAC of the client and please provide a screenshot for us.

Also check the RADIUS server log for the authentication events.

RE: C4110-2 wrong role applied to wifi users

Careno__Ryan — Fri, 05 May 2017 00:59:00 GMT

Sometimes Windows Servers do not log failed RADIUS login attempts, only successful logins. To confirm, in a dos prompt CLI on the RADIUS Server, you may need to verify RADIUS failure are being logged with command:

==========================================================
c:\ auditpol /get /subcategory:"Network Policy Server"
System audit policy
Category/Subcategory Setting
Logon/Logoff
Network Policy Server Success
c:\
==========================================================

If the output shows Network Policy Server showing "Success and Failure" it's enabled, but if it only shows "Success" like the example above you will need to use the following syntax to enable failure logging:

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

Ryan