‎08-08-2019 09:47 AM
In the EAC you can configure the authentication rules in the AAA section. In one of those rules (Management Login) I want to configure a user group.
According to the help file, this should be possible.
User/MAC/Host
Select the Pattern radio button and enter the username, MAC address, or hostname that the end-system must match for this mapping. Or, select the Group radio button and select a user group or end-system group from the drop-down list. If you enter a MAC address, you can use a colon (:) or a dash (-) as an address delimiter, but not a period (.).
The only groups I can select are End-System Groups.
How can I select a user group?
Johan Hendrik
System Architect
Audax
1 ACCEPTED SOLUTION
‎08-21-2019 12:31 PM
The switch might be allowing you in just because the Access was "Accept". Can you change the "Denied Access NAC profile" and set it to "Reject authentication requests".
It will be the option at the top of the profile.
Thanks
-Ryan
7 REPLIES
‎08-21-2019 01:19 PM
Ryan, this works. Thanks for the solution
Johan Hendrik
System Architect
Audax
‎08-21-2019 06:30 AM
Results
Management login to switch 10.2.112.211. No Access granted for User: x326000, due to NAC Filter-Id: Enterasys:version=1:policy=Deny Access, Profile: Registration Denied Access NAC Profile Authentication Protocol: PAP, Request Attributes - Service-Type: 1, User-Name: x326000, Calling-Station-Id: 00-00-00-00-00-00, NAS-IP-Address: 10.2.112.211, OPENFLOW_DATAPATH_ID: 19706979330, NAS-Identifier: SW-A11, Called-Station-Id: 00-04-96-A0-A4-02, NAS-Port-Type: 5, NAS-Port: 0, Source-Address: 10.2.112.211 - Response Attributes - Filter-Id: Enterasys:version=1:policy=Deny Access - This is an administrative request because the MAC is zeros: 00-00-00-00-00-00, username is not null and no EAP-Message, MS-CHAP-Challenge or Tunnel-Client-Endpoint is present.
Management login to wireless controller 10.2.112.3. No Access granted for User: x326000, due to NAC Service-Type: null, Profile: Registration Denied Access NAC Profile Authentication Protocol: PAP, Request Attributes - Service-Type: 7, User-Name: x326000, NAS-IP-Address: 10.2.114.1, NAS-Identifier: EWC, NAS-Port-Type: 5, NAS-Port: 0, Source-Address: 10.2.112.3 - Response Attributes - Filter-Id: Enterasys:version=1:policy=Deny Access, Login-LAT-Port: 0 - This is an administrative request because the MAC is null, username is not null and no EAP-Message, MS-CHAP-Challenge or Tunnel-Client-Endpoint is present.
Johan Hendrik
System Architect
Audax
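Added example (not part of the thread or of the vendor's tooling): a small parser for event lines shaped like the ones quoted above, flagging denied management logins whose response still carries a Filter-Id. RFC 2865 does not permit Filter-Id in an Access-Reject, so such an event means the device received an Access-Accept; the sample lines are constructed and abridged, and the second one is a hypothetical reject-style event.

```python
import re

# Constructed samples, abridged from the event format quoted in this thread.
# The second is hypothetical: how an event might look once the profile rejects.
SAMPLE_EVENTS = [
    "Management login to switch 10.2.112.211. No Access granted for User: x326000, "
    "due to NAC Filter-Id: Enterasys:version=1:policy=Deny Access, Profile: Registration "
    "Denied Access NAC Profile Authentication Protocol: PAP, Request Attributes - "
    "Service-Type: 1, User-Name: x326000, NAS-IP-Address: 10.2.112.211 - Response "
    "Attributes - Filter-Id: Enterasys:version=1:policy=Deny Access - This is an "
    "administrative request because the MAC is zeros: 00-00-00-00-00-00",
    "Management login to switch 10.2.112.211. No Access granted for User: x326000, "
    "Request Attributes - Service-Type: 1, User-Name: x326000 - Response Attributes - "
    "Reply-Message: denied - This is an administrative request",
]

HEAD = re.compile(r"^Management login to (.+?) (\d{1,3}(?:\.\d{1,3}){3})\. "
                  r"(.+?) for User: ([^,]+),")
REQ = re.compile(r"Request Attributes - (.*?) - Response Attributes")
RESP = re.compile(r"Response Attributes - (.*?)(?: - This is|$)")
ATTR = re.compile(r"([A-Za-z][\w-]*): (.*?)(?=, [A-Za-z][\w-]*: |$)")
SERVICE_TYPES = {"1": "Login", "6": "Administrative", "7": "NAS-Prompt"}  # RFC 2865


def _attrs(section_re, line):
    """Parse one 'Name: value, Name: value' section into a dict."""
    m = section_re.search(line)
    return dict(ATTR.findall(m.group(1).strip())) if m else {}


def audit_event(line):
    """Return a finding dict for a management-login event, or None if not one."""
    head = HEAD.search(line)
    if not head:
        return None
    device, ip, decision, user = head.groups()
    req, resp = _attrs(REQ, line), _attrs(RESP, line)
    st, filter_id = req.get("Service-Type"), resp.get("Filter-Id")
    return {
        "device": f"{device} {ip}", "user": user.strip(),
        "service_type": SERVICE_TYPES.get(st, st), "filter_id": filter_id,
        # A denied login that still returns a Filter-Id was answered with an
        # Access-Accept; a management login may ignore the deny policy.
        "accept_with_deny_policy": decision.startswith("No Access")
                                   and filter_id is not None,
    }


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(audit_event(event))
```
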
‎08-17-2019 04:17 PM
I'd have to take a look at the configuration.
If you look at the Alarms & Events --> Events --> Type of "NAC" or "Access Control Engine".
When you log in to the switch and the controller, take a look at those events. Did they hit the same rule?
Does the rule they hit indicate they were returned a "reject"?
Thanks
-Ryan
