NAC Guest Registration - Different portals by Devicetype

LeoP1
Contributor
Hi Guys,

I'm working on a NAC deployment for a customer, and we are having some issues with Guest Registration while using social media authentication. We use Advanced-Location in NAC.

To make it work as the customer asked, we need to use the Autologin from devices (using a browser is supported and better, but it raises issues with certificate errors, almost all sites are now HTTPS and we can't redirect it seamlessly, guests connecting and opening apps instead of browsers, etc)... But there's another issue: The Apple iOS devices WebKit is not allowed for Google auth...

I'm thinking about creating different portals for iOS and Others, where in the iOS portal the Google option should be suppressed, but the Unregistered Loc rules can't be modified to choose Device Types.

I've cloned the rule and put it just above the NAC generated Unreg rule, just pointing to another portal, but it didn't work: The iOS device is redirected to the new "Googleless" portal, but not to the registration page... It shows a "Your device is registered, you are good to go" and stays in the Unreg-Clone role.

Any ideas?

Best regards,
-Leo
10 REPLIES 10

Ryan_Yacobucci
Extreme Employee
Hey Leo,

Check this article out:

https://gtacknowledge.extremenetworks.com/articles/How_To/Create-a-Case-via-New-Portal

You can always reference this hub article to get started.

We will ask you to enable the following debug (Right Click the NAC --> WebView --> Diagnostics --> Appliance/Server Diagnostics):

Captive Portal Display
Authentication Request Processing - EAC
Rules Engine - Criteria
Rules Engine - Authentication
Rules Engine - Authorization

Once these are enabled use the following testing procedure:

Delete the device from NAC
Connect back to the network
Verify the incorrect portal is hit (Take a screenshot)

Then disable diagnostics (Make sure you disable, running these for long periods of time will eat hard disk)

Send in: /var/log/tag.log from the NAC

NAC DB backup
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-backup-a-NAC-Database-or-NAC-Config...

Export the end System events for the end system so we know timestamps/MAC address/IP address
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-export-end-system-events-in-NAC-Man...

Thanks
-Ryan

LeoP1
Contributor
Hi Ryan,

Can you give me some hints on how I can open this case?

If I ask GTAC the "wrong" questions, this could be complicated.

Best regards,
-Leo

Ryan_Yacobucci
Extreme Employee
Hey Leo,

I recommend starting a case with GTAC.

This should be achievable without modification of configuration XML internally on the NAC as this is not a supported procedure.

Thanks
-Ryan

LeoP1
Contributor
Hi guys,
I was scavenging under-the-hood on NAC config file (ApplianceConfiguration.xml) and I found something...

In the configuration written by EMC or Java client, the NOT working rule looks like this:


Unregistered FB iOS
CUSTOM
Unregistered-CP
Social-iOS

true
AUTH_TYPE
AUTH_MAC
false
ANY
false
ANY
false
LOCATION
FB
false
ANY
false
DEVICETYPE
Android
false

Checking the NAC-generated rule, I noticed that the entry is not CUSTOM but UNREGISTERED. So I manually edited the ApplianceConfiguration.xml file and changed the attribute to UNREGISTERED, as shown below, and it worked like a charm! Now the selected devices get the right registration portal ("googleless") and all others get the other portal (google included):

Unregistered FB iOS
UNREGISTERED
Unregistered-CP
Social-iOS

true
AUTH_TYPE
AUTH_MAC
false

ANY
false
ANY
false
LOCATION
FB
false
ANY
false
DEVICETYPE
Android
false

The caveat is: after a new enforce, it overwrites the attribute back to CUSTOM.

I think the EMC should have an option, in the rule creation screen to select what type of rule you are creating, but it requires a FR and development...

What do you think???

Best regards,
-Leo