NAC Guest Registration - Different portals by Devicetype
‎07-12-2018 10:18 AM
Hi Guys,
I'm working on a NAC deployment for a customer, and we are having some issues with Guest Registration while using social media authentication. We use Advanced-Location in NAC.
To make it work as the customer asked, we need to use the Autologin from devices (using a browser is supported and better, but it raises issues with certificate errors, almost all sites are now HTTPS and we can't redirect it seamlessly, guests connecting and opening apps instead of browsers, etc)... But there's another issue: The Apple iOS devices WebKit is not allowed for Google auth...
I'm thinking about creating different portals for iOS and Others, where in the iOS portal the Google option should be suppressed, but the Unregistered Loc rules can't be modified to choose Device Types.
I've cloned the rule and put it just above the NAC generated Unreg rule, just pointing to another portal, but it didn't work: The iOS device is redirected to the new "Googleless" portal, but not to the registration page... It shows a "Your device is registered, you are good to go" and stays in the Unreg-Clone role.
Any ideas?
Best regards,
-Leo
10 REPLIES 10
‎07-13-2018 01:27 PM
Hey Leo,
Check this article out:
https://gtacknowledge.extremenetworks.com/articles/How_To/Create-a-Case-via-New-Portal
You can always reference this hub article to get started.
We will ask you to enable the following debug (Right Click the NAC --> WebView --> Diagnostics --> Appliance/Server Diagnostics):
- Captive Portal Display
- Authentication Request Processing - EAC
- Rules Engine - Criteria
- Rules Engine - Authentication
- Rules Engine - Authorization
Once these are enabled use the following testing procedure:
- Delete the device from NAC
- Connect back to the network
- Verify the incorrect portal is hit (Take a screenshot)
- Then disable diagnostics (Make sure you disable, running these for long periods of time will eat hard disk)
Send in:
- /var/log/tag.log from the NAC
- NAC DB backup: https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-backup-a-NAC-Database-or-NAC-Config...
- Export the end system events for the end system so we know timestamps/MAC address/IP address: https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-export-end-system-events-in-NAC-Man...
Thanks
-Ryan
‎07-13-2018 01:11 PM
Hi Ryan,
Can you give me some hints on how I can open this case?
If I ask GTAC the "wrong" questions, this could be complicated.
Best regards,
-Leo
‎07-12-2018 05:26 PM
Hey Leo,
I recommend starting a case with GTAC.
This should be achievable without modification of configuration XML internally on the NAC as this is not a supported procedure.
Thanks
-Ryan
‎07-12-2018 03:11 PM
Hi guys,
I was scavenging under-the-hood on NAC config file (ApplianceConfiguration.xml) and I found something...
In the configuration written by EMC or Java client, the NOT working rule looks like this:
Unregistered FB iOS
CUSTOM
Unregistered-CP
Social-iOS
true
AUTH_TYPE
AUTH_MAC
false
ANY
false
ANY
false
LOCATION
FB
false
ANY
false
DEVICETYPE
Android
false
Checking the NAC-generated rule I noticed that the entry is not CUSTOM but UNREGISTERED. So I edited manually the ApplianceConfiguration.xml file and changed the attribute to UNREGISTERED, as shown below, and it worked like a charm! Now the selected devices got the right registration portal ("googleless") and all others get the other portal (google included):
Unregistered FB iOS
UNREGISTERED
Unregistered-CP
Social-iOS
true
AUTH_TYPE
AUTH_MAC
false
ANY
false
ANY
false
LOCATION
FB
false
ANY
false
DEVICETYPE
Android
false
The caveat is: after a new enforce, it overwrites the attribute back to CUSTOM.
I think the EMC should have an option, in the rule creation screen, to select what type of rule you are creating, but it requires an FR and development...
What do you think???
Best regards,
-Leo
