We are in the process of migrating from WC4110 controllers to C35 controllers. We use NAC to authenticate the users against AD. This works perfectly on the older controllers. However, not working so well on the new controllers. Apparently there is a minor change needed to get the authentication working correctly.
For the WC4110, we have them set up in a NAC appliance group:
Switch type: Layer 2 O-O-B
Primary gateway:
Secondary gateway: none
Auth Access Type: Network Access
Gateway RADIUS Attributes to Send: Extreme IndentiFi Wireless
The rule is set as follows:
Authentication method: 802.1x
User group: LDAP-USERS
End-system group: Any
Device Type Group: Any
Location group: ENTERPRISE (this is the name of the VNS on the controller)
Time group: Any
Profile: ENTERPRISE_BYOD
Portal: Default
This works perfectly with our old controller. The users authenticate via 802.1x, LDAP lookup works, they come back and hit the right rule on the NAC and the correct role is returned to the controller.
However, with this same setup in the NAC for the C35, it does not correctly identify the location group and the rule fails, thus returning the default profile rather than ENTERPRISE_BYOD which is what we want.
I believe this is related to how the C35 switch entry is defined on the NAC. I believe the C35 must need a different setup for the Auth Access Type and Gateway RADIUS Attributes to Send fields than how it is defined for the WC4110.
I realize that's somewhat confusing so if you need more info please ask.
For the WC4110, we have them set up in a NAC appliance group:
Switch type: Layer 2 O-O-B
Primary gateway:
Secondary gateway: none
Auth Access Type: Network Access
Gateway RADIUS Attributes to Send: Extreme IndentiFi Wireless
The rule is set as follows:
Authentication method: 802.1x
User group: LDAP-USERS
End-system group: Any
Device Type Group: Any
Location group: ENTERPRISE (this is the name of the VNS on the controller)
Time group: Any
Profile: ENTERPRISE_BYOD
Portal: Default
This works perfectly with our old controller. The users authenticate via 802.1x, LDAP lookup works, they come back and hit the right rule on the NAC and the correct role is returned to the controller.
However, with this same setup in the NAC for the C35, it does not correctly identify the location group and the rule fails, thus returning the default profile rather than ENTERPRISE_BYOD which is what we want.
I believe this is related to how the C35 switch entry is defined on the NAC. I believe the C35 must need a different setup for the Auth Access Type and Gateway RADIUS Attributes to Send fields than how it is defined for the WC4110.
I realize that's somewhat confusing so if you need more info please ask.
So here a example if you run the evalution tool (description above) and the rule fails because of a missmatch in the location group = request from the wrong IP.
In the top section you'd see the source information of the request.
Could you check/post that so we'd make sure that the request is coming from .14/.15 with the correct parameters.
In the top section you'd see the source information of the request.
Could you check/post that so we'd make sure that the request is coming from .14/.15 with the correct parameters.
Sure thing. There are 4 switch entries here. My two old controllers .10 and .11, and my new C35's .14 and .15. This rule works as intended with .10 and 11 but does not trigger with .14 and 15 and so the users are authenticated against our default-catchall rule rather than this one as they should be.
Hi Scott,
you'd check why a rule doesn't hit.
Right click on the client and select "configuration evaluation tool" and then in the next window click on "run evalution" - click on the rule for details - could you please post the output so we'd take a look.
-Ron
you'd check why a rule doesn't hit.
Right click on the client and select "configuration evaluation tool" and then in the next window click on "run evalution" - click on the rule for details - could you please post the output so we'd take a look.
-Ron
