NAC RADIUS attributes for C35 controller running 10.01.04.0011

Scott_Van_Arts1
New Contributor II
We are in the process of migrating from WC4110 controllers to C35 controllers. We use NAC to authenticate the users against AD. This works perfectly on the older controllers. However, it is not working so well on the new controllers. Apparently there is a minor change needed to get the authentication working correctly.

For the WC4110, we have them set up in a NAC appliance group:

Switch type: Layer 2 O-O-B
Primary gateway:
Secondary gateway: none
Auth Access Type: Network Access
Gateway RADIUS Attributes to Send: Extreme IdentiFi Wireless

[Screenshot: nac-radius]

The rule is set as follows:
Authentication method: 802.1x
User group: LDAP-USERS
End-system group: Any
Device Type Group: Any
Location group: ENTERPRISE (this is the name of the VNS on the controller)
Time group: Any
Profile: ENTERPRISE_BYOD
Portal: Default

[Screenshot: nac-rule]

This works perfectly with our old controller. The users authenticate via 802.1x, LDAP lookup works, they come back and hit the right rule on the NAC and the correct role is returned to the controller.

However, with this same setup in the NAC for the C35, it does not correctly identify the location group and the rule fails, thus returning the default profile rather than ENTERPRISE_BYOD which is what we want.

I believe this is related to how the C35 switch entry is defined on the NAC. I believe the C35 must need a different setup for the Auth Access Type and Gateway RADIUS Attributes to Send fields than how it is defined for the WC4110.

I realize that's somewhat confusing so if you need more info please ask.
14 REPLIES

Ronald_Dvorak
Honored Contributor
Give me a sec I think I know what is going wrong - need to fire up my controller.

Scott_Van_Arts1
New Contributor II
The config evaluation tool kind of tells me what I was already starting to think. That the data being passed back from the new controller isn't the same as what's being passed back from the old controller.

Here is where the NAC says I am failing the rule:

PASSED: The Device Type of: MAC Address: AC:37:43:4A:B2:79, IP Address: 10.147.16.52, Host Name: android-ef3622142e1ba508 passes the any criteria evaluation.

PASSED: The User: svanarts has LDAP attributes that match the ones defined in LDAP User Group: SJGH-LDAP-USERS.

FAILED: The Switch IP of: 10.140.20.14, Port: SJGH-ENTERPRISE, SSID: null, AP Name: null, AP MAC: null, AP Serial: null and AP Zone or Group: null and AP Location: null did not match this inclusive criteria.

Compare that with the old controller where I am passing the rule:

PASSED: The User: svanarts has LDAP attributes that match the ones defined in LDAP User Group: SJGH-LDAP-USERS.

PASSED: The Switch IP of 10.140.20.10, SSID: SJGH, AP Name: AP-272 MedStaff-Copy-Room-113, AP MAC: 20-B3-99-B6-7F-29, AP Serial: 13411855595D0000 and AP Zone or Group: null and AP Location: null did match this inclusive criteria.

PASSED: The Time of: Monday, October 31, 2016 8:55:47 AM PDT passes the any criteria evaluation.
PASSED: The Operating System Name of: passes the any criteria evaluation.

So on the new controller I am not seeing the SSID or AP Name being passed back from the controller to the NAC.

Bill_Handler
Contributor II
Scott,

Can you double-check the RADIUS setup on your C35 and post a screenshot? There was a bug in v10 of the wireless firmware so when adding a controller, the RADIUS server info was corrupted. Just want to make sure that did not bite you.

Sure, here you go. RADIUS from the old controller:

[Screenshot: radius-old]

And RADIUS from the new controller:

[Screenshot: Radius-new]

Ronald_Dvorak
Honored Contributor
Could you please post a screenshot of the location group settings.