We are in the process of migrating from WC4110 controllers to C35 controllers. We use NAC to authenticate the users against AD. This works perfectly on the older controllers. However, not working so well on the new controllers. Apparently there is a minor change needed to get the authentication working correctly.
For the WC4110, we have them set up in a NAC appliance group:
Switch type: Layer 2 O-O-B
Primary gateway:
Secondary gateway: none
Auth Access Type: Network Access
Gateway RADIUS Attributes to Send: Extreme IndentiFi Wireless
The rule is set as follows:
Authentication method: 802.1x
User group: LDAP-USERS
End-system group: Any
Device Type Group: Any
Location group: ENTERPRISE (this is the name of the VNS on the controller)
Time group: Any
Profile: ENTERPRISE_BYOD
Portal: Default
This works perfectly with our old controller. The users authenticate via 802.1x, LDAP lookup works, they come back and hit the right rule on the NAC and the correct role is returned to the controller.
However, with this same setup in the NAC for the C35, it does not correctly identify the location group and the rule fails, thus returning the default profile rather than ENTERPRISE_BYOD which is what we want.
I believe this is related to how the C35 switch entry is defined on the NAC. I believe the C35 must need a different setup for the Auth Access Type and Gateway RADIUS Attributes to Send fields than how it is defined for the WC4110.
I realize that's somewhat confusing so if you need more info please ask.
For the WC4110, we have them set up in a NAC appliance group:
Switch type: Layer 2 O-O-B
Primary gateway:
Secondary gateway: none
Auth Access Type: Network Access
Gateway RADIUS Attributes to Send: Extreme IndentiFi Wireless
The rule is set as follows:
Authentication method: 802.1x
User group: LDAP-USERS
End-system group: Any
Device Type Group: Any
Location group: ENTERPRISE (this is the name of the VNS on the controller)
Time group: Any
Profile: ENTERPRISE_BYOD
Portal: Default
This works perfectly with our old controller. The users authenticate via 802.1x, LDAP lookup works, they come back and hit the right rule on the NAC and the correct role is returned to the controller.
However, with this same setup in the NAC for the C35, it does not correctly identify the location group and the rule fails, thus returning the default profile rather than ENTERPRISE_BYOD which is what we want.
I believe this is related to how the C35 switch entry is defined on the NAC. I believe the C35 must need a different setup for the Auth Access Type and Gateway RADIUS Attributes to Send fields than how it is defined for the WC4110.
I realize that's somewhat confusing so if you need more info please ask.
OK, in the controller on the Wirless Services click on the NAC that you've selected (NAC1 in my case - the field changes to gray) and then you'd click on RADIUS TLVs to configure which additional information the controller should send in the RADIUS request.
Normaly I choose VNS Name, AP Name, SSID but you'd check what is set on the 4110 pair.
Here my example...
Normaly I choose VNS Name, AP Name, SSID but you'd check what is set on the 4110 pair.
Here my example...
