This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Wireless Controller integration with NAC

Wireless Controller integration with NAC

Andre_Brits_Kan
Contributor II

‎07-08-2015 07:32 PM

Hi
We are running a C5210 controller with V9.15.07.0008 and NMS V6.2.0.199
We have a IA-A-20 NAC appliance also deployed.
We have 2 different VNS's configured, one for the production environment and one for Public internet access.

The configuration of two VNS's is as follows:
  1. Production VNS
  • Configured to use 802.1x Authentication
  • 802.1x Authentication utilizes a Microsoft NPS server for authentication
  • VNS utilizes a "Bridge @ AP" topology
2. Public Internet VNS
  • Configured to use Mac Authentication
  • MAC Authentication utilizes the NAC Appliance server for authentication
  • VNS utilizes a "Bridge @ EWC
  • DHCP is provided by Service Provider
  • The Public Internet Topology interface is configured with a IP address in the Service provider network
  • NAC integration is enabled with the IP address of the NAC appliance configured.
If we look in NAC Manager and select "All NAC Appliances" we notice that the "End Systems" tab lists all wireless clients, including the Production clients.
If we select the individual NAC appliance it only shows the "End systems" connected to the "Public Internet VNS. We are also missing device type information but the IP's resolve

So now for the questions:

  1. Why do we see the Production clients in NAC Manager as "End systems" even though the Production VNS is not configured to use the NAC at all for authentication?
  2. Does the Production "End systems" count towards my "End system" license?
  3. Oneview reports the total unique users as the total of both the Production and Public Internet "End systems" we would only like to see the "Public internet" End systems.
When we deploy the same solution but on older code versions (C5210 = V9.01.02.0017 and NMS 6.1.0.135) we only see the "End systems" for the "Public Internet" and NAC also reports on the Device types ect.

This question should probably go to GTAC but i thought lets ask the community first.... 😉

2 REPLIES 2

Ryan_Yacobucci
Extreme Employee

‎07-10-2015 10:36 AM

Hello,

This is a new behavior with NetSight 6.2. NetSight NAC Manager will now populate the end systems table with Wireless client events if they are sent to NetSight.

Please check out the following article:

https://gtacknowledge.extremenetworks.com/articles/Solution/Seeing-Non-NAC-End-Systems-in-NAC-Manage...

These End Systems are not authenticated, so they do not count towards your End System License count.

Let me know if you have any additional questions.

Thanks
-Ryan
0 Kudos

Ronald_Dvorak
Honored Contributor

‎07-08-2015 08:20 PM

Hi,

I've run into the same "problem" that I'd see clients from another cloud controller even that one isn't aware of the NAC - so it seems that by integrating the controller into Netsight Console & OneView that NAC will show the clients.

The only thing that I'd contribute to your post is the "device type" issue of your second VNS.
You need to forward the DHCP request also to the NAC.
There are some options - not sure which one is the right one in your deployment.
- if you use routed/bridge@EWC and DHCP relay = add the ISP DHCP and NAC IP
- if bridge@EWC and there is a router in between you'd configure DHCP helper to foward it to the ISP&NAC

-Ron
0 Kudos
GTM-P2G8KFN