Port-based Web Guest Access in ExtremeControl

gerivives
New Contributor II

Hello,

I am trying to configure Web Guest Access by leveraging ExtremeControl--for a set of ports in a specific switch. However, I believe I do not have a clear picture of how it should be working.

The Unregistered role is contained to VLAN 2011, while Guest Access to VLAN 2010. I understand the users will connect and be assigned to VLAN 2011 and once authenticated (or when they have accepted the use policy) they will be placed on VLAN 2010. I have already configured the portal itself to allow for Web Guest Access. 

[Screenshot attached: Captura de pantalla 2024-09-10 104606.png]

If I am not mistaken, the next step would consist of enabling Web-based authentication on the corresponding ports of the switch (and on the device itself) by going to Control -> Policy -> Devices/Port Groups -> right click on the switch -> Authentication. When I try to enable Web-based auth and save the configuration, the changes do not take effect (the previous configuration remains). As you can see in the image below, I am enabling 802.1X and Web-based authentication for the switch.

[Screenshot attached: Captura de pantalla 2024-09-10 105046.png]

In the Web authentication settings tab, is any configuration necessary? I am not sure I understand the purpose of that tab. Apart from the portal configuration and these device authentication steps, is there any other requirement? I do not see how a device will connect to a switch and be assigned to the Unregistered VLAN to access the captive portal if 802.1X is enabled simultaneously on the port, etc.

The product guide has not been very useful in figuring out this behaviour. Any help would be greatly appreciated.

Thanks,


Bartek
New Contributor III

Hi,

EAC uses only MAC authentication from the switch side (Web-based auth in the switch is not required). You just need to set the default action of the "Unregistered" role in Policy Manager to "URL Redirection" (works for EXOS/Switch Engine and on-prem XIQ Controllers) and enable minimum access privileges for the user (only ARP + DHCP Client + DNS + HTTP/HTTPS to the EAC engines).

Changing the IP address for wired users is quite tricky and, from my experience, very inconvenient. It is better, IMO, to use the same VLAN and address space for Unregistered and Guest Access and to use Policy rules to set up the correct network access control.

If you need any assistance or you find some other problems send me a PM
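The reply above describes the minimum the Unregistered role has to permit for a captive-portal redirect to function: ARP, the DHCP client exchange, DNS, and HTTP/HTTPS to the EAC engines, with URL redirection as the default action for everything else. The following is an added example, not code from the thread or from Extreme's products: a toy evaluator that applies exactly that rule set to constructed packets, so you can see which flows pass, which get redirected, and which are dropped. The EAC engine address, the packet fields and the rule ordering are assumptions made for illustration; the real Policy Manager rule syntax is not reproduced here.

```python
"""Toy evaluator for the 'Unregistered' role described in the thread.

Added example: not the thread's or Extreme's code. The EAC engine address,
the Packet shape and the rule order are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

# Assumption: address(es) of the ExtremeControl engine(s) hosting the portal.
EAC_ENGINES = {ip_address("10.2.10.5")}


@dataclass(frozen=True)
class Packet:
    ethertype: str      # "arp" or "ip"
    proto: str = ""     # "udp" or "tcp" for IP packets
    src_port: int = 0
    dst_port: int = 0
    dst_ip: str = ""


def unregistered_role(pkt: Packet) -> str:
    """Return 'permit', 'redirect' or 'deny' for traffic from an unregistered client.

    Rule order mirrors the reply: explicit permits first, URL redirection as the
    default action for web traffic, everything else dropped.
    """
    if pkt.ethertype == "arp":
        return "permit"                       # ARP: the client must resolve its gateway
    if pkt.ethertype != "ip":
        return "deny"                         # no other L2 protocols for unregistered hosts

    dst = ip_address(pkt.dst_ip) if pkt.dst_ip else None

    # DHCP client: UDP sport 68 -> dport 67 (server replies are from the infrastructure side)
    if pkt.proto == "udp" and pkt.src_port == 68 and pkt.dst_port == 67:
        return "permit"
    # DNS: needed so the browser can resolve the name it is then redirected away from
    if pkt.proto in ("udp", "tcp") and pkt.dst_port == 53:
        return "permit"
    # HTTP/HTTPS to the EAC engines themselves: the portal pages and the registration POST
    if pkt.proto == "tcp" and pkt.dst_port in (80, 443) and dst in EAC_ENGINES:
        return "permit"
    # Default action for remaining web traffic: URL redirection to the portal.
    # Caveat: redirecting 443 produces a certificate warning on the client unless the
    # engine holds a certificate for the requested name; many deployments redirect 80 only.
    if pkt.proto == "tcp" and pkt.dst_port in (80, 443):
        return "redirect"
    return "deny"


def summarize(packets) -> Counter:
    """Count verdicts over a set of packets (handy for checking a rule set before deploying it)."""
    return Counter(unregistered_role(p) for p in packets)


# Constructed sample traffic from a freshly connected, unregistered client.
SAMPLE_PACKETS = [
    Packet("arp"),
    Packet("ip", "udp", 68, 67, "255.255.255.255"),   # DHCP Discover
    Packet("ip", "udp", 5353, 53, "10.2.10.1"),       # DNS query to the gateway (assumed resolver)
    Packet("ip", "tcp", 40000, 80, "93.184.216.34"),  # first browser request -> redirected
    Packet("ip", "tcp", 40001, 443, "10.2.10.5"),     # portal itself -> permitted
    Packet("ip", "tcp", 40002, 22, "10.2.5.1"),       # SSH to the management VLAN -> dropped
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p} -> {unregistered_role(p)}")
    print(summarize(SAMPLE_PACKETS))
```

The point of running such a check is least privilege: an unregistered host should reach nothing beyond what the portal flow needs, and in particular nothing in the management or enterprise address space, even though it shares a VLAN with registered guests.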

gerivives
New Contributor II

Bartek,

Thanks for your reply. I have followed the steps you mentioned and I am getting to the end. I have set both the Unregistered and Guest Access roles to be contained to the same VLAN, where there is a Fortigate acting as DHCP server. I have configured both 802.1X and MAC Authentication for guest and enterprise access, respectively.

The VLAN for guests and unregistered users has the VID 2010 and maps to the subnet 10.2.10.0/24. If I go to the authenticated users for a switch I can see the following information:

  • Status active
  • MAC authentication
  • Unregistered role
  • Default VID: Contain to VLAN 2010
  • Authentication Successful

There is however one thing which does not sound right. The IP address, referring to the user, is 10.2.5.14, which does not correspond to the subnet for VLAN 2010. In fact, if I go to the PC, the IP assigned by the DHCP server is 10.2.10.10. The IP range 10.2.5.0/24 is used for VLAN 2005, which is the one used to remotely access the switch (management) as well as for enterprise access (802.1X). I cannot find what may be the problem, since the policy for that user is correct and the role has the appropriate VLAN mapped too.

URL redirection has also been configured in the switch. However, the user is not being redirected, and even when manually going to the page, the request guest access option is not working (it stays loading for a long time and then shows an error message). I firmly believe this may be due to the fact that the IP for the user in the NAC does not match the user's.

Thanks,


Bartek
New Contributor III

Hi,

It looks like you have this VLAN 2005 configured statically on this port. To confirm, show me the result of the command:

show vlan ports <YOUR_PORT>

If you find this VLAN in the port settings then just remove it. It's common practice to statically configure a quarantine VLAN on ports with MAC authentication enabled.

gerivives
New Contributor II

Bartek,

Unfortunately, this is not the case. When the PC authenticates, it is assigned to VLAN_Guest (2010) with an IP address from that pool and the port configured as untagged, which is the expected behavior. No other VLANs are configured on the port.

The Unregistered role is configured to be contained to VLAN_Guest (2010) not VLAN_Enterprise (2005). As I said, the IP that is showing up in the User sessions tab corresponds to VLAN_Enterprise not VLAN_Guest. Previously, the port was used with that same PC with 802.1X auth and the IP it had was the one that is showing up now. I have tried terminating all sessions but the result has been the same.

If using another port--one that has never been used--the result is different. The user session shows up with the same properties as before but no IP address is shown, despite the device receiving one. The portal states that MAC to IP address resolution failed using SNMP, NetBIOS and DHCP. The behavior when it comes to registering is still the same: the portal stays loading until the "There was a problem connecting to the network" error shows up. The role of the user does not change in Site Engine and the session remains up.

When it comes to the portal the config is extremely simple:

  • For Guest settings, Web Guest Access has been configured.
  • The Guest web access config tab is configured to NOT use any authentication method such as Facebook or Google.

I have checked the logs in the switch but found nothing relevant.

Gerard
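The two symptoms in this post (a reused port whose session shows an address from the enterprise subnet, and a fresh port where MAC-to-IP resolution fails outright) both come down to which MAC-to-IP candidate the NAC trusts. As an added example, not the thread's or Extreme's code, here is a small resolver that takes the kind of candidates a NAC collects (SNMP ARP/forwarding tables, DHCP leases, NetBIOS) and keeps only the freshest one that actually lies in the subnet of the VLAN the client's role assigns, reporting the rest as rejected. The VLAN and subnet numbers are the ones from the thread; the sources, timestamps and MAC are constructed. The real product's resolution order and data model are not reproduced here.

```python
"""MAC-to-IP resolution sanity check for role-assigned VLANs.

Added example, not from the thread or Extreme's products. VLAN/subnet values
are taken from the thread; candidate sources, timestamps and MACs are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# VLAN -> subnet as described in the thread
VLAN_SUBNETS: Dict[int, IPv4Network] = {
    2005: ip_network("10.2.5.0/24"),   # VLAN_Enterprise (802.1X, switch management)
    2010: ip_network("10.2.10.0/24"),  # VLAN_Guest (Unregistered + Guest Access)
}

# Role -> VLAN the role contains the user to (as configured in the thread)
ROLE_VLAN: Dict[str, int] = {
    "Enterprise": 2005,
    "Unregistered": 2010,
    "Guest Access": 2010,
}


@dataclass(frozen=True)
class Candidate:
    source: str    # "snmp", "dhcp" or "netbios" (assumed labels)
    ip: str
    seen_at: int   # unix timestamp when the mapping was observed


def resolve_ip(role: str, candidates: List[Candidate]) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Pick the IP for a session given the role's VLAN.

    Returns (ip or None, rejected) where rejected lists (ip, reason) for
    candidates outside the role's subnet. A candidate from a *previous* session
    on a different VLAN is exactly what this filter throws away. None means
    resolution failed (no usable candidate), which is the fresh-port symptom.
    """
    subnet = VLAN_SUBNETS[ROLE_VLAN[role]]
    usable, rejected = [], []
    for c in candidates:
        if ip_address(c.ip) in subnet:
            usable.append(c)
        else:
            rejected.append((c.ip, f"{c.source}: {c.ip} not in {subnet} (role {role})"))
    if not usable:
        return None, rejected
    freshest = max(usable, key=lambda c: c.seen_at)
    return freshest.ip, rejected


# Constructed sessions mirroring the post: one reused port, one never-used port.
SAMPLE_SESSIONS = {
    "aa:bb:cc:00:00:01 (reused port)": (
        "Unregistered",
        [
            Candidate("snmp", "10.2.5.14", 1_700_000_000),    # left over from the 802.1X session on VLAN 2005
            Candidate("dhcp", "10.2.10.10", 1_700_003_600),   # current lease on VLAN 2010
        ],
    ),
    "aa:bb:cc:00:00:02 (fresh port)": (
        "Unregistered",
        [],                                                   # nothing learned via SNMP, DHCP or NetBIOS
    ),
}


def check_sessions(sessions=SAMPLE_SESSIONS) -> Dict[str, Optional[str]]:
    """Resolve every session and return mac -> chosen IP (None on failure)."""
    result = {}
    for mac, (role, cands) in sessions.items():
        ip, rejected = resolve_ip(role, cands)
        result[mac] = ip
        status = ip if ip else "RESOLUTION FAILED"
        print(f"{mac}: role={role} ip={status}")
        for bad_ip, why in rejected:
            print(f"    rejected {bad_ip}: {why}")
    return result


if __name__ == "__main__":
    check_sessions()
```

Used as a troubleshooting lens, the first case should resolve to 10.2.10.10 and list 10.2.5.14 as out of subnet for the role; the second returns no address at all, which matches the "MAC to IP address resolution failed" message and points at the collection side (SNMP access to the switch, DHCP relay/snooping visibility) rather than at the policy.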
