This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RADIUS management authentication on XMC / XIQ / Control 21.11.11.37 with ms-chap

RADIUS management authentication on XMC / XIQ / Control 21.11.11.37 with ms-chap

DominicS
New Contributor

‎03-10-2022 06:43 AM

Hi Ryan

 

Thanks a lot for your reply / this information.

 

> Which protocols have you tried at this point?

I tried CHAP and PEAP-msCHAPv2.

 

> If you have NTLM authentication set can you also confirm you have successfully joined the AD and that winbindd is running with correct trust secret?

I did check it now, and there is an error:

 

could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE

could not obtain winbind domain name!

checking the trust secret for domain (null) via RPC calls failed

failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE

Could not check secret

 

Will try to figure this out and fix it.

 

For the moment, thanks for this hint!

 

Best regards

Dominic

 

0 Kudos
2 REPLIES 2

Ryan_Yacobucci
Extreme Employee

‎03-12-2022 01:35 PM

Hello,

I set it up using XCC controller using MS-CHAPV2 authentication: 

31beee3fa08b48d8ad6414d976454b98.png
Make sure your Control AAA configuration has a line to handle either "Management" auth type or "*": 

422f51318ffe4f19af736bded03a183a.png
Then make sure there is a rule that provides the correct authorization string for management access: 

b62a76f8847d44d69f85240d6e4d63ea.png

f9b1732153804b528862f482e2ac9a0c.png

When you set the AAA line up for "LDAP Authentication" NAC should attempt to join the domain controller on enforce, it will also attempt to join on services restart:

You can check the /var/log/tag.log to see if there was a domain join failure or success: 
b8bd942cf4ea4a1a86b7e18a9616cad4.png
If domain join fails, check permissions: 

https://extremeportal.force.com/ExtrArticleDetail?an=000090980


You can check the status of the management login if you go to Alarms/Events  --> Type Access Control/NAC

916e3c61a1974ec69ebc610ff1e5780c.png

Let me know if any of this helps.

Thanks
-Ryan

0 Kudos

DominicS
New Contributor
In response to Ryan_Yacobucci

‎03-30-2022 04:25 AM

Hi Ryan

sorry for letting you wait on this topic, but for the moment: thanks a lot for your detailed help.

I was not yet able to analyze / test it, but wanted to get sure you got the appreciation you deserve 🙂

I will keep the post updated, as soon as I can find the time to test it.

Best regards
Dominic
0 Kudos
GTM-P2G8KFN