Connected wireless clients are not shown in NAC's End-Systems

Ilya_Semenov
Contributor
Hello, team,

I have a Netsight (7.1.1.9), NAC (7.1.1.9) and V2110 (10.43) installation. Both NAC and V2110 were added to the Netsight console using SNMP v3 and they are OK (green).

Now I am trying to configure wireless user authorization through the NAC.

The problem is that wireless clients are not shown in NAC's End-Systems tab, but they are in the Wireless tab. When they connect to the SSID they get to NAC's portal interface, then they pass authorization with their AD credentials and then NAC freezes with Endless registration. Experienced guys say: bring your clients to NAC's End-Systems tab first. How? They don't appear there.

What most likely could be the problem?

Many thanks in advance,
Ilya

34 REPLIES

Ron, I am not following you...

What additional step are you talking about?

University students and staff have to input their credentials manually on the NAC portal by hand, SSO is not needed. They have to see the portal interface and the links on it.

The sense of your rule is not clear to me, I am just making my first steps with NAC.

Thank you...

Nope no joke....

My question is whether this additional step is needed.
I also use NAC to authenticate my internal/staff clients but why via a portal if username/password authentication is built into the client = 802.1X PEAP via NAC/LDAP.

I'd understand if you'd like to authenticate older devices that sometimes don't support PEAP and then choose a portal or for guest portal access but not if the clients support PEAP and they are internal/staff = in the AD.

I.e. my rule....

[Image: NAC_rule_PEAP_inline.png]

Only a user with 802.1X auth, in the AD group WLAN, in the MAC list Ron, on the SSID Secure Access is able to get this Policy/Role and is able to connect.

The use of 802.1X also makes sure that the connection AP<->Client is encrypted.

Could be that I don't understand the design requirement - that was the reason for my question.

Ron, are you kidding?

The main goal is to sell NAC.

Now the customer has a beautiful web page on Fortigate, where users input their AD credentials. It is impossible to create it on V2110. IMPOSSIBLE.

Ostrovsky__Yury
Extreme Employee
The easiest way is to enable diagnostics. Go to the web page of NAC, port 8443. Please check the creds via the old Java app. Then go to diagnostics and enable the things related to RADIUS. Check the output at /var/log/radius/radius.log. I am sure the problem will be obvious from there.

You should be getting email by now. Let me know if not.