
Connected wireless clients are not shown in NAC's End-Systems

Ilya_Semenov
Contributor
Hello, team,

I have Netsight (7.1.1.9), NAC (7.1.1.9) and V2110 (10.43) installation. Both NAC and V2110 were added to Netsight console using SNMP v3 and they are OK (green).

Now I try to configure wireless users authorization through the NAC.

The problem is that wireless clients are not shown in NAC's End-Systems tab, but they are in the Wireless tab. When they connect to the SSID they get to NAC's portal interface, then they pass authorization with their AD credentials and then NAC freezes with Endless registration. Experienced guys say: bring your clients to NAC's End-Systems tab first. How? They don't appear there.

What most likely could be the problem?

Many thanks in advance,
Ilya

34 REPLIES

Hello,

It may be easier if you contact the GTAC via phone to troubleshoot this, but NAC learns usernames from 802.1x or from a Captive Portal login (and in some cases via Kerberos). If the user in NAC has an Authentication Type of MAC Auth and the user did not login/register via NAC's Captive Portal yet, then there will be no username.

If the user "is" authenticated in NAC (RADIUS) and you see that user in the Report on the wireless controller, be sure the Unregistered Role is assigned. All access to the network and to NAC is then dictated by the Role's policies and the Topology of the VNS etc.

Regards,

Scott Keene
NMS/NAC Support

Hello, Yury,

well, we are almost done. Many thanks to you and Bartek.

I've added V2110 to Switches tab in NAC
Corrected time on V2110 and NAC - now it's the same
Changed V2110 interface to esa0

Now I have clients in NAC's End-Systems!!!! But without UserNames, just IPs, MACs and Device Types

Also, clients are unable to access any resources, even the gateway and NAC's address where the authorization page is located. Maybe I should change something in the roles in V2110?

Now I have:

[image]

...and...

[image]

In Radius Log on NAC I have:

(9362) --- Request VPs ---
(9362) User-Name = "446D572C278E"
(9362) User-Password = ****************
(9362) NAS-IP-Address = 127.0.0.1
(9362) NAS-Port = 101
(9362) NAS-Port-Type = Wireless-Other
(9362) NAS-Identifier = "SupportVO"
(9362) Siemens-AP-Serial = "15141805085D0000"
(9362) Siemens-AP-Name = ****************
(9362) Siemens-VNS-Name = "SupportVO"
(9362) Siemens-SSID = "SupportVO"
(9362) Siemens-BSS-MAC = "D88466272BF8"
(9362) Siemens-Policy-Name = "Non Authenticated"
(9362) Siemens-Topology-Name = "Bridged at AP untagged"
(9362) Calling-Station-Id = "446D572C278E"
(9362) Called-Station-Id = "D88466272BF8"
(9362) Acct-Session-Id = "M1a00fbb90002"
Thu May 24 15:07:13 2018 : Debug: (9362) [etsnac connection_mgr] Using authentication server connection ID: 31.
Thu May 24 15:07:13 2018 : Info: (9362) [etsnac connection_mgr] AAA Response [ID: 9362, Command: Replace Response Attributes(0x27)]
(9362) Filter-Id := "Enterasys:version=1:policy=Unregistered"
(9362) Login-LAT-Port := "0"
Thu May 24 15:07:13 2018 : Debug: (9362) [etsnac connection_mgr] Releasing authentication server connection ID: 31.
Thu May 24 15:07:13 2018 : Debug: (9362) [etsnac] The AAA server says to replace the response attributes.
Thu May 24 15:07:13 2018 : Debug: (9362) modsingle[post-auth]: returned from etsnac (rlm_etsnac) for request 9362
Thu May 24 15:07:13 2018 : Debug: (9362) [etsnac] = updated
Thu May 24 15:07:13 2018 : Debug: (9362) } # post-auth = updated
Thu May 24 15:07:13 2018 : Debug: (9362) Sent Access-Accept Id 183 from 192.168.1.200:1812 to 192.168.1.111:40884 length 0
Thu May 24 15:07:13 2018 : Debug: (9362) Filter-Id := "Enterasys:version=1:policy=Unregistered"
Thu May 24 15:07:13 2018 : Debug: (9362) Login-LAT-Port := "0"
Thu May 24 15:07:13 2018 : Debug: (9362) Finished request
Thu May 24 15:07:13 2018 : Debug: Thread 2 waiting to be assigned a request
Thu May 24 15:07:14 2018 : Debug: (9357) Cleaning up request packet ID 178 with timestamp +60856
Thu May 24 15:07:14 2018 : Debug: Waking up in 0.8 seconds.
Thu May 24 15:07:14 2018 : Debug: Waking up in 0.2 seconds.
Thu May 24 15:07:14 2018 : Debug: Thread 4 got semaphore
Thu May 24 15:07:14 2018 : Debug: Thread 4 handling request 9363, (1873 handled so far)
Thu May 24 15:07:14 2018 : Debug: (9363) Received Access-Request Id 184 from 192.168.1.111:60091 to 192.168.1.200:1812 length 281
Thu May 24 15:07:14 2018 : Debug: (9363) User-Name = "446D572C278E"
Thu May 24 15:07:14 2018 : Debug: (9363) User-Password = "\366\362\245\000\224\ts\247\024\341u@\240\330u\222"
Thu May 24 15:07:14 2018 : Debug: (9363) NAS-IP-Address = 127.0.0.1
Thu May 24 15:07:14 2018 : Debug: (9363) NAS-Port = 101
Thu May 24 15:07:14 2018 : Debug: (9363) NAS-Port-Type = Wireless-Other
Thu May 24 15:07:14 2018 : Debug: (9363) NAS-Identifier = "SupportVO"
Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-AP-Serial = "15141316085D0000"
Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-AP-Name = "15141316085D0000"
Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-VNS-Name = "SupportVO"
Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-SSID = "SupportVO"
Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-BSS-MAC = "D88466270D68"
Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-Policy-Name = "Non Authenticated"
Thu May 24 15:07:14 2018 : Debug: (9363) Siemens-Topology-Name = "Bridged at AP untagged"
Thu May 24 15:07:14 2018 : Debug: (9363) Calling-Station-Id = "446D572C278E"
Thu May 24 15:07:14 2018 : Debug: (9363) Called-Station-Id = "D88466270D68"
Thu May 24 15:07:14 2018 : Debug: (9363) Acct-Session-Id = "M1a00fc190002"
Thu May 24 15:07:14 2018 : Debug: (9363) session-state: No State attribute
Thu May 24 15:07:14 2018 : Debug: (9363) # Executing section authorize from file /opt/nac/radius/raddb/sites-enabled/nac-server
Thu May 24 15:07:14 2018 : Debug: (9363) authorize {
Thu May 24 15:07:14 2018 : Debug: (9363) update control {
Thu May 24 15:07:14 2018 : Debug: (9363) EXPAND %{Calling-Station-Id}
Thu May 24 15:07:14 2018 : Debug: (9363) --> 446D572C278E
Thu May 24 15:07:14 2018 : Debug: (9363) Load-Balance-Key = 446D572C278E
Thu May 24 15:07:14 2018 : Debug: (9363) } # update control = noop
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: calling etsnac (rlm_etsnac) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] *NOT* Continuing proxied conversation, skipping...
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Generated MAC 446d572c278e from Calling-Station-Id: 446D572C278E
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found username from: User-Name: 446D572C278E
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found User-Password attribute: 2, setting auth type to: PAP
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found switch ip from: NAS-IP-Address: 127.0.0.1
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Unable to fine existing NAC request manager instance.
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Making a new request to the AAA server for request ID: 9363
Thu May 24 15:07:14 2018 : Info: (9363) [etsnac connection_mgr] AAA Request [ID: 9363, Source IP: 192.168.1.111, Command: Authenticate & Authorize Request(0x02)]
(9363) --- Request VPs ---
(9363) User-Name = "446D572C278E"
(9363) User-Password = ****************
(9363) NAS-IP-Address = 127.0.0.1
(9363) NAS-Port = 101
(9363) NAS-Port-Type = Wireless-Other
(9363) NAS-Identifier = "SupportVO"
(9363) Siemens-AP-Serial = "15141316085D0000"
(9363) Siemens-AP-Name = ****************
(9363) Siemens-VNS-Name = "SupportVO"
(9363) Siemens-SSID = "SupportVO"
(9363) Siemens-BSS-MAC = "D88466270D68"
(9363) Siemens-Policy-Name = "Non Authenticated"
(9363) Siemens-Topology-Name = "Bridged at AP untagged"
(9363) Calling-Station-Id = "446D572C278E"
(9363) Called-Station-Id = "D88466270D68"
(9363) Acct-Session-Id = "M1a00fc190002"
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac connection_mgr] Using authentication server connection ID: 31.
Thu May 24 15:07:14 2018 : Info: (9363) [etsnac connection_mgr] AAA Response [ID: 9363, Command: Accept User(0x22)]
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac connection_mgr] Releasing authentication server connection ID: 31.
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Unable to fine existing NAC request manager instance.
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] The AAA server says to accept the request.
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: returned from etsnac (rlm_etsnac) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] = ok
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: calling chap (rlm_chap) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: returned from chap (rlm_chap) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) [chap] = noop
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: calling mschap (rlm_mschap) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: returned from mschap (rlm_mschap) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) [mschap] = noop
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: calling eap (rlm_eap) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) eap: No EAP-Message, not doing EAP
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: returned from eap (rlm_eap) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) [eap] = noop
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: calling pap (rlm_pap) for request 9363
Thu May 24 15:07:14 2018 : WARNING: (9363) pap: Auth-Type already set. Not setting to PAP
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[authorize]: returned from pap (rlm_pap) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) [pap] = noop
Thu May 24 15:07:14 2018 : Debug: (9363) } # authorize = ok
Thu May 24 15:07:14 2018 : Debug: (9363) Found Auth-Type = Accept
Thu May 24 15:07:14 2018 : Debug: (9363) Auth-Type = Accept, accepting the user
Thu May 24 15:07:14 2018 : Debug: (9363) # Executing section post-auth from file /opt/nac/radius/raddb/sites-enabled/nac-server
Thu May 24 15:07:14 2018 : Debug: (9363) post-auth {
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[post-auth]: calling etsnac (rlm_etsnac) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] Processing Response-Packet-Type Access-Accept(2)
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] Not running EAP-TLS User-Name replacement for non EAP authentication
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Generated MAC 446d572c278e from Calling-Station-Id: 446D572C278E
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found username from: User-Name: 446D572C278E
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found User-Password attribute: 2, setting auth type to: PAP
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac nac_request_mgr] Found switch ip from: NAS-IP-Address: 127.0.0.1
Thu May 24 15:07:14 2018 : Info: (9363) [etsnac connection_mgr] AAA Request [ID: 9363, Source IP: 192.168.1.111, Command: Post Authorize Request(0x03)]
(9363) --- Request VPs ---
(9363) User-Name = "446D572C278E"
(9363) User-Password = ****************
(9363) NAS-IP-Address = 127.0.0.1
(9363) NAS-Port = 101
(9363) NAS-Port-Type = Wireless-Other
(9363) NAS-Identifier = "SupportVO"
(9363) Siemens-AP-Serial = "15141316085D0000"
(9363) Siemens-AP-Name = ****************
(9363) Siemens-VNS-Name = "SupportVO"
(9363) Siemens-SSID = "SupportVO"
(9363) Siemens-BSS-MAC = "D88466270D68"
(9363) Siemens-Policy-Name = "Non Authenticated"
(9363) Siemens-Topology-Name = "Bridged at AP untagged"
(9363) Calling-Station-Id = "446D572C278E"
(9363) Called-Station-Id = "D88466270D68"
(9363) Acct-Session-Id = "M1a00fc190002"
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac connection_mgr] Using authentication server connection ID: 31.
Thu May 24 15:07:14 2018 : Info: (9363) [etsnac connection_mgr] AAA Response [ID: 9363, Command: Replace Response Attributes(0x27)]
(9363) Filter-Id := "Enterasys:version=1:policy=Unregistered"
(9363) Login-LAT-Port := "0"
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac connection_mgr] Releasing authentication server connection ID: 31.
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] The AAA server says to replace the response attributes.
Thu May 24 15:07:14 2018 : Debug: (9363) modsingle[post-auth]: returned from etsnac (rlm_etsnac) for request 9363
Thu May 24 15:07:14 2018 : Debug: (9363) [etsnac] = updated
Thu May 24 15:07:14 2018 : Debug: (9363) } # post-auth = updated
Thu May 24 15:07:14 2018 : Debug: (9363) Sent Access-Accept Id 184 from 192.168.1.200:1812 to 192.168.1.111:60091 length 0
Thu May 24 15:07:14 2018 : Debug: (9363) Filter-Id := "Enterasys:version=1:policy=Unregistered"
Thu May 24 15:07:14 2018 : Debug: (9363) Login-LAT-Port := "0"
Thu May 24 15:07:14 2018 : Debug: (9363) Finished request
Thu May 24 15:07:14 2018 : Debug: Thread 4 waiting to be assigned a request
Thu May 24 15:07:15 2018 : Debug: (9358) Cleaning up request packet ID 179 with timestamp +60857

Btw, did you add .1.111 as a switch on NAC? For some reason your NAC complains that it does not recognize this IP address. That should be your NAS.

Correct. If you have an Admin port and are using it somehow, make sure you route your RADIUS packets correctly. The easiest way is just to stop using the admin port at all - just put back the default IP on the admin port, and manage your appliance from the data port. Otherwise you need to fix the routing table on the controller.

You are right, 192.168.1.111 is the esa0 port. I want EWC and NAC interacting exactly from this port. The Admin port should not be used. Is it possible?
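
A way to pull the two conditions discussed in this thread out of a RADIUS debug log (a NAS-IP-Address that differs from the packet's source address, and a User-Name that is only the client MAC), as an added example that is not part of the thread and not vendor tooling. It assumes debug lines in the shape quoted above; the function names are hypothetical, and treating a loopback or mismatched NAS-IP-Address as worth flagging is an assumption drawn from the log's "Found switch ip from: NAS-IP-Address: 127.0.0.1" line.

```python
import ipaddress
import re

# Constructed sample: request 9363 reuses values from the thread's log;
# request 9400 is invented to show a request that raises no flags.
P = "Thu May 24 15:07:14 2018 : Debug: "
SAMPLE_LOG = "\n".join(P + s for s in [
    "(9363) Received Access-Request Id 184 from 192.168.1.111:60091 to 192.168.1.200:1812 length 281",
    '(9363) User-Name = "446D572C278E"',
    "(9363) NAS-IP-Address = 127.0.0.1",
    '(9363) Calling-Station-Id = "446D572C278E"',
    '(9363) Filter-Id := "Enterasys:version=1:policy=Unregistered"',
    "(9400) Received Access-Request Id 185 from 192.168.1.111:60092 to 192.168.1.200:1812 length 281",
    '(9400) User-Name = "jdoe"',
    "(9400) NAS-IP-Address = 192.168.1.111",
    '(9400) Calling-Station-Id = "AABBCCDDEEFF"',
    '(9400) Filter-Id := "Enterasys:version=1:policy=Enterprise User"',
])

REQ = re.compile(r"\((\d+)\)[ \t]+(.*)$", re.M)   # "(request id) rest of line"
RECEIVED = re.compile(r"Received Access-Request Id \d+ from ([\d.]+):\d+")
ATTR = re.compile(r'^([\w-]+)\s*:?=\s*"?([^"]*)"?$')  # Name = value / Name := "value"
WANTED = {"User-Name", "NAS-IP-Address", "Calling-Station-Id", "Filter-Id"}

def summarize(log):
    # Group the packet source address and the attributes of interest by request ID.
    reqs = {}
    for m in REQ.finditer(log):
        r, rest = reqs.setdefault(m.group(1), {}), m.group(2).strip()
        if rx := RECEIVED.search(rest):
            r["source"] = rx.group(1)
        elif (a := ATTR.match(rest)) and a.group(1) in WANTED:
            r.setdefault(a.group(1), a.group(2))  # first occurrence wins
    return reqs

def findings(reqs):
    # Return (request id, kind, detail) tuples for each condition that applies.
    out = []
    for rid, r in sorted(reqs.items()):
        nas, src = r.get("NAS-IP-Address"), r.get("source")
        if nas and src and (nas != src or ipaddress.ip_address(nas).is_loopback):
            out.append((rid, "nas-ip-mismatch", f"NAS-IP-Address {nas}, source {src}"))
        if r.get("User-Name") and r["User-Name"] == r.get("Calling-Station-Id"):
            out.append((rid, "mac-auth-only", "User-Name is the client MAC"))
        policy = r.get("Filter-Id", "").partition("policy=")[2]
        if policy:
            out.append((rid, "policy", policy))  # policy named in the reply's Filter-Id
    return out
```
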