Load Balancing 802.1x RADIUS traffic to NAC.

Mark_Lamond
New Contributor III
Hi there,

I'm having some issues using LSNAT load balancing with 802.1x RADIUS requests on the S Series or N Series to some NAC appliances at the back end.

With my client switch configured to send RADIUS requests to the VIP address on the S Series, 802.1x auth fails, but MAC auth is fine. The LSNAT load balancing is configured with four NAC appliances as real servers, though only one is "in service" to aid troubleshooting at the moment.

The VIP addresses of the load balancers are configured as load balancers in NAC Manager.

With my client switch configured to send RADIUS requests directly to the real IP address of the single NAC appliance the load balancer was configured to use, 802.1x and MAC auth are successful.

I've tried this using B series and D series as client switches, and tried the same LSNAT configuration on the S Series and N Series with identical results. When using the VIP address, 802.1x fails but MAC auth is fine.

NAC Manager shows the following error message when 802.1x auth fails:
“Authentication request became stale, challenge sent, no response received from client (switch 192.168.132.115/end-system).”

Wireshark proves no packets are being dropped between NAC and switch. The final challenge (before the failure) that is sent out by NAC reaches the uplink port on the switch.

It appears that the EAP-TLS communication between client PC and NAC is breaking down somehow.

Has anyone seen similar issues?

Thanks,
Mark.

Jeremy_Gibbs
Contributor
!
configure terminal
!
ip slb real-server access unrestricted
!
ip slb serverfarm DNS
  real 10.3.10.10 port 53
    faildetect probe one ping
    inservice
    exit
  real 10.3.10.11 port 53
    faildetect probe one ping
    inservice
    exit
  exit
ip slb serverfarm NAC_Pool
  real 10.3.10.147 port 1812
    faildetect probe one check_nac
    inservice
    exit
  real 10.3.10.147 port 1813
    faildetect probe one check_nac
    inservice
    exit
  real 10.3.10.148 port 1812
    faildetect probe one check_nac
    inservice
    exit
  real 10.3.10.148 port 1813
    faildetect probe one check_nac
    inservice
    exit
  exit
ip slb serverfarm WindowsAuth
  real 10.3.10.10 port 636
    faildetect probe one ping
    inservice
    exit
  real 10.3.10.11 port 636
    faildetect probe one ping
    inservice
    exit
  real 10.3.10.12 port 636
    faildetect probe one ping
    inservice
    exit
  exit
!
ip slb vserver vDNS
  virtual 192.168.20.20 udp 53
  serverfarm DNS
  udp-one-shot
  inservice
  exit
ip slb vserver NAC_vIP
  virtual 192.168.20.10 udp 1812
  sticky timeout 30
  serverfarm NAC_Pool
  udp-one-shot
  inservice
  exit
ip slb vserver WindowsAuthVIP
  virtual 192.168.20.30 tcp 636
  sticky type sip
  serverfarm WindowsAuth
  udp-one-shot
  inservice
  exit
ip slb vserver WindowsAuthVPI
  exit
!
exit
!
end

You can ignore the WindowsAuth and DNS stuff..
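An added illustration, not code from this thread or from the NAC or switch products discussed: a small Python model of a switch (NAS) authenticating through a per-datagram UDP load balancer. It shows why a one-round MAC authentication succeeds while a multi-round EAP-TLS conversation fails as "stale" when successive Access-Requests land on different real servers. The mechanism it relies on is real: a RADIUS server returns a State attribute in each Access-Challenge, the NAS must echo it unmodified in its next Access-Request (RFC 2865 section 5.24), and only the server that issued that State can continue the EAP conversation. The server names, the balancer's round-robin and source-address pinning, the request counts and the "dropped on unknown State" behaviour are constructed assumptions for the model, not a description of what the `udp-one-shot` or `sticky` keywords in the configuration above do; the NAS address is the switch address quoted in the original post's error message. The one-server scenario is included because it still succeeds, so server selection alone does not explain a failure seen with a single real server in service.

```python
"""Model: a multi-round 802.1X/EAP exchange needs every Access-Request of one
conversation to reach the same RADIUS server; single-round MAC auth does not.

Constructed example. Server names, balancer behaviour and request counts are
assumptions; 192.168.132.115 is the switch address from the thread's error text.
"""

import itertools
import secrets
from dataclasses import dataclass, field

ACCESS_REQUEST = "Access-Request"
ACCESS_CHALLENGE = "Access-Challenge"
ACCESS_ACCEPT = "Access-Accept"


@dataclass
class Packet:
    code: str
    nas_ip: str                      # source address of the request (the client switch)
    attrs: dict = field(default_factory=dict)


class RadiusServer:
    """Toy RADIUS/EAP server. EAP conversation state lives only in this
    server's memory, keyed by the State value it issued (RFC 2865 s5.24)."""

    def __init__(self, name, eap_requests=4):
        self.name = name
        self.eap_requests = eap_requests   # Access-Requests per EAP-TLS auth (assumed)
        self.sessions = {}                 # State -> challenges still to send

    def handle(self, pkt):
        if pkt.code != ACCESS_REQUEST:
            return None
        if "EAP-Message" not in pkt.attrs:
            # MAC authentication: one request, one reply, no server-side state.
            return Packet(ACCESS_ACCEPT, pkt.nas_ip)
        state = pkt.attrs.get("State")
        if state is None:
            # First request of a new EAP conversation: allocate a fresh State.
            state = secrets.token_hex(8)
            self.sessions[state] = self.eap_requests - 1
        elif state not in self.sessions:
            # State issued by another server: this one cannot continue the
            # conversation. Modelled here as a silently dropped request.
            return None
        remaining = self.sessions[state]
        if remaining == 0:
            del self.sessions[state]
            return Packet(ACCESS_ACCEPT, pkt.nas_ip)
        self.sessions[state] = remaining - 1
        return Packet(ACCESS_CHALLENGE, pkt.nas_ip, {"State": state})


class LoadBalancer:
    """Per-datagram UDP balancing: every Access-Request is an independent
    transaction. With sticky_by_source=True, all datagrams from one NAS address
    are pinned to the real server chosen for the first one (assumed model)."""

    def __init__(self, servers, sticky_by_source=False):
        self.servers = list(servers)
        self.sticky_by_source = sticky_by_source
        self._rr = itertools.cycle(self.servers)
        self._pinned = {}                   # nas_ip -> server

    def forward(self, pkt):
        if self.sticky_by_source:
            server = self._pinned.setdefault(pkt.nas_ip, next(self._rr))
        else:
            server = next(self._rr)
        return server.handle(pkt)


def mac_auth(lb, nas_ip):
    """MAC authentication: a single Access-Request carrying the MAC as User-Name."""
    reply = lb.forward(Packet(ACCESS_REQUEST, nas_ip, {"User-Name": "00-11-22-33-44-55"}))
    return reply is not None and reply.code == ACCESS_ACCEPT


def dot1x_auth(lb, nas_ip, max_requests=10):
    """802.1X: repeat Access-Request/Access-Challenge until Accept or no reply."""
    attrs = {"User-Name": "host/pc1", "EAP-Message": "EAP-Response/Identity"}
    for _ in range(max_requests):
        reply = lb.forward(Packet(ACCESS_REQUEST, nas_ip, dict(attrs)))
        if reply is None:
            return "stale"          # NAS times out waiting for a reply to its response
        if reply.code == ACCESS_ACCEPT:
            return "accept"
        # Access-Challenge: echo State unmodified and send the next EAP response.
        attrs["State"] = reply.attrs["State"]
        attrs["EAP-Message"] = "EAP-Response/TLS"
    return "too-many-requests"


def run_scenarios(nas_ip="192.168.132.115"):
    """Run MAC auth and 802.1X through three constructed balancer setups."""
    results = {}
    for label, sticky, count in (
        ("two-servers-per-packet", False, 2),
        ("two-servers-sticky", True, 2),
        ("one-server-in-service", False, 1),
    ):
        lb = LoadBalancer([RadiusServer(f"nac{i}") for i in range(count)], sticky)
        results[label] = {"mac": mac_auth(lb, nas_ip), "dot1x": dot1x_auth(lb, nas_ip)}
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        mac = "ok" if outcome["mac"] else "fail"
        print(f"{label:24s} MAC auth={mac}  802.1X={outcome['dot1x']}")
```

Running it prints the three outcomes: MAC auth succeeds everywhere, 802.1X fails only in the per-packet two-server case. The equivalent check on a real capture is to confirm that the State value in each Access-Request matches the State of the immediately preceding Access-Challenge and that both packets were exchanged with the same real server address.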

Joseph_Burnswor
New Contributor III
Can you display your LSNAT config?

Jeremy_Gibbs
Contributor
6.3.0.174 (NAC)... Client is latest version of Mac OS X..

When I move the switch back to the NAC group not using LSNAT, 802.1x auth works fine.

Joseph_Burnswor
New Contributor III
What version of NAC are you running? Also, what version of OS is on the client?

Jeremy_Gibbs
Contributor
I see the same issue. Anyone?