This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

NAC AAA rule assentment .

NAC AAA rule assentment .

Frank11
New Contributor

‎05-31-2016 02:17 AM

NAC 6.3.0.168, Wireless V2110 9.21.09.0004
I have a strange issue with devices not using the right AAA rule in the NAC even though when checking the device via the NAC evaluation tool tells me it should be using the right rule.

The NAC is setup for proxy Radius to a windows NPS server. When I run the NAC evaluation tool I get the correct information below with the correct rule "BYOD-test" passed.

f9b222598dd94c1bb00290714c7aaa31_RackMultipart20160531-125329-2alla9-BYOD-Rule_inline.jpg


BUT looking at the NAC end-systems data for that device it goes to the end "catch-all" rule, not the rule the evaluation tool displays.

f9b222598dd94c1bb00290714c7aaa31_RackMultipart20160531-79076-nrg4wl-BYOD-Rule1_inline.jpg



Any idea's where to look or are there other tools I can use for testing?
0 Kudos
7 REPLIES 7

Frank11
New Contributor

‎06-01-2016 03:05 AM

Just a update. Problem found and fixed.

Like to thank everyone for showing me the way to looking at the extended logs. I did not know they existed. From the logs I found the BYOD rule was skipped by the NAC when it was processing the rule order. From this I assumed I did run "Enforce all" on the NAC when I first created the rule but it seems I did not. Enforced the rule and now working as intended.
0 Kudos

TylerMarcotte
Extreme Employee

‎05-31-2016 10:38 AM

If you show the End System Group that you're keying off of and the User Group that would help with troubleshooting. Otherwise, like Zdenek said, you can get seem more diagnostics from the NAC appliance itself.
0 Kudos

Jeremy_Gibbs
Contributor

‎05-31-2016 03:40 AM

Yes, you need more logging. What is NAC seeing in the RADIUS packet? Is it sending all the info you expect? What does it look like from a NAC perspective (if you search for the end system and view its "status" ?
0 Kudos

Zdeněk_Pala
Extreme Employee

‎05-31-2016 03:28 AM

Https:/:nac-gw:8444 there you should have diagnostics tools and log. The username and password is configured in your nacmanager
Regards Zdeněk Pala
0 Kudos
GTM-P2G8KFN