NAC Captive portal loop on deny access. No login fields appear for Authenticated Web Access.

Tomasz_Lubas
New Contributor III

Hello,

I observed very strange behaviour of the captive portal. The client is redirected from EWC via External to the NAC captive portal and, if not present in XMC, then for a short while he can see the login on the captive portal. After a couple of seconds the captive portal shows only Access denied… loop.

The client gets the Unregistered NAC profile with the unregistered policy and this does not change throughout this process. He still sees the captive portal but can't log in to the network. The proper captive portal is shown only once.

Logs from tag.log show accessGranted after UNKNOWN.

I'll be very grateful for any ideas.

 

2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalOsUtils - The user is not in the captive portal (state: ACCEPT, reason: Rule: "tes_wifi_unregistered") - not updating determined OS: "Android 9", OS Type: OS Family: Android for end system MAC: 50-01-D9-F1-58-2E, IP: 10.66.243.43 from userAgent: "Mozilla/5.0 (Linux; Android 9; MHA-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.116 Mobile Safari/537.36 OPR/55.2.2719.50740".
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 InProcessStateAndActionHandler -    Mobile mismatch detected, potential mobile OS: OS Family: Android, webkit: true
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 InProcessStateAndActionHandler -    Android general, redirect: false
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalConfigManager -    * No override portal for: 10.66.243.43
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalConfigManager -    * Skipping role lookup because there is no role for IP: 10.66.243.43
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalConfigManager -    * Skipping username lookup because there is no username for IP: 10.66.243.43
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalConfigManager - Using the default web site entry for end-system session: 10.66.243.43
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalConfigManager - Found captive portal configuration using the user's language locale: pl
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalMainAction - End-System MAC: 50-01-D9-F1-58-2E, IP: 10.66.243.43 is in the accepted state with reason: Rule: "tes_wifi_unregistered" exState: NO_ERROR has been transitioned: false
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalMainAction - End-System MAC: 50-01-D9-F1-58-2E, IP: 10.66.243.43 on switch: 10.26.1.15, port: Ecru, SSID: Ecru does not qualify for web authentication or registration AND assessment is not configured, directing to: accessGranted
2020-02-03 17:14:00,942 INFO  [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalMainAction - End-System MAC: 50-01-D9-F1-58-2E, IP: 10.66.243.43 has been granted access after: UNKNOWN, redirect: Redirect to User's Original URL, directing to: accessGranted
2020-02-03 17:14:02,613 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDIP:10.66.243.43 InProcessStateAndActionHandler - endSystemMacStr is null.
2020-02-03 17:14:02,613 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDIP:10.66.243.43 InProcessStateAndActionHandler - Found end-system by IP in CachedEndSystem alternate map: 10.66.243.43
 

1 ACCEPTED SOLUTION

Ryan_Yacobucci
Extreme Employee

Hello,

 

Yes, you are correct. 

With custom rules you CAN make them eligible for captive portal as long as the profile in the “Unregistered” rule is the same as the profile in your custom rule:


 

[image attached in the original post]

 

There may be problems on the portal exit though. The same issues regarding being in a system rule to be eligible for captive portal can also have an impact on the exit to get out of the captive portal. If you aren't in a system rule that indicates the client has been registered, we've seen the error page show up, as the NAC can't determine if you've completed the captive portal.

It is best recommended practice to use the advanced location based rules when dealing with multiple location based captive portals. 

 

Tomasz, we're probably going to need the full debug log with captive portal debug, as well as the rules engine and authentication request processes on NAC, to dig further into it.

I think that the message: 

“does not qualify for web authentication or registration”

is a good indication of the issue, I’m just not sure why. 

Thanks

-Ryan

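To make the condition in the accepted answer checkable, here is an added example in Python. It is not code from the thread or from Extreme Networks: it models a small rule table, applies Ryan's eligibility condition (a custom rule is eligible only if it assigns the same profile as the system "Unregistered" rule), and runs that check over the three decisive lines from Tomasz's tag.log excerpt. The profile name "LAN Guest Profile" and the shape of the rule table are assumptions for illustration; only the rule name tes_wifi_unregistered and the log lines come from the thread.

```python
import re
from dataclasses import dataclass

# Added example, not code from the thread or from Extreme Networks. It models the
# eligibility condition in the accepted answer and runs it over the log lines from
# the original post. Profile names and the rule table are constructed assumptions;
# only "tes_wifi_unregistered" and the log text come from the thread.


@dataclass(frozen=True)
class Rule:
    name: str
    profile: str
    system_unregistered: bool = False  # True only for the built-in "Unregistered" rule


# Constructed before/after rule tables. "LAN Guest Profile" is a hypothetical name
# standing in for the changed catch-all profile mentioned later in the thread.
RULES_BROKEN = [
    Rule("Unregistered", "LAN Guest Profile", system_unregistered=True),
    Rule("tes_wifi_unregistered", "Unregistered NAC Profile"),
]
RULES_FIXED = [
    Rule("Unregistered", "Unregistered NAC Profile", system_unregistered=True),
    Rule("tes_wifi_unregistered", "Unregistered NAC Profile"),
]


def unregistered_profile(rules):
    """Profile assigned by the system 'Unregistered' rule, or None if there is none."""
    return next((r.profile for r in rules if r.system_unregistered), None)


def eligible_for_portal(rule_name, rules):
    """Eligibility condition from the accepted answer: an end system that matched a
    custom rule is eligible for web registration only if that rule assigns the same
    profile as the system 'Unregistered' rule."""
    rule = next((r for r in rules if r.name == rule_name), None)
    if rule is None:
        return False
    return rule.system_unregistered or rule.profile == unregistered_profile(rules)


MAC = r"End-System MAC: (?P<mac>(?:[0-9A-F]{2}-){5}[0-9A-F]{2})"
STATE_RE = re.compile(MAC + r", IP: (?P<ip>[\d.]+) is in the (?P<state>\w+) state "
                      r'with reason: Rule: "(?P<rule>[^"]+)"')
GRANT_RE = re.compile(MAC + r", IP: (?P<ip>[\d.]+) has been granted access after: (?P<after>\w+)")
NOQUAL_RE = re.compile(MAC + r".*does not qualify for web authentication or registration")


def analyse(log_lines, rules):
    """Collect per-end-system facts from tag.log: state and matched rule, whether NAC
    said the client does not qualify for registration, and what access was granted after."""
    findings = {}
    for line in log_lines:
        for regex, key in ((STATE_RE, "state"), (NOQUAL_RE, "no_qualify"), (GRANT_RE, "granted_after")):
            m = regex.search(line)
            if not m:
                continue
            f = findings.setdefault(m["mac"], {})
            if key == "state":
                f.update(ip=m["ip"], state=m["state"], rule=m["rule"],
                         eligible=eligible_for_portal(m["rule"], rules))
            elif key == "no_qualify":
                f["no_qualify"] = True
            else:
                f["granted_after"] = m["after"]
            break
    return findings


def diagnose(findings):
    """One message per end system showing the loop signature from the thread: NAC says
    the client does not qualify for registration and grants access after UNKNOWN, so
    the user lands on the portal exit instead of the login form."""
    msgs = []
    for mac, f in findings.items():
        if f.get("no_qualify") and f.get("granted_after") == "UNKNOWN":
            if f.get("eligible"):
                why = f"rule {f.get('rule')!r} looks eligible; collect full portal and rules-engine debug logs"
            else:
                why = f"rule {f.get('rule')!r} assigns a different profile than the system Unregistered rule"
            msgs.append(f"{mac} ({f.get('ip')}): exited portal without registration, {why}")
    return msgs


# The three decisive lines from the original post (timestamp and logger prefix trimmed).
SAMPLE_LOG = [
    'NacCaptivePortalMainAction - End-System MAC: 50-01-D9-F1-58-2E, IP: 10.66.243.43 is in the accepted state with reason: Rule: "tes_wifi_unregistered" exState: NO_ERROR has been transitioned: false',
    'NacCaptivePortalMainAction - End-System MAC: 50-01-D9-F1-58-2E, IP: 10.66.243.43 on switch: 10.26.1.15, port: Ecru, SSID: Ecru does not qualify for web authentication or registration AND assessment is not configured, directing to: accessGranted',
    "NacCaptivePortalMainAction - End-System MAC: 50-01-D9-F1-58-2E, IP: 10.66.243.43 has been granted access after: UNKNOWN, redirect: Redirect to User's Original URL, directing to: accessGranted",
]

if __name__ == "__main__":
    for label, rules in (("before fix", RULES_BROKEN), ("after fix", RULES_FIXED)):
        print(label, diagnose(analyse(SAMPLE_LOG, rules)))
```

Run as a script it prints the diagnosis twice: with the profiles mismatched it blames the profile difference, with them aligned it reports that the rule looks eligible and falls back to the request for fuller captive portal and rules-engine debug logs. The regexes are keyed on the "End-System MAC:" prefix so lines such as the OS-detection message (which spells it "end system MAC") are ignored.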

6 REPLIES

Tomasz_Lubas
New Contributor III

Ryan - you are the best 🙂 Some time ago I tested and changed the unregistered catch-all rule for LAN members. This rule was not used at all, but yes, the profile was different than the captive portal rule.

Now the captive portal works!

Thank you very much 🙂

 

regards,

Tomek


Tomasz_Lubas
New Contributor III

Ronald, I'm afraid that's not the case. I have many different implementations where custom rules are used for the captive portal with no problems at all, e.g.:

[image attached in the original post]

Regards,

Tomek

Ronald_Dvorak
Honored Contributor

As far as I understand Ryan, you must use the default unregistered system rule and not create a new one, i.e. tes_wifi_unregistered.

“The NAC won’t qualify an end system as eligible for registration if it has hit any custom rules. It must be assigned a profile that has been configured on a system “Unregistered” rule.”

 

Example from my NAC:

[image attached in the original post]

 

-Ron
