NAC Captive portal loop on deny access. No login fields appear for Authenticated Web Access.

Tomasz_Lubas
New Contributor III

Hello,

I observed very strange behaviour of the captive portal. The client is redirected from EWC via External to the NAC captive portal and, if not present in XMC, then for a short while he can see the login on the captive portal. After a couple of seconds the captive portal shows only Access denied… loop.

The client gets the Unregistered NAC profile with the unregistered policy and this does not change through this process. He still sees the captive portal but can't log in to the network. The proper captive portal is shown only once.

Logs from tag.log show accessGranted after UNKNOWN.

I'll be very grateful for any ideas.


2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalOsUtils - The user is not in the captive portal (state: ACCEPT, reason: Rule: "tes_wifi_unregistered") - not updating determined OS: "Android 9", OS Type: OS Family: Android for end system MAC: 50-01-D9-F1-58-2E, IP: 10.66.243.43 from userAgent: "Mozilla/5.0 (Linux; Android 9; MHA-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.116 Mobile Safari/537.36 OPR/55.2.2719.50740".
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 InProcessStateAndActionHandler -    Mobile mismatch detected, potential mobile OS: OS Family: Android, webkit: true
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 InProcessStateAndActionHandler -    Android general, redirect: false
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalConfigManager -    * No override portal for: 10.66.243.43
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalConfigManager -    * Skipping role lookup because there is no role for IP: 10.66.243.43
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalConfigManager -    * Skipping username lookup because there is no username for IP: 10.66.243.43
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalConfigManager - Using the default web site entry for end-system session: 10.66.243.43
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalConfigManager - Found captive portal configuration using the user's language locale: pl
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalMainAction - End-System MAC: 50-01-D9-F1-58-2E, IP: 10.66.243.43 is in the accepted state with reason: Rule: "tes_wifi_unregistered" exState: NO_ERROR has been transitioned: false
2020-02-03 17:14:00,942 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalMainAction - End-System MAC: 50-01-D9-F1-58-2E, IP: 10.66.243.43 on switch: 10.26.1.15, port: Ecru, SSID: Ecru does not qualify for web authentication or registration AND assessment is not configured, directing to: accessGranted
2020-02-03 17:14:00,942 INFO  [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalMainAction - End-System MAC: 50-01-D9-F1-58-2E, IP: 10.66.243.43 has been granted access after: UNKNOWN, redirect: Redirect to User's Original URL, directing to: accessGranted
2020-02-03 17:14:02,613 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDIP:10.66.243.43 InProcessStateAndActionHandler - endSystemMacStr is null.
2020-02-03 17:14:02,613 DEBUG [com.enterasys.tesNb.server.util.ESD] (http-10.66.242.7-443-17:) ESDIP:10.66.243.43 InProcessStateAndActionHandler - Found end-system by IP in CachedEndSystem alternate map: 10.66.243.43

1 ACCEPTED SOLUTION

Ryan_Yacobucci
Extreme Employee

Hello,


Yes, you are correct. 

With custom rules you CAN make them eligible for captive portal as long as the profile in the “Unregistered” rule is the same as the profile in your custom rule:


There may be problems on the portal exit though. The same issues regarding being in a system rule to be eligible for captive portal can also have impact on exit to get out of captive portal. If you aren’t in a system rule that indicates the client has been registered we’ve seen the error page show up as the NAC can’t determine if you’ve completed captive portal.

It is best recommended practice to use the advanced location based rules when dealing with multiple location based captive portals. 


Tomasz, we’re probably going to need the full debug log with Captive portal debug as well as rules engine and authentication request processes NAC to dig further into it.

I think that the message: 

“does not qualify for web authentication or registration”

is a good indication of the issue, I’m just not sure why. 

Thanks

-Ryan


Tomasz_Lubas
New Contributor III

Hi Ryan, thank you for your reply.

The client got the Unregistered NAC profile and Unregistered policy assigned:


The end-system is 50-01-D9-F1-58-2E for sure the same has problem with captive portal.

I can try advanced location but don’t know how it could help.


regards,

Tomek

Ryan_Yacobucci
Extreme Employee

Hello Tomasz,


From the log provided I would guess one of two things may be happening: 


  1. The profile that the NAC identified being assigned to the end system is not assigned to any of the “Unregistered” rules. 

    ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalMainAction - End-System MAC: 50-01-D9-F1-58-2E, IP: 10.66.243.43 on switch: 10.26.1.15, port: Ecru, SSID: Ecru does not qualify for web authentication or registration AND assessment is not configured, directing to: accessGranted

    The NAC won’t qualify an end system as eligible for registration if it has hit any custom rules. It must be assigned a profile that has been configured on a system “Unregistered” rule.

    This log message: 

    ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalMainAction - End-System MAC: 50-01-D9-F1-58-2E, IP: 10.66.243.43 is in the accepted state with reason: Rule: "tes_wifi_unregistered" exState: NO_ERROR has been transitioned: false

    Indicates we hit a “tes_wifi_unregistered” rule, and this is not a system rule.

    I would say the advanced location based access feature might be a good way to fix this. In NAC Manager go to Tools → Management and Configuration → Advanced Configuration.

    Use the “add feature” button to configure “Advanced location based access”. This will deploy a new set of system rules for registration from a location. I would guess you’re trying to do that with the custom rule.

    The key here is that an end system MUST be seen in the same profile that exists in the “Unregistered” system rule. If you can modify your rules so that the “Unregistered” rule’s profile can work in both rules, then that should also fix the issue.

  2. The NAC incorrectly identified the end system. Make sure 50-01-D9-F1-58-2E is really the end system you’re testing with.



    Thanks
    Ryan
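The diagnosis above rests on three tag.log lines: the rule that put the end system in the accepted state, the "does not qualify for web authentication or registration" decision, and the "granted access after: UNKNOWN" result. The following triage script is an added example (not Extreme's code, and not from the thread) that parses those messages and flags end systems that hit a non-system rule yet were sent to accessGranted; it assumes the only system registration rule in the deployment is named "Unregistered", and the second end system (MAC 00-11-22-AA-BB-CC) is a constructed healthy case, not from the thread.

```python
import re

# Constructed sample: the three key lines from the thread's tag.log (logger
# prefix shortened to "[...]") plus one hypothetical healthy end system.
SAMPLE_LOG = """\
2020-02-03 17:14:00,942 DEBUG [...] ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalMainAction - End-System MAC: 50-01-D9-F1-58-2E, IP: 10.66.243.43 is in the accepted state with reason: Rule: "tes_wifi_unregistered" exState: NO_ERROR has been transitioned: false
2020-02-03 17:14:00,942 DEBUG [...] ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalMainAction - End-System MAC: 50-01-D9-F1-58-2E, IP: 10.66.243.43 on switch: 10.26.1.15, port: Ecru, SSID: Ecru does not qualify for web authentication or registration AND assessment is not configured, directing to: accessGranted
2020-02-03 17:14:00,942 INFO  [...] ESDMAC:F1-58-2E,ESDIP:10.66.243.43 NacCaptivePortalMainAction - End-System MAC: 50-01-D9-F1-58-2E, IP: 10.66.243.43 has been granted access after: UNKNOWN, redirect: Redirect to User's Original URL, directing to: accessGranted
2020-02-03 17:20:00,000 DEBUG [...] ESDMAC:AA-BB-CC,ESDIP:10.66.243.50 NacCaptivePortalMainAction - End-System MAC: 00-11-22-AA-BB-CC, IP: 10.66.243.50 is in the accepted state with reason: Rule: "Unregistered" exState: NO_ERROR has been transitioned: false
"""

MAC = r"(?P<mac>[0-9A-F]{2}(?:-[0-9A-F]{2}){5})"
STATE_RE = re.compile(MAC + r', IP: [\d.]+ is in the (?P<state>\w+) state with reason: Rule: "(?P<rule>[^"]+)"')
NOQUAL_RE = re.compile(MAC + r", IP: [\d.]+ .*does not qualify for web authentication or registration")
GRANT_RE = re.compile(MAC + r", IP: [\d.]+ has been granted access after: (?P<after>\w+)")

# Assumption: "Unregistered" is the deployment's only system registration rule;
# the thread's "tes_wifi_unregistered" is a custom rule and therefore not eligible.
SYSTEM_RULES = frozenset({"Unregistered"})


def triage(log_text, system_rules=SYSTEM_RULES):
    """Per end-system MAC, collect the rule hit, registration eligibility and grant reason."""
    systems = {}
    for line in log_text.splitlines():
        for regex in (STATE_RE, NOQUAL_RE, GRANT_RE):
            m = regex.search(line)
            if not m:
                continue
            info = systems.setdefault(m.group("mac"), {
                "rule": None, "system_rule": None, "not_eligible": False, "granted_after": None})
            if regex is STATE_RE:
                info["rule"] = m.group("rule")
                info["system_rule"] = m.group("rule") in system_rules
            elif regex is NOQUAL_RE:
                info["not_eligible"] = True
            else:
                info["granted_after"] = m.group("after")
    return systems


def loop_candidates(log_text, system_rules=SYSTEM_RULES):
    """MACs showing the thread's signature: non-system rule, declared not eligible
    for registration, then granted access after UNKNOWN (portal loop candidate)."""
    return sorted(mac for mac, i in triage(log_text, system_rules).items()
                  if i["system_rule"] is False and i["not_eligible"]
                  and i["granted_after"] == "UNKNOWN")


if __name__ == "__main__":
    for mac in loop_candidates(SAMPLE_LOG):
        print(f"{mac}: hit custom rule {triage(SAMPLE_LOG)[mac]['rule']!r}, check Unregistered system rule profile")
```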