
NAC portal for wifi-users: UserNames are not displayed in XMC>>Wireless>>Clients

Ilya_Semenov
Contributor
Hello, team,

I've partially configured V2110 & NAC integration. There is a web portal on NAC, where wireless users log in using their AD credentials.

The main goal of this configuration was to be able to see AD usernames in XMC >> Wireless >> Clients.

But now I see just IPs, MACs, Device Types and nothing more for authorized clients. How can I fix it?

Also, I've experienced the following issues during the authorization process:

1) When I use an iPhone to connect to the SSID, it takes me to the NAC's web portal, but it is displayed for only about 10 seconds. If I enter credentials within this time, everything is OK and I get registered; if it takes me more than 10 seconds, the iPhone brings me back to the SSID list. WTF? With a Nokia Lumia 950 it works perfectly well without time limits.
2) When I use a Windows 10 laptop I get "Endless registration" on the NAC web portal in the browser, but in spite of this I also get access to the network.

What should I do to fix it?

1) I need to have enough time to input credentials on Apple devices.
2) I want to avoid the "Endless registration" message on laptops.

Please, help!

Many thanks in advance,
Ilya

There are some logs & pics below:

[Image: Capture2_inline.png]



It's for Endless registration from laptop:


Ilya_Semenov
Contributor
Hello, Ryan,

Many thanks for your response. Could you please enlighten me on some details?

1. Are there any ways to implement authentication using NAC where I will see AD's UserName in XMC Wireless>Clients? What should be configured? Now I have:

[Image: auth_inline.jpg]



and...

[Image: NAC_conf_inline.jpg]



2. I've tested just my own iPhone 6 with iOS 11.3. Tomorrow I'll test some other Apple devices.

3. OK, I've set "redirect immediately" - I'll check it tomorrow too.

[Image: IvesettoRedirectImmediately_inline.jpg]



4. I've provided debug from the NAC's admin page log. I do not use freeradius. Also, I've not found how to do this:

"Enable debug for Captive portal in the debug screen and send in the tag.log

Captive Portal --> Display
Captive Portal --> Registration and Remediation"

I have this enabled:

[Image: debug_inline.jpg]



Ryan, I'll willingly send any part of my conf if it could clear up the situation. Many thanks to you!

Ryan_Yacobucci
Extreme Employee
Hello,

1. Extreme Management Center --> wireless --> clients will provide information that was obtained from the Controller. Unless the controller has a client that is doing 802.1x, which provides the username within the authentication protocol, you will not see the username here.

The captive portal is held on the NAC appliance and this information will be seen in the Control --> End Systems tab, but the EWC does not have any knowledge that the client has been through a captive portal and does not know what credentials have been provided, so it cannot display them.

2. What version of iOS? Are all versions affected?

3. As far as "Endless registration" is concerned, check the Control captive portal options and see what the redirection configurations are set to. Are they set to use the user's requested URL?

The workflow should be the following:

User puts in credentials and hits register.
Browser is set to send requests to the NAC, waiting for a message to tell it to proceed.
When the client has been registered, NAC will respond with a transition.jsp script to indicate to the client that they should move on to the next page.

If the client doesn't have connectivity to NAC in the role that has been provided by registration, then the client will never receive the instruction to transition.

Try setting the "redirect immediately" option in the captive portal options. This will have the client test for internet connectivity to trigger the transition rather than wait for the NAC.

4. You have provided freeRADIUS debug; we'll need different debug to see what's going on.
Enable debug for Captive portal in the debug screen and send in the tag.log

Captive Portal --> Display
Captive Portal --> Registration and Remediation

Thanks
-Ryan

StephanH
Valued Contributor III
Hello Ilya,

First of all, in my experience iPhones have to reach the gateway during DHCP; if not, there are problems getting the IP address. If the gateway communicated in the DHCP offer is not present in the network, the DORA process is completed but the iPhone will not use the IP address.

For your problem 2 (endless registration): Maybe these screws will help:
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-decrease-delay-between-Registration...

Best regards
Stephan
