
Captive portal NAC + Apple Devices OSX

Tiago_Molinos
New Contributor II
Hi there,

We've been setting up a wireless LAN solution with NAC + a couple of IdentiFi controllers.
At the moment we're fine-tuning the guest network.

I'm running the latest NAC appliance software and version 9.21.04 on the controllers (5110 + v2110).

Right now I'm concerned with two different problems:

1 - Whenever I try to connect an Apple OSX device, it pops up an error:



If I ignore the error and go straight to the browser and open a random page then the portal appears and I can register a device. After the registration is successful I end up in problem #2.

2 - On all Apple devices, after the registration is successful the device never renews the IP address and eventually an error is displayed in the portal. If I manually reconnect to the network then it gets the correct IP address.

Any suggestions?

Best Regards,

Tiago

25 REPLIES 25

Yes! I have to do this via firewalled interfaces a lot. So if you set up the DNS redirect like this, allow your NAC and DNS (internal DNS and only DNS), then this kicks a portal page without issue. I do it this way every time. Not all of my clients have equipment that has DSCP or PBR capabilities. So this is my resolution to that problem.

Oh, is this how to use the NAC portal without policy routing on DSCP? That's very useful to know as I'm about to switch to a firewall that's missing that capability. Well, I did ask about it during evaluation, but it can only do it in combination with SNAT which then wouldn't work for the NAC portal.

Tiago_Molinos
New Contributor II
Hi Joseph,

I cannot understand what you mean on #1. Are you referring to Extreme's NAC appliance or a different product?

#2 DHCP changes have indeed solved the problem. Thanks for your input!

What I would like to see now is the Captive Portal (NAC) popping up in OS X El Capitan.

Joseph_Burnswor
New Contributor III
Issue #1: When I do the captive portal (especially in an environment with Apple) I use a DNS named redirect. Instead of using https://1.1.1.1/redirect I use http://GuestAccess.myco.com (you will need to make an "A" record for this). I also make sure that I allow port 53 TCP for the secured DNS hijack. This resolves the issues I have had with Apple redirects.

Issue #2: Are you using NAC to change the Policy to a different VLAN? If so, you would need to make the Unregistered VLAN DHCP lease time very short (30 - 45 seconds). This will allow the iOS devices with sticky leases to renew without any major issues.

Please let us know if this helps. If not, also let us know so that we can further assist you 🙂
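
A way to check the two prerequisites named in this reply (the "A" record for the portal name and DNS allowed on TCP port 53) from a client in the unregistered state. This is an added example, not part of the original thread or of any vendor tool; the DNS server address you pass in, the reply flags and the 192.0.2.10 documentation address in the sample are assumptions.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """DNS A query for `name`, with the 2-byte length prefix DNS uses over TCP."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD flag, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def _skip_name(msg, off):
    """Offset just past a name, which may end in a compression pointer."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # 2-byte pointer terminates the name
            return off + 2
        if n == 0:            # root label terminates the name
            return off + 1
        off += 1 + n

def parse_a_records(msg):
    """IPv4 addresses in the answer section of a DNS reply (length prefix removed)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # non-zero RCODE, e.g. NXDOMAIN: the A record is missing
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # name, then QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_over_tcp(server, name, timeout=3.0):
    """Raises OSError if TCP/53 to `server` is blocked; [] if the name has no A record."""
    with socket.create_connection((server, 53), timeout=timeout) as s, s.makefile("rb") as f:
        s.sendall(build_query(name))
        size = struct.unpack("!H", f.read(2))[0]
        return parse_a_records(f.read(size))

# Constructed sample reply: GuestAccess.myco.com A 192.0.2.10 (documentation address).
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_query("GuestAccess.myco.com")[14:]
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 45, 4) + socket.inet_aton("192.0.2.10"))
```

On a client that has not registered yet, `resolve_over_tcp("<internal DNS server>", "GuestAccess.myco.com")` should return the portal's address; a connection error points at the firewall rule, an empty list at the missing record.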

Tiago_Molinos
New Contributor II
Hi Ron,

I removed apple.com as suggested. It still pops up on all Apple iOS devices (great!) but on OSX machines the popup stopped showing. If I open a browser then I'm correctly redirected and the registration can then be concluded.

I need to change the IP for several reasons. One of them is that the guest network is actually a topology group comprised of several different balanced networks, another is that I'm also using the captive portal to do registered guest authentication (for BYOD).
Anyway, your suggestion to set the DHCP lease to a low value seems to work great. I've set the lease to 45 seconds, but I think I'll tune this value in the future. I don't know how the DHCP server will handle the additional load when I go live with the solution.

I think the solution as it is right now is working as expected, except for the non-existent popup in OSX. Is it possible to have it? I added the "apple.com" again and verified that the popup returns... Can't figure out why it says "A problem occurred"...

Thanks for your answer!

BR

Tiago