
NAC 6.2.0.221 & IdentiFi 9.15.0 RADIUS config problem

LeoP1
Contributor
Greetings guys,

Sorry about the long post, but I've tried to get as much information as I could...

I'm testing the latest releases of NMS & NAC and IdentiFi in the lab, but I'm getting some issues...

The NAC Manager help tells us to manually configure RADIUS Accounting on IdentiFi...

Doing some tests, I found that if I set on the NAC Manager Switches tab the IdentiFi Controller to use "Radius Accounting -> Enabled" NAC enforces the config without errors, but when using "Verify RADIUS Configuration" it shows a message like "Switch does not support ETS RADIUS Accounting MIBs.".

Setting "Radius Accounting" to "Disable" on NAC Manager's Switch Config makes the "Verify RADIUS Configuration" pass without any errors.

Looking at the IdentiFi, at the Global Authentication Settings, it shows the NAC Appliance as the only RADIUS, but Accounting Priority as "-".

Opening the Server Details, the Accounting Priority is set to "0" (Radius Accounting is enabled on the "Advanced" button below).

Taking a look at WLAN Service Auth & Acct, as the priority of the Accounting is set to 0 and RADIUS is set to "Strict Mode", the Acct box is unset and not editable.

If I set the Accounting priority on the Global Authentication tab to "1" and save the config, it works as expected (the Acct checkbox on WLAN Auth&Acct is marked and everything goes OK).

Now the problem arises... After making these adjustments to the IdentiFi config, on a new Enforce from NAC Manager (with the "Force Reconfiguration of All Switches" checkbox set), no error messages are presented, BUT Authentication on IdentiFi stops working...

Checking the NAC Manager "Verify RADIUS Configuration" it shows the following message: 'RADIUS Authentication should be enabled. Primary RADIUS should be "10.100.0.251" insted of "" '

Looking at the IdentiFi Global Auth config, now it shows the NAC as a RADIUS again, BUT with the Authentication Priority as "-". Taking a deeper look at the Server Details, now the Authentication Priority is set to "0" (and on the WLAN Auth&Acct, only the Acct checkbox is selected), looking like the Auth is Disabled.

The only way to make the Auth work again is to manually set the Authentication Priority to "1" on Global Auth Config. Now everything got back to work as expected.

After doing this, the NAC Manager "Verify RADIUS Configuration" passes without any warnings of changes on NAC Config.

But if I run a new Enforce (with Reconfig All Switches set) on NAC Manager, the Authentication Priority comes back to "0" and everything stops authenticating on IdentiFi.

After this, going a little further, if I manually set Authentication Priority to "1" and Accounting Priority to "0" and run a new Enforce (with Reconfig All Switches) on NAC Manager, everything works fine, but RADIUS Accounting for NAC Appliance on IdentiFi is disabled. The same effect is reached when, instead of editing the Priorities values, I delete the RADIUS on IdentiFi and run a new Enforce on NAC Manager.

I have customers that have (or are planning to deploy) IdentiFi + NAC and want to use Radius Auth and Acct, but this issue could be a real problem in a live environment.

Is this a bug or am I missing something?

Best regards,

-Leo

1 REPLY

Ronald_Dvorak
Honored Contributor
I've run into the same before - looks like a bug as I don't see why prio should be 0.
1 was always the first one in the list in the controller GUI.