cancel
Showing results for 
Search instead for 
Did you mean: 

Wireless client registering to NAC and flipping VLAN is slow to get new IP address causing delay in registration process

Wireless client registering to NAC and flipping VLAN is slow to get new IP address causing delay in registration process

Lane_Messer
New Contributor II

Hello! 

We are using Extreme Management Center 8.4, V2110 Medium 10.41, Extreme Networks Access Control Engine 8.4, and VMWare 6.5. 

 

For whatever reason, when a client connects to the captive portal and signs in correctly. It will stay there for 5 or 10 minutes unless we force authentication on Management Center. Of course, they get in the quarantine vlan which is 172.x.x.x, but once forced, they get into the correct vlan 10.x.x.x. 


Not really sure what’s going on. I can’t follow the last solution in the article that includes the same title, because I cannot find that in Management Center.

1 ACCEPTED SOLUTION

Lane_Messer
New Contributor II

Hello, thank you so much for your help. However, the java error that was posted is an issue in version 8.4 of Extreme Networks Access Control. 

 

[com.enterasys.tesNb.server.snmp.reauthentication.DisconnectMessageReauthenticationWorker] (Reauthentication Service Thread19:) Unable to update the authorization level for MAC: 00-1E-4C-9A-CB-47, IP: 172.16.222.64 because of exception:java.lang.NullPointerException 

 

The cause of the issue is due to changing re-authentication on the Access Controller. 

The unofficial workaround is to enforce using Java NAC Manager. However, that doesn’t fix the issue. 


Upgrading both Extreme Networks Management Center and Extreme Networks Access Control to 8.5 corrected the issue entirely. 

View solution in original post

15 REPLIES 15

Lane_Messer
New Contributor II

Hello, thank you so much for your help. However, the java error that was posted is an issue in version 8.4 of Extreme Networks Access Control. 

 

[com.enterasys.tesNb.server.snmp.reauthentication.DisconnectMessageReauthenticationWorker] (Reauthentication Service Thread19:) Unable to update the authorization level for MAC: 00-1E-4C-9A-CB-47, IP: 172.16.222.64 because of exception:java.lang.NullPointerException 

 

The cause of the issue is due to changing re-authentication on the Access Controller. 

The unofficial workaround is to enforce using Java NAC Manager. However, that doesn’t fix the issue. 


Upgrading both Extreme Networks Management Center and Extreme Networks Access Control to 8.5 corrected the issue entirely. 

Ovais_Qayyum
Extreme Employee

Hi Lane, 

This looks like a CoA problem.

In this case, the symptom you would see are:

1- Client connects to the Captive Portal, CP appears just fine and the user can complete the registration.

2-  The CP page stays on “you have been successfully granted network access” and right after that the device gets disconnected (it may or may not get disconnected).

3- On the NAC you see the client device with the correct policy role after successful registration e.g. Guest Access role. 

4-  Client device never gets an IP from Guest Access Vlan.

5- If you manually disconnect the client device and reconnect it, it connects just fine and acquires an IP address too. It's because CoA is not working and when you manually disassociate a client and reassociate it back, it kinda mimics the CoA process but in a manual fashion. 

Things you check and possible fixes:

1- Verify if the time is correct on both controller and the NAC, the recent DST change over last weekend could have changed time by an hour. A time difference of five minutes or more will cause the CoA packets to be discarded by the controllers silently. 

2- If the time is correct, look for DAS (Dynamic Authorization) related error messages in the controller log. You may see something like “Dynamic Authorization Service Decoding failed”.

3- You can run a TCPDUMP on the NAC to see if it’s getting anything back from the controller in response to CoA request packet. If no CoA ACK packets are seen from the controller end, this would confirm that DAS is busted which in turn will cause CoA to stop working. Use the following article to run TCPDUMP, you can analyze the pcap file in Wireshark. 

https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-common-tcpdump-co...

 

3- Create a new AAA policy and assign it to the controller, delete the old one. 

 

Let me know if that helps, otherwise we will try some other stuff. 

Regards,

Ovais

Lane_Messer
New Contributor II

I am receiving this error on the NAC when attempting to re-authenticate. 

 

[com.enterasys.tesNb.server.snmp.reauthentication.DisconnectMessageReauthenticationWorker] (Reauthentication Service Thread19:) Unable to update the authorization level for MAC: 00-1E-4C-9A-CB-47, IP: 172.16.222.64 because of exception:java.lang.NullPointerException

Lane_Messer
New Contributor II

Well, everything was working fine last week. 
 

We did just go through a time change, but I’m not sure that matters. 

Basically, now users can login on the captive portal, but I have to go into the V2110, find the AP they’re on, and click dissociate before they can successfully connect. It will tell them they are granted network access, but the page will never refresh and the client will not connect.  

GTM-P2G8KFN