Extreme Networks

Lane_Messer · ‎11-04-2020

Hello!

We are using Extreme Management Center 8.4, V2110 Medium 10.41, Extreme Networks Access Control Engine 8.4, and VMWare 6.5.

For whatever reason, when a client connects to the captive portal and signs in correctly. It will stay there for 5 or 10 minutes unless we force authentication on Management Center. Of course, they get in the quarantine vlan which is 172.x.x.x, but once forced, they get into the correct vlan 10.x.x.x.

Not really sure what’s going on. I can’t follow the last solution in the article that includes the same title, because I cannot find that in Management Center.

Lane_Messer · ‎11-09-2020

Hello, thank you so much for your help. However, the java error that was posted is an issue in version 8.4 of Extreme Networks Access Control.

[com.enterasys.tesNb.server.snmp.reauthentication.DisconnectMessageReauthenticationWorker] (Reauthentication Service Thread19:) Unable to update the authorization level for MAC: 00-1E-4C-9A-CB-47, IP: 172.16.222.64 because of exception:java.lang.NullPointerException

The cause of the issue is due to changing re-authentication on the Access Controller.

The unofficial workaround is to enforce using Java NAC Manager. However, that doesn’t fix the issue.

Upgrading both Extreme Networks Management Center and Extreme Networks Access Control to 8.5 corrected the issue entirely.

View solution in original post

Lane_Messer · ‎11-04-2020

@StephanH

172.x.x.x is the quarantine vlan.

10.x.x.x is our internet vlan

Devices that are in unregistered get redirected to our captive portal at 10.33.x.x, which is the IP of the NAC.

Once they login, they sit there in the quarantine vlan for a few minutes unless I disassociate their device on the V2110 or force reauthentication and scan on Management Center.

StephanH · ‎11-04-2020

Hello Lane,

to be sure:

172.x.x.x is the ip from the network where you redirected to the portal page

10.x.x.x is the ip network where you are should be connected if you are signed in and authenticated.

If this is correct and you still remain in the 172.x.x.x network although your can see the policy your client receive (check controller client reports for that). I assume you leastime is to long.

Your client will not be informed after the network change that it has to change the IP. This is normal!
You have to set the leasetime in network 172.x.x.x very short. E.g. 30 seconds to make the client change the IP faster, You can play with the leasetime to find out the best timerange for your needs.

Regards Stephan

Lane_Messer · ‎11-04-2020

Sorry for replying to your response in-full.

However, even disabled, it still takes the client forever to switch over to the VLAN with internet. Around 2 minutes and it will eventually switch. Despite showing that network access was granted, the client still has a 172.x.x.x address.

StephanH · ‎11-04-2020

Hello,

step 2 (Disable Change of Authorization on NAC ) is no a controller but a NAC setting.

19635bdfea0a49ca9169bea8db1b4e7b_7a513715-e64a-467f-a640-8bbe994ba1c8.png

Regards Stephan

Lane_Messer · ‎11-04-2020

Yes I am, but unfortunately cannot find anything on our controller that’s close to step 2. Not sure where to go from here.

Extreme Networks

Wireless client registering to NAC and flipping VLAN is slow to get new IP address causing delay in registration process

Wireless client registering to NAC and flipping VLAN is slow to get new IP address causing delay in registration process