cancel
Showing results for 
Search instead for 
Did you mean: 

CoA XCC / Extreme Control on VLAN / IP Change

CoA XCC / Extreme Control on VLAN / IP Change

Anonymous
Not applicable
Hi,

Have a setup which is using Guest Registration External Captive portal to ExtremeControl, with text based verification via XCC.

What happens is the client registers through the captive portal, which the process completes without issue, but the client
never moves to the authenticated role.

In this case the client was asked to disconnect and reconnect, but took a forced disassociate from XCC to get the client to re-auth and get the correct role / VLAN / subnet (172.16.x.x) in order to connect. This issue seems to be more related to the desktop / laptop rather then when using a phone.

So the transition of registering isn't as fluid as might be expected

I believe COA is enabled by default, but in this situation it might need to be turned off based on the is article due to the VLAN change?

How To: How to enable CoA (Change of Authorization) on a Access Control/NAC appliance for Extreme Wi...

Here is a screenshot of the Control config:

03311162098d4da58090258d577ff3ab.png
Not sure what sysObjectId would be used, but this is what is set for the Extreme IdnetiFi Wireless:

6898fd3d596948c5bdc36af090869046.png
So my question is should it be disabled (if that is the answer), and / or what might be configured to assist a smoother on-boarding?

Admittingly XMC / Control needs upgrading as on version 8.3.2.11
XCC is on version 05.46.03.0016

It is possible an XMC / NAC upgrade is the answer to fully support the XCC, but wondered if the answer was in fully understanding the mechanics and thereby a solution could be found in config.

Many thanks in advance
1 ACCEPTED SOLUTION

Miguel-Angel_RO
Valued Contributor II
Hi Martin,

I have this in the RADIUS Attribute configuration:
  • Filter-Id=%POLICY_NAME%
  • Filter-Id=Enterasys:version=1:%MANAGEMENT%policy=%POLICY_NAME%
  • Login-LAT-Port=%LOGIN_LAT_PORT%
  • Service-Type=%MGMT_SERV_TYPE%

For the SysObjectId, go to the device in the configure menu.
You have a vendor profile tab with the OID
151ad6086db94db795274ba194252ba1.png

Here my CoA settings:
9212634a55ac4e45a8a24afc60f609c3.png
Regards,

Mig

View solution in original post

4 REPLIES 4

Anonymous
Not applicable
Thanks guys for the information, really helped in sorting the issue.

The issue was that the XCC was showing a OID in the vendor profile where there was no matching OID in the ReAuthentication in ExtremeControl.

Once I added it, it all started working.

My suspicions are that had XMC / Control been running on newer firmware there wouldn't have been a problem.

Was satisfying to get it going nonetheless.

Ryan, actually hit another issue after this was working, so one of your other posts come in handy too:

Wireless Client Disconnects After Captive Portal Registration

​Thanks again

Ryan_Yacobucci
Extreme Employee
Hey  Martin,

Check Alarms & Events --> Events --> Types of Events to "Nac" and "Access Control Engine"

Do you see reauthentication failed message after registration?

Most often the failure of RFC 3576/5176 is due to a time drift between NAC/XCC. If the event timestamp is more than 300 seconds from the system time XCC will not process the request.

https://extremeportal.force.com/ExtrArticleDetail?an=000077602

Thanks
-Ryan

Anonymous
Not applicable
Thanks Mig. Let me give this a go and report back if it helped.

Cheers,

Martin

Miguel-Angel_RO
Valued Contributor II
Hi Martin,

I have this in the RADIUS Attribute configuration:
  • Filter-Id=%POLICY_NAME%
  • Filter-Id=Enterasys:version=1:%MANAGEMENT%policy=%POLICY_NAME%
  • Login-LAT-Port=%LOGIN_LAT_PORT%
  • Service-Type=%MGMT_SERV_TYPE%

For the SysObjectId, go to the device in the configure menu.
You have a vendor profile tab with the OID
151ad6086db94db795274ba194252ba1.png

Here my CoA settings:
9212634a55ac4e45a8a24afc60f609c3.png
Regards,

Mig
GTM-P2G8KFN