NAC Troubleshooting Tips - Debug Methodology for Authentication Issues

Objective
To provide guidance on gathering information for debugging RADIUS authentication issues on the NAC.
 
Environment
  • Netsight NAC Manager (Java app)
  • NAC
  • Access Control
Procedure

1. Enable these NAC debugs: From NAC Manager, right-click the NAC appliance and select WebView, or browse to:
      https://<IPofAppliance>:8443
      Enter the web credentials. The default username is admin and the default password is Extreme@pp.

1a. Go to Diagnostics -> Appliance/Server Diagnostics.
1b. Change the following items from "log4jfile override" to "Verbose":

      Authentication Request Processing - NAC 
      Authentication Request Processing - RADIUS 
      Reauthentication
      LDAP
      SNMP
      Rules Engine - Authentication
      Rules Engine - Authorization
      Rules Engine - Policy Mapping
      Toggle Link



1c. Scroll down the web page and click OK.

1d. SSH into the NAC appliance and start a tcpdump:

tcpdump -i eth0 -s 0 -w radius.pcap port 1812 or port 3799 or port 389

See the link in the "Additional notes" section of this article for more information on tcpdump.


2. Wait until you see (or reproduce) the issue you are reporting. Note the time of the issue, as this is very important.

3. Reset the NAC debug levels to their defaults by clicking the Reset Defaults button at the bottom of the diagnostics screen in WebView.

4. Gather /var/log/tag.log, /var/log/syslog, /var/log/messages, and /var/log/radius/radius.log from the NAC appliance.

5. Gather the NAC database: In NAC Manager, go to File -> Database -> Backup NAC Configuration. The backup file will be on the NetSight server in the <install_dir>/NetSight/backup directory.

6. From OneView, go to Administration, Diagnostics, Support, Generate Show Support, Start (at the top). When finished, this file will also be on the NetSight server in the given path. See the link below for more detailed instructions:
     How to generate a show support from Oneview

7. Use WinSCP or another SCP/SFTP client to download the files locally from the NAC and NetSight servers.

8. In NAC Manager, locate the test End System and export the End System "Events" for this device to HTML format.

   To export the End System Events, highlight the End System under the End Systems tab. Then, in the middle pane of the NAC Manager screen, under the "End System Events" tab, highlight any event, right-click it, and select Table Tools, Export. ***Please export to HTML format***
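
Steps 1d and 4 gathered into one script, as an added example that is not part of the original article: it copies the four log files and the capture into a timestamped archive with a SHA-256 manifest, and records any file that was absent instead of silently skipping it. The function names, archive name and manifest layout are assumptions, as is the presence of `sha256sum`, `tar` and `mktemp` on the appliance.

```shell
#!/bin/sh
# Added example: bundle the files named in steps 1d and 4 for a support case.
# collect_nac_logs ROOT PCAP OUTDIR
#   ROOT   - filesystem root to read from ("/" on the appliance, a test tree otherwise)
#   PCAP   - path to the capture written by tcpdump in step 1d
#   OUTDIR - directory that receives the archive
# Prints the archive path on success. Function and bundle names are hypothetical.
collect_nac_logs() {
    root=${1%/}; pcap=$2; outdir=$3
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    name="nac-debug-$stamp"
    old_umask=$(umask)
    umask 077    # bundle holds authentication logs and RADIUS/LDAP traffic
    stage=$(mktemp -d) || { umask "$old_umask"; return 1; }
    mkdir -p "$stage/$name" "$outdir"
    manifest="$stage/$name/MANIFEST.txt"
    echo "collected_utc=$stamp" > "$manifest"

    # Log paths as listed in step 4 of the article.
    for f in /var/log/tag.log /var/log/syslog /var/log/messages \
             /var/log/radius/radius.log; do
        _nac_add "$root$f" "$(echo "${f#/}" | tr / _)"
    done
    _nac_add "$pcap" "radius.pcap"

    rc=0
    tar -C "$stage" -czf "$outdir/$name.tar.gz" "$name" || rc=$?
    rm -rf "$stage"
    umask "$old_umask"
    [ "$rc" -eq 0 ] && echo "$outdir/$name.tar.gz"
    return "$rc"
}

# Copy one file into the staging directory and record its SHA-256, or record
# it as MISSING so the gap is visible to whoever opens the bundle.
_nac_add() {
    src=$1; dest=$2
    if [ -r "$src" ]; then
        cp -p "$src" "$stage/$name/$dest"    # -p keeps the original timestamps
        sum=$(sha256sum "$src" | cut -d' ' -f1)
        echo "OK $sum $src" >> "$manifest"
    else
        echo "MISSING $src" >> "$manifest"
    fi
}
```

On the appliance this would be called as `collect_nac_logs / radius.pcap /tmp` after stopping the capture, and the resulting archive is the single file to download in step 7.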
Additional notes
Optionally, you may want to capture a trace of the RADIUS packet handshake or other traffic. That can be done using tcpdump, as discussed in this article:
NAC Troubleshooting Tips - common tcpdump commands used for isolating issue
