Reset Search



NAC Troubleshooting Tips - Debug Methodology for Authentication Issues

« Go Back


TitleNAC Troubleshooting Tips - Debug Methodology for Authentication Issues
To provide guidance for gathering information regarding debugging authentication issues using the NAC or Extreme Access Control
  • Netsight NAC Manager (Java app)
  • NAC
  • Access Control
  • EAC
  • Webview

1. Enable these NAC debugs: From NAC Manager, right Click on the NAC appliance and select Webview. OR
            Enter Web Credentials - default username is admin, default password is Extreme@pp

1a. Go to Diagnostics->Appliance/Server Diagnostics
1b. Change the following from "log4jfile override" to "Verbose" for the select items below:

      *Authentication Request Processing - EAC             
      Authentication Request Processing - RADIUS 
      Rules Engine - Criteria
      Rules Engine - Authentication
      Rules Engine - Authorization

(*Note that the legacy name for "Authentication Request Processing - EAC" is "Authentication Request Processing - NAC") 

1c.  Scroll down in the web page and click OK.

1d.  SSH into the NAC appliance and start a tcpdump:

tcpdump -i eth0 -s 0 -w radius.pcap port 1812 or port 1813 or port 3799 or port 389 or port 636

See link in the "Additional Notes" section of this article for more information on tcpdumps:

2. Wait till you see (or reproduce) the issue you are reporting. Note the time of the issue, as this is very important.

3.  Reset the NAC debug levels to defaults by clicking the Reset Defaults button at bottom of  diagnostic screen in WebView.  Stop the tcpdump using "ctrl-c".

4.  Gather the /var/log/tag.log, and /var/log/radius/radius.log from the NAC appliance as well as the pcap from the tcpdump in step 1d. (if including show support past version 8.x will include these files)

5.  Gather the NAC database:  In NAC Manager go to File-> Database-> Backup NAC Configuration. The backup file will be on the NetSight server in the <install_dir>/NetSight/backup directory path. For XMC database download, see How To Backup or Restore NAC / Control Database from Extreme Management Center (XMC)

6.  From OneView go to Administration, Diagnostics, Support, Generate Show Support, Start (at the top). When finished this file will also be on the NetSight server in the given path. See below link for more elaborate instructions:
     How to generate a show support from Oneview

7.  Use WinSCP or other SCP/SFTP client to download the files locally from the NAC and Netsight Servers.

8. In NAC Manager, locate the test End System and export the End System “Events “ for this device to HTML format. 

   To export the End System Events, highlight the End System under the End Systems tab then in the middle “pane” (middle of the NAC Manager screen) under the “End System Events” tab highlight any event      and right click on the event then select Table Tools, Export. ***Please export to HTML format*** 
also see Exporting a client End System Events in Extreme Management Center Control in 8.4
Additional notes
Optionally, you may want to take a trace of the radius packet handshake or others. That can be done using tcpdump as discussed in this article.
NAC Troubleshooting Tips - common tcpdump commands used for isolating issue



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255