Wireless Client in captive portal loop using NAC captive portal

Symptoms
  • Wireless client connects to an SSID configured for the NAC captive portal, completes registration, and is redirected back to the registration page, or sees a remediation page.
  • NAC Manager Events tab shows a "Modified end system group" message for the end system that has completed registration.
  • NAC Appliance Events tab shows "Reauthentication Completed".
  • NAC Manager End Systems view shows that the client has received an authorization policy that does not exist on the authenticating wireless controller.
Environment
  • NetSight Suite
  • NetSight NAC - All Versions
  • Extreme Identifi Wireless Controller Version 9.x
  • NAC authenticated registration portal configured
  • Third party Wireless Controllers supporting CoA
Cause
The authorization policy that the NAC rules engine selects once registration has completed does not exist on the wireless controller. If the authorization policy that NAC sends back to the wireless controller is not configured as a role on the Identifi Wireless Controller, the controller applies the Default Non-Authenticated Policy configured in the VNS to the client instead. In this case the Default Non-Authenticated Policy was "Unregistered", which triggers the redirection mechanism, so the already-registered client is sent back to the NAC captive portal.
Resolution
  1. Check the NAC rules engine to verify that the client is hitting the rule configured for its use.
  • In this case the client was falling through the rule designed to allow staff access based on LDAP end system mapping, because the user did not belong to the correct staff memberOf group.
  • The username was added to the correct memberOf Active Directory groups, and the client was run through the registration process again.
  2. If the NAC rules engine is verified to be hitting the correct rule and assigning the correct authorization policy, create that policy on the Identifi Wireless Controller:
  • Log in to the Identifi Wireless Controller.
  • Configure a role with exactly the same name as the authorization policy used in NAC Manager, keeping in mind that the role name is case sensitive.
  • Re-run the test client through registration.
  3. The OID configured for the non-Extreme device in the Reauthentication tab is not correct. See How to enable CoA (Change of Authorization); a different OID may need to be selected:
  • Right-click the NAC appliance -> select WebView -> Status -> Switches and Routers.
  • Check Switch Dynamic Information -> SysObjectID. This OID may need to be added, or may need to replace the OID for the device currently configured in the Reauthentication tab in NAC Manager.
Additional notes
This symptom can also be seen if the time on the wireless controller and the NAC/Control appliance is not within ~5 minutes of each other. See NAC End Systems Hung in Captive Portal.
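Added example (not from the article or from Extreme Networks): a pre-flight check for the two conditions the article describes. It compares the authorization policy names NAC can assign against the roles configured on the controller, case-sensitively as the controller does, and flags anything that would fall back to the default non-authenticated policy, and it checks clock skew against the ~5 minute tolerance. The role and policy lists and timestamps are constructed sample data; in practice they would be exported from NAC Manager and the controller.

```python
from datetime import datetime, timedelta

# Constructed sample data, not from a real deployment: roles configured on
# the wireless controller and policies the NAC rules engine can hand back.
CONTROLLER_ROLES = ["Unregistered", "Guest Access", "staff"]
NAC_POLICIES = ["Staff", "Guest Access", "Enterprise User"]
DEFAULT_NON_AUTH_POLICY = "Unregistered"   # the redirect role in the article
MAX_SKEW = timedelta(minutes=5)            # tolerance stated in the article


def check_policies(nac_policies, controller_roles, default_policy):
    """Map each NAC policy name to a finding.

    The controller matches role names case-sensitively, so only an exact
    match is "ok". A policy that differs only in case is reported as such
    because it is the easiest mistake to miss; any other miss means the
    client gets the default non-authenticated policy, and when that policy
    is the redirect role the client loops back to the captive portal.
    """
    exact = set(controller_roles)
    by_lower = {r.lower(): r for r in controller_roles}
    findings = {}
    for policy in nac_policies:
        if policy in exact:
            findings[policy] = "ok"
        elif policy.lower() in by_lower:
            findings[policy] = (f"case mismatch: controller role is "
                                f"'{by_lower[policy.lower()]}'")
        else:
            findings[policy] = (f"missing: client would receive "
                                f"'{default_policy}'")
    return findings


def clock_skew_ok(controller_time_iso, nac_time_iso, max_skew=MAX_SKEW):
    """True when the two ISO-8601 timestamps are within the tolerated skew."""
    controller = datetime.fromisoformat(controller_time_iso)
    nac = datetime.fromisoformat(nac_time_iso)
    return abs(controller - nac) <= max_skew


if __name__ == "__main__":
    for policy, finding in check_policies(NAC_POLICIES, CONTROLLER_ROLES,
                                          DEFAULT_NON_AUTH_POLICY).items():
        print(f"{policy!r}: {finding}")
    print("clock skew ok:",
          clock_skew_ok("2024-01-01T12:00:00", "2024-01-01T12:07:00"))
```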