11-18-2015 12:57 PM
Hope you are all well.
One of my clients has an issue with registering newer Mac devices via his NAC product.
They do not use Aruba ClearPass; they use Bradford Network Sentry as their NAC product. The issue they have is that newer versions of Mac OS, i.e. Yosemite and El Capitan, are not connecting back to the SSID. Here is what happens:
- Device connects to their pre-shared key SSID, which is managed by Bradford NAC product
- They get the registration page and they input their username and password
- Device then registers and scans using the page and passes.
- Gets the page where it says your connection is being reconfigured
- Bradford Network Sentry product logs in to the controller and blacklists the device for 15 secs
- It then re-logs in and un-blacklists the device from the Aruba controller.
It is at this point that versions of El Capitan or Yosemite do not play ball: their network connection just times out in registration and they do not automatically get switched to remediation or production.
If you leave the device it just assigns itself a self signed address, so for the user to actually get an IP address in production or remediation they have to turn their WiFi off for 15 secs, and they then get an IP address.
The same process that I have listed above works for older Macs and Windows and has done for years.
Here is what we see from Bradford NAC product:
2015/11/13 16:18:33.046 RadiusPollThread2 RadiusServer accepting client 3c:15:c2:d6:41:e0 for device 10.1.1.100 and policy registration ptime=0:1:4:4:4:15
2015/11/13 16:19:51.212 RadiusPollThread2 RadiusServer accepting client 3c:15:c2:d6:41:e0 for device 10.1.1.100 and policy registration ptime=0:1:7:7:7:17
Successful Registration of device, Test 172.16.4.49 3C:15:C2:D6:41:E0
We see in the Bradford Network Sentry logs that there is no RADIUS request coming in after registration, so there is no assignment via RADIUS. The assignment only comes when you have disconnected and reconnected the device.
This proves that it is more of a client connectivity problem than a NAC problem. I have tried to run debug on a device, but the debug does not show any information, please see:
Facility Level Debug Value Sub Category Process
-------- ----- ----------- ------------ -------
user-debug debugging 3c:15:2c:d6:41:e0 N/A N/A
#show log all | include 3c:15:2c:d6:41:e0
Has anybody else had these problems with debugging or connecting via other NAC products?
If anyone has any other ideas that would be very helpful.
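One way to spot the stuck clients in the Network Sentry log itself, as an added example that is not part of the post and not a Bradford or Aruba tool: parse the two line shapes quoted above and flag every MAC whose "Successful Registration" is not followed by a RADIUS accept for a non-registration policy within a window. The line formats, the timestamp prefix on the registration line, and the sample log are assumptions constructed from the post.

```python
import re
from datetime import datetime, timedelta

# Line shapes are assumed from the two kinds of lines quoted in the post; the
# timestamp prefix on the "Successful Registration" line is also an assumption.
TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
ACCEPT_RE = re.compile(TS + r" \S+ RadiusServer accepting client (?P<mac>[0-9A-Fa-f:]{17})"
                       r" for device \S+ and policy (?P<policy>\S+)")
REG_RE = re.compile(TS + r" Successful Registration of device, \S+ \S+ (?P<mac>[0-9A-Fa-f:]{17})")

def parse_events(lines):
    """Yield (time, mac, kind, policy) for the lines we understand; skip the rest.
    MACs are lower-cased because the two line types print them in different case."""
    for line in lines:
        m = ACCEPT_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"), m["mac"].lower(), "accept", m["policy"])
            continue
        m = REG_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"), m["mac"].lower(), "registered", None)

def stuck_after_registration(lines, window=timedelta(seconds=60)):
    """MACs that registered but produced no RADIUS accept for a non-registration
    policy within `window`: clients that never came back after the
    blacklist / un-blacklist cycle, so were never moved to production or remediation."""
    events = sorted(parse_events(lines), key=lambda e: e[0])
    stuck = []
    for i, (t_reg, mac, kind, _) in enumerate(events):
        if kind != "registered":
            continue
        followed_up = any(m == mac and k == "accept" and pol != "registration" and t - t_reg <= window
                          for t, m, k, pol in events[i + 1:])
        if not followed_up:
            stuck.append(mac)
    return stuck

# Constructed sample log: the post's MAC never comes back after registering; a
# second, made-up client is re-accepted into production 20 s after registering.
SAMPLE_LOG = """\
2015/11/13 16:18:33.046 RadiusPollThread2 RadiusServer accepting client 3c:15:c2:d6:41:e0 for device 10.1.1.100 and policy registration ptime=0:1:4:4:4:15
2015/11/13 16:19:51.212 RadiusPollThread2 RadiusServer accepting client 3c:15:c2:d6:41:e0 for device 10.1.1.100 and policy registration ptime=0:1:7:7:7:17
2015/11/13 16:20:05.000 Successful Registration of device, Test 172.16.4.49 3C:15:C2:D6:41:E0
2015/11/13 16:21:10.500 RadiusPollThread1 RadiusServer accepting client aa:bb:cc:00:11:22 for device 10.1.1.101 and policy registration ptime=0:1:3:3:3:12
2015/11/13 16:21:40.000 Successful Registration of device, Test 172.16.4.50 AA:BB:CC:00:11:22
2015/11/13 16:22:00.000 RadiusPollThread1 RadiusServer accepting client aa:bb:cc:00:11:22 for device 10.1.1.101 and policy production ptime=0:1:2:2:2:9
""".splitlines()

if __name__ == "__main__":
    print(stuck_after_registration(SAMPLE_LOG))  # ['3c:15:c2:d6:41:e0']
```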