The Extreme Networks Wireless WLAN supports integration with a NAC (Network Admission Control) Gateway. The NAC Gateway can provide your network with authentication, registration, assessment, remediation, and access control for mobile users.
NAC Gateway integration with Wireless WLAN supports SSID VNSs when used in conjunction with MAC-based external captive portal authentication.
WLAN and NAC Integration with External Captive Portal Authentication depicts the topology and workflow relationship between Wireless WLAN that is configured for external captive portal and a NAC Gateway. With this configuration, the NAC Gateway acts like a RADIUS proxy server. An alternative is to configure the NAC Gateway to perform MAC-based authentication itself, using its own database of MAC addresses and permissions. For more information, see Creating a NAC VNS Using the VNS Wizard.
1 | The client laptop connects to the AP. The AP determines that authentication is required, and sends an association request to the appliance. |
2 | The appliance forwards to the NAC Gateway an access-request message for the client laptop, which is identified by its MAC address. The NAC Gateway forwards the access-request to the RADIUS server. The NAC Gateway acts like a RADIUS proxy server. |
3 | The RADIUS server evaluates the access-request and sends an AccessAccept message back to the NAC. The NAC receives the access-accept packet. Using its local database, the NAC determines the correct role to apply to this client laptop and updates the access-accept packet with the role assignment. The updated AccessAccept message is forwarded to the appliance and AP. Note: RADIUS servers with captive portal and EAP authentication can be tested for connectivity using the radtest command. For more information, see the ExtremeWireless CLI Guide. |
4 | The appliance and the AP apply the role to the client laptop accordingly. The appliance assigns a set of filters to the client laptop's session and the AP allows the client laptop access to the network. |
5 | The client laptop interacts with a DHCP (Dynamic Host Configuration Protocol) server to obtain an IP address. |
6 | Eventually the client laptop uses its web browser to access a website. |
7 | When the NAC determines that the client laptop is ready for a different role assignment, it sends a 'disconnect message' (RFC 3576) to the appliance. When the appliance receives the 'disconnect message' sent by the NAC, the appliance terminates the session for the client laptop. The appliance forwards the command to terminate the client laptop's session to the AP, which disconnects the client laptop. |
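
Step 3 of the workflow, sketched in Python as an added example (not Extreme Networks code): a proxy verifies the RADIUS server's Access-Accept, appends a role attribute from a local MAC database, and recomputes the Response Authenticator for the appliance-side hop as RFC 2865 defines it. Carrying the role in Filter-Id, the `ROLE_DB` contents, the default role and all function names are assumptions made for illustration.

```python
import hashlib, hmac, struct

ACCESS_ACCEPT = 2
FILTER_ID = 11                  # assumption: the role travels in Filter-Id (RFC 2865)
DEFAULT_ROLE = "Unregistered"   # hypothetical fallback role
ROLE_DB = {"00-11-22-33-44-55": "Quarantine"}   # constructed MAC -> role database

def response_auth(code, ident, req_auth, attrs, secret):
    """RFC 2865: MD5(Code | ID | Length | Request Authenticator | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_accept(ident, req_auth, attrs, secret):
    """Serialize an Access-Accept signed for one RADIUS hop."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + response_auth(ACCESS_ACCEPT, ident, req_auth, attrs, secret) + attrs

def attributes(packet):
    """Return the packet's attributes as (type, value) pairs; reject bad TLVs."""
    length = struct.unpack("!H", packet[2:4])[0]
    out, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        out.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return out

def add_role(packet, mac, srv_req_auth, srv_secret, ap_ident, ap_req_auth, ap_secret):
    """Verify the server's Access-Accept, append the role, re-sign for the appliance."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:length]
    # The reply is trusted only if it was signed with the server-side shared secret.
    expected = response_auth(code, ident, srv_req_auth, attrs, srv_secret)
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator mismatch")
    attributes(packet[:length])   # refuse to forward malformed attributes
    role = ROLE_DB.get(mac, DEFAULT_ROLE).encode()
    attrs += bytes([FILTER_ID, 2 + len(role)]) + role
    # Adding an attribute changes Length and Attributes, so the authenticator
    # must be recomputed with the appliance-side request and secret.
    return build_accept(ap_ident, ap_req_auth, attrs, ap_secret)
```

Because the authenticator covers the attributes and the per-hop shared secret, an Access-Accept whose role attribute was altered without that secret fails the same check on the appliance side.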