NAC Integration with the Wireless WLAN

The Extreme Networks Wireless WLAN supports integration with a NAC (Network Admission Control) Gateway. The NAC Gateway can provide your network with authentication, registration, assessment, remediation, and access control for mobile users.

NAC Gateway integration with Wireless WLAN supports SSID VNSs when used in conjunction with MAC-based external captive portal authentication.

WLAN and NAC Integration with External Captive Portal Authentication depicts the topology and workflow relationship between Wireless WLAN that is configured for external captive portal and a NAC Gateway. With this configuration, the NAC Gateway acts like a RADIUS proxy server. An alternative is to configure the NAC Gateway to perform MAC-based authentication itself, using its own database of MAC addresses and permissions. For more information, see Creating a NAC VNS Using the VNS Wizard.

Click to expand in new window
WLAN and NAC Integration with External Captive Portal Authentication
Graphics/NAC_integration.png
1 The client laptop connects to the AP.

The AP determines that authentication is required, and sends an association request to the appliance.

2 The appliance forwards to the NAC Gateway an access-request message for the client laptop, which is identified by its MAC address.

The NAC Gateway forwards the access-request to the RADIUS server. The NAC Gateway acts like a RADIUS proxy server.

3 The RADIUS server evaluates the access-request and sends an Access­Accept message back to the NAC.
Note

Note

RADIUS servers with captive portal and EAP authentication can be tested for connectivity using the radtest command. For more information, see the ExtremeWireless CLI Guide.

The NAC receives the access-accept packet. Using its local database, the NAC determines the correct role to apply to this client laptop and updates the access-accept packet with the role assignment. The updated Access­Accept message is forwarded to the appliance and AP.

4 The appliance and the AP apply role against the client laptop accordingly. The appliance assigns a set of filters to the client laptop‘s session and the AP allows the client laptop access to the network.
5 The client laptop interacts with a DHCP (Dynamic Host Configuration Protocol) server to obtain an IP address.
6 Eventually the client laptop uses its web browser to access a website.
  • The appliance determines that the target website is blocked and that the client laptop still requires authentication.
  • The appliance sends an HTTP redirect to the client laptop‘s browser. The redirect sends the browser to the web server on the NAC Gateway.
  • The NAC displays an appropriate web page in the client laptop‘s browser. The contents of the page depend on the current role assignment (enterprise, remediation, assessing, quarantine, or unregistered) for the MAC address.
7 When the NAC determines that the client laptop is ready for a different role assignment, it sends a ‘disconnect message‘ (RFC 3576) to the appliance.

When the appliance receives the ‘disconnect message‘ sent by the NAC, the appliance terminates the session for the client laptop.

The appliance forwards the command to terminate the client laptop‘s session to the AP, which disconnects the client laptop.