NAC Manager and Extreme Access Control Troubleshooting


The following sections provide information on tools used when troubleshooting NAC Manager and Extreme Access Control engine issues.

NAC Manager Event Logging

The Event View at the bottom of the NAC Manager main window displays error and informational messages about NAC Manager operations and provides information on end-systems attempting to connect to the network through an Access Control engine.

NAC Manager Event View

There are four tabs:

  • NAC Manager Events – This tab displays error and informational messages about NAC Manager system operations, including configuration changes and enforce operations.

    Use this tab when trying to locate forensic information such as when and who made changes to the Access Control configuration, and when and for how long communication with an Access Control engine was lost. This event log also captures NAC Manager functional and security-related warnings that the system issues when auditing its own configuration, as well as events tied to data persistence checks, including which end-systems were removed and when.

    Important system notification messages are also logged here, including when new agent-less assessment updates are available and when certain system default credentials should be changed.
  • End-Systems Activity – This tab provides information on all the end-systems that have attempted to connect to the network. It displays all end-system activity since the client was launched.
  • NAC Appliance Events – This tab provides information on Access Control engine system events including RADIUS configuration success or failure, completed reauthentications, and management logins (such as Telnet or SSH configured for external authentication). The event log displays engine activity since the NAC Manager client was launched and like NAC Manager Events, is an excellent source for historical information when performing a forensic investigation of a recent event.
  • Audit Events – This tab provides information on Access Control Registration events such as when a device or user is added during the registration process, or an end-system is added, removed, or updated via the registration administration web page. It displays all registration activity since the client was launched.

For more information, see the Event View Help topic in the NAC Manager user guide.

Extreme Access Control Engine Real-time Status

Use the following tools to monitor Extreme Access Control engine real-time statistics, as well as view diagnostic information in the Access Control engine Administration Web Page (WebView), and Access Control information in the Extreme Management Center Administration tab.

NAC Appliances Tab

The NAC Appliances tab provides CPU and memory utilization statistics for all your Access Control engines. The CPU Load column shows the percentage of the engine's CPU that is currently being used. This value gives you an indication of how busy the engine is and helps you determine if your network needs additional engines, or if you need to change your network configuration so that the load is more evenly distributed among your existing engines.

NAC Appliances Tab

In addition to the information in the table, you can launch two FlexViews with CPU, memory, and disk utilization information from the right-click menu off one or more engine in the NAC Appliances tab.

Launch the CPU Utilization View (Host Processor Load FlexView).

Host Processor Load FlexView

Launch the Memory and Diskspace Utilization View (Host Storage FlexView).

Host Storage FlexView

Access Control Engine Administration Web Page (WebView)

To access status and diagnostic information for an individual Access Control engine, launch WebView by right-clicking on an Access Control engine in the left-panel tree, as shown below. (You can also access the administration web page directly using the following URL: https://<Access Control engine IP>:8444/Admin.)

The default user name and password for access to this web page is "admin/Extreme@pp." The username and password can be changed in NAC Manager using the Advanced Configuration window (available from the Tools menu > Manage Advanced Configurations) and selecting the Engine Settings > Miscellaneous Tab > Web Service Credentials field.

Launch WebView

The Home web page provides resource details such as current CPU and memory usage. Status details provide a Current and Maximum counter for many critical functions. Excessive authentication requests or failures are easily identified, including when the Max Reached value occurred. This helps to identify the severity of a current problem or match information with prior events when performing a forensic review.

  NOTE: Memory usage is normally close to 100% to allow for better performance.

Engine Administration Web Page

For more information, see the Access Control Engine Administration Web Page section of the Access Control Deployment Guide, which is in the NAC Manager user guide.

Extreme Access Control Switches and Routers

When troubleshooting issues involving authentication, IP resolution, reauthentication, and similar functions, the Switches & Routers page within WebView provides a variety of useful real-time data.

At the top, current and historical information is displayed on a per-switch basis. This provides insight into problems such as a single switch flooding the network with authentication requests, as well as comparative data that can be used to spot abnormalities such as a switch with a limited number of active end-systems showing an excessive number of authentications over the last month.

The Switch Configuration section is an overview of all switches assigned to the Access Control engine, the RADIUS response attributes they are configured for, and the SNMP credential the Access Control engine is using to communicate with each switch. Use this information to verify that the Access Control engine is using the current SNMP credentials to contact the switch; if it is not, the Switch Dynamic Information section shows the SNMP Contact for that switch as Contact Lost.

Also listed here, although perhaps more useful to support technicians, are the various workers assigned to each switch. These are determined during the switch discovery process and specify how the Access Control engine performs functions such as reauthenticating an end-system using RFC 3576 or Toggle Link. Note that SNMP Contact reflects reachability from the Access Control engine to the switch, which may differ from reachability between Management Center Console and the switch.

Engine Administration Web Page

Extreme Management Center Administration - Identity and Access

The Administration tab in Management Center has an Identity and Access section that provides detailed diagnostic and statistical information pertaining to advanced Access Control functions. Information on web service calls, events, and distributed cache can be reviewed for signs of unexpected or failing processes.

Most of the information is useful to Engineering and Support technicians. More information is available under System-Wide Management Center Server Diagnostics in the Management Center Troubleshooting section of the Management Center Technical Reference.

Administration Tab

Extreme Access Control Status

The NAC Status option (previously available from the NAC Appliances tab) has been updated and replaced by the Management Center Show Support functionality described in the Management Center Troubleshooting section of the Management Center Technical Reference.

The nacstatus command is still available from the Access Control engine CLI and can be executed to provide detailed data regarding the Access Control engine. However, the Show Support function is the recommended data collection vehicle, as it provides a comprehensive look into both the operation of the server as well as all active Access Control engines.

End-System Troubleshooting

Use the following tools to monitor and troubleshoot end-system issues in NAC Manager.

End-System Events in NAC Manager

Troubleshooting specific end-system issues starts with end-system events. Events provide time-stamped logs of when specific events occurred. It is helpful to correlate these events with diagnostic log data.

NAC Manager End-Systems Tab

Engine End-System Diagnostics

To access end-system diagnostic information for a specific Access Control engine, launch the Access Control engine administration web page by right-clicking on an Access Control engine in the left-panel tree and selecting WebView, as shown below. (You can also access the administration web page directly using the following URL: https://<Access Control engine IP>:8444/Admin.)

The default user name and password for access to this web page is "admin/Extreme@pp." The username and password can be changed in NAC Manager using the Advanced Configuration window (available from the Tools menu > Manage Advanced Configurations) and selecting the Engine Settings > Miscellaneous Tab > Web Service Credentials field.

Launch WebView

Expand the Diagnostics folder and select End System Diagnostics. Enable diagnostics for both MAC and IP address.

Targeting diagnostics for a specific end-system enables a majority of the debug diagnostics available on a global level, but only for the specific end-system. Therefore, diagnostics can be enabled for an extended period of time without the concern of generating the excessive log files that are possible when global diagnostics are enabled.

The log data is saved to the same location as the global diagnostics, the /var/log/tag.log file on the Access Control engine. When diagnostics are enabled for an end-system, an entry is written to tag.log that marks the point in the log from which to start a review, for example:

2013-09-13 14:51:20,783 INFO [ESD] Enabling verbose diagnostics for MAC: 00-18-8B-D6-E6-0C

2013-09-13 14:51:38,195 INFO [ESD] Enabling verbose diagnostics for IP: 10.20.87.100
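Because targeted diagnostics stay enabled for a long time, tag.log can grow well beyond the portion that concerns the end-system under investigation. The following script is an added example (not part of this guide or of the Access Control engine software): it locates the [ESD] marker entries in the format shown above, records the MAC and IP being traced, and then pulls out only the later entries that mention that MAC (in either separator style or case) or that exact IP. The two [ESD] lines in the embedded sample are in the page's format; every other sample line, and the component names in brackets, are constructed placeholders and do not represent real engine output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of /var/log/tag.log. Only the two "[ESD] Enabling verbose
# diagnostics" lines follow the format documented on the page; the rest are
# placeholders invented for this example.
SAMPLE_TAG_LOG = """\
2013-09-13 14:50:02,110 INFO [Engine] startup complete (constructed line)
2013-09-13 14:51:20,783 INFO [ESD] Enabling verbose diagnostics for MAC: 00-18-8B-D6-E6-0C
2013-09-13 14:51:38,195 INFO [ESD] Enabling verbose diagnostics for IP: 10.20.87.100
2013-09-13 14:52:01,004 DEBUG [Radius] request from 00:18:8b:d6:e6:0c on switch 10.20.1.5 (constructed line)
2013-09-13 14:52:01,220 DEBUG [Radius] request from AA-BB-CC-00-11-22 on switch 10.20.1.5 (constructed line)
2013-09-13 14:52:03,512 DEBUG [IPResolution] resolved 00-18-8B-D6-E6-0C to 10.20.87.100 (constructed line)
2013-09-13 14:52:07,900 WARN [Reauth] reauthentication timeout for 10.20.87.100 (constructed line)
"""

# "<date> <time>,<millis> <LEVEL> [<component>] <message>", as in the page's examples
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\w+) \[([^\]]+)\] (.*)$"
)
MARKER_RE = re.compile(r"Enabling verbose diagnostics for (MAC|IP): (\S+)")


@dataclass
class LogEntry:
    lineno: int
    timestamp: str
    level: str
    component: str
    message: str


def parse_tag_log(text: str) -> List[LogEntry]:
    """Parse every well-formed line; lines that do not match the layout are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if m:
            entries.append(LogEntry(lineno, *m.groups()))
    return entries


def normalize_mac(text: str) -> str:
    """Upper-case and use '-' separators so 00:18:8b:... matches 00-18-8B-...."""
    return text.upper().replace(":", "-")


def find_diagnostic_targets(entries: List[LogEntry]) -> Tuple[Optional[str], Optional[str], Optional[int]]:
    """Return (mac, ip, line number of the first [ESD] marker) from the marker entries."""
    mac = ip = None
    start = None
    for e in entries:
        if e.component != "ESD":
            continue
        m = MARKER_RE.search(e.message)
        if not m:
            continue
        kind, value = m.groups()
        if start is None:
            start = e.lineno
        if kind == "MAC":
            mac = normalize_mac(value)
        else:
            ip = value
    return mac, ip, start


def extract_end_system_entries(entries: List[LogEntry], mac: Optional[str],
                               ip: Optional[str], start: int) -> List[LogEntry]:
    """Entries after the marker that mention the traced MAC or the exact traced IP."""
    # Anchor the IP so 10.20.87.100 does not match 10.20.87.1001 or 110.20.87.100
    ip_re = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])") if ip else None
    out = []
    for e in entries:
        if e.lineno <= start or e.component == "ESD":
            continue
        if (mac and mac in normalize_mac(e.message)) or (ip_re and ip_re.search(e.message)):
            out.append(e)
    return out


if __name__ == "__main__":
    entries = parse_tag_log(SAMPLE_TAG_LOG)
    mac, ip, start = find_diagnostic_targets(entries)
    print(f"diagnostics enabled at line {start} for MAC={mac} IP={ip}")
    for e in extract_end_system_entries(entries, mac, ip, start):
        print(f"{e.lineno:>5} {e.timestamp} {e.level:<5} [{e.component}] {e.message}")
```

To use it against a real engine, replace SAMPLE_TAG_LOG with the contents of /var/log/tag.log copied off the engine; the marker search only depends on the [ESD] line format shown above. Entries about other end-systems on the same switch (the second RADIUS line in the sample) are dropped, which is what keeps a long-running trace reviewable.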

Engine End-System Diagnostics

End-System Diagnostic Information

There are a variety of end-system troubleshooting tools available in NAC Manager by right-clicking on an end-system.

Launch End-System Diagnostic Tools

  • Configuration Evaluation Tool - Test the rules defined in your NAC Configuration in order to determine what behavior an end-system will encounter when it is authenticated on an Access Control engine.
  • Port Monitor - View detailed port and switch status information for the selected end-system including: information from interface statistics, CoS and authentication information, the Reauth Interval and Quiet Period, the interface PVID, and errors on the port.
  • PortView - View a variety of detailed port information and statistics presented in a network topology view. PortView displays the end-system in a graphical view based on how it connects to the network. From here, tabs are available that provide interface statistics, switch resource data, detailed Access Control end-system information, as well as NetFlow data, if enabled. A right-click on the switch opens menu options to drill into more specific switch-related data. For wireless end-systems, a Real Capture can be launched from this view providing real-time packet capture of end-system communications.
  • Telnet to Switch - Launches a Telnet session to the switch the end-system is connected to.
  • SSH to Switch - Launches a Secure Shell (SSH) session to the switch the end-system is connected to.
  • Ping End-System - Open a window where you can ping the end-system to determine if it can be contacted. You can view the results of the ping in the log in the window. You can also click Clear to enter another IP address or host name, if you wish.

06/2017
7.1 Revision -00
Contents Subject to Change Without Notice