4.5.8. Troubleshooting
The following diagram displays the flow to follow when identifying problems in the BYOD Wired Workflow:

As shown, the MAB authentication performed by the network device is the first action when the user device connects to the network.
Since this is the user’s first time connecting, the policy evaluation determines that they should be placed in the “REGISTRATION” VLAN.
To verify RADIUS authentication (MAB):
tail -100f /var/log/radius/radius.log
Alternatively, use the raddtest command for more detailed debugging.
To confirm that the policy evaluation is correct, check the poleval log:
tail -100f /var/log/opennac/opennac-poleval.log
When the user attempts to access a website, the poisoned DNS server will redirect them to the captive portal. To verify DNS (if using ON Core):
To check whether the user device has connectivity with OpenNAC Enterprise:
tcpdump -Nnl -i eth0 host <IP HOST>
To verify if dnsmasq is listening:
netstat -anp | grep 5
At this point, the user can complete the Captive Portal process.
If issues arise at this stage, review the following logs:
Captive Portal log:
tail -100f /var/log/opennac/opennac-captive.log
Note
Remember to check this log on the machine where the Captive Portal is installed.
If there are problems with user authentication, verify connectivity with the AD by using:
ntlm_auth --request-nt-key --domain=MYCOMPANY --username=testUser
API log:
tail -100f /var/log/opennac/opennac-api.log
Once the Captive Portal workflow is completed, a session re-evaluation will be performed, and the device should be moved to the appropriate VLAN.
For re-evaluation, a TogglePort will be executed. Review the log for this process:
tail -100f /var/log/opennac/opennac-queues.log
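
The checks above follow the device through the workflow in order, so the first log with no entry for the device shows where the workflow stopped. The script below is an added example, not part of the OpenNAC Enterprise documentation or tooling. It assumes each log mentions the device's MAC address in some common notation; first_silent_stage, norm_mac and the ROOT and LINES parameters are hypothetical names.

```sh
#!/bin/sh
# Added example: walk the workflow's logs in order and report the first stage
# that has no entry for a given device.
# Assumption: a log line that concerns a device contains its MAC address;
# the log formats themselves are not shown in this section.

# Stages in workflow order, "name:path" (paths as listed in this section).
STAGES="radius:/var/log/radius/radius.log
poleval:/var/log/opennac/opennac-poleval.log
captive:/var/log/opennac/opennac-captive.log
api:/var/log/opennac/opennac-api.log
queues:/var/log/opennac/opennac-queues.log"

# Strip separators and lower-case, so aa:bb:.., AA-BB-.. and aabb.ccdd.. compare equal.
norm_mac() { printf '%s' "$1" | tr -d ':.-' | tr 'A-Z' 'a-z'; }

# first_silent_stage MAC [ROOT] [LINES]
# Prints the first stage whose last LINES log lines do not mention MAC, or
# "none" when every stage saw the device. ROOT prefixes the log paths so the
# function can run against logs copied from another machine (the Captive
# Portal log lives on the machine where the Captive Portal is installed).
first_silent_stage() {
    mac=$(norm_mac "$1"); root=${2:-}; lines=${3:-5000}
    for entry in $STAGES; do
        stage=${entry%%:*}; path=$root${entry#*:}
        if [ ! -r "$path" ]; then
            echo "$stage (log not readable: $path)"; return 0
        fi
        # Normalise the log text the same way as the MAC before matching.
        if ! tail -n "$lines" "$path" | tr -d ':.-' | tr 'A-Z' 'a-z' | grep -qF "$mac"; then
            echo "$stage"; return 0
        fi
    done
    echo "none"
}

# Run directly as: ./stage_check.sh <MAC> [ROOT] [LINES]
if [ "$#" -gt 0 ]; then first_silent_stage "$@"; fi
```

A result of "radius" points at the MAB step, "poleval" at policy evaluation, "captive" or "api" at the Captive Portal process, and "queues" at the TogglePort re-evaluation.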