Network Access Control

  • 1.  Creating additional radius groups under the LAN Enforcer group

    Posted Jun 26, 2013 11:22 AM

    Hi

    We are experiencing problems when we create additional radius groups under the LAN Enforcer group.

    After we create the second radius group, we assign it to a switch.

    When we save the configuration, on the summary screen of the LAN Enforcer groups we can see the 2 different IP addresses of the 2 radius groups (each containing 1 radius server).

    When we open the LAN Enforcer group configuration again, we see only the first radius group defined. As you can see, in the summary there are two radius servers defined.

    In the server group properties you can see only the first group created (10.40.1.163)... there was the second one called Radius_Proxy_Group_Collaudo, with the server 10.40.1.164, that disappeared! Please see the picture below:

    NAC LAN ENforcer issue.png

    All the switches that were using this radius group were reverted to the only one defined.

    Partner experienced this issue also in other environments.

    Other info on the environment:

    • 2 sites with two SEPM and replication enabled (the issue persists also if we use 1 site without replication!)
    • SEPM 12.1.3
    • NAC Appliances 12.1.2

    Many Thanks,

    Regards,

    _______________________________________________

    Fabio Giorgio
    Technical Account Manager, Symantec Corporation 

    fabio_giorgio@symantec.com

    _______________________________________________



  • 2.  RE: Creating additional radius groups under the LAN Enforcer group

    Posted Jun 27, 2013 04:09 AM

    Quick question, when you say "issue persists also if we use 1 site without replication" does this mean replication was broken and radius group addition attempted, or was this on an entirely different SEP environment?



  • 3.  RE: Creating additional radius groups under the LAN Enforcer group

    Posted Jun 27, 2013 01:12 PM

    Hi,

    I mean that, for this customer, we tried to break replication and we attempted radius group addition (for those LAN Enforcers registered on that SEPM) without success; nevertheless our partner reported this behavior also for other customers with one site configuration without any replication.

    Many thanks,

    Regards,

    Fabio



  • 4.  RE: Creating additional radius groups under the LAN Enforcer group

    Posted Jun 27, 2013 03:25 PM

    Hi

    If we try to export the LAN Enforcer group, we can see both radius groups... but I do not know why, in the console, it disappears soon after we save the configuration.

    The first time the new group had worked for 1 or 2 hours. As soon as we made a change to the Action Table of a switch, we saw that the radius group disappeared, and all the switch policies configured to use that group reverted to the only one still visible.

    If we try to add any new group, it disappears as soon as we add it, but the IP address of the radius server is visible on the summary of the LAN Enforcer group.

    I think it is a database error somewhere. Actually the SNAC is on version 12.1.3, but I saw this random behaviour since the version 11.x.

    When this behaviour starts, sometimes an Unknown Error appears at the bottom of the screen.

    I think there is some procedure that makes some mistake on the DB table related to the LAN Enforcer group configuration, and after that only a DB table cleaning can solve the issue.

    If I do a LAN Enforcer group configuration export, in the XML I can see the other radius group. But I do not know why it is not visible on the console.

    Regards

    Fabrizio

     



  • 5.  RE: Creating additional radius groups under the LAN Enforcer group

    Posted Jul 01, 2013 01:21 PM

    Hi,

    Any comment or suggestion on this issue?

    Many thanks to all.

    Regards,



  • 6.  RE: Creating additional radius groups under the LAN Enforcer group

    Posted Jul 02, 2013 03:48 AM

    I'm afraid this is not something I've encountered myself so I don't know what the issue is.  As has been mentioned, it sounds as if there's an issue with the SEPM correctly displaying/processing the radius group.

    The things that come to mind to investigate (likely to already be covered by support) would be to spin up a new SEPM and restore a backup to it from the current SEPM exhibiting the issues (to see if it is a cosmetic issue).

    Another would be to change the SEPM to running off of a SQL DB, then run some SQL traces to see if there are any DB interaction errors going on (something more for your DBAs if you have them).