
AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication


Userlevel 4
Hello, everybody,

I've experienced the following issue:

1) I've configured identity-management on all switches - it allowed me to get the hostnames and usernames of my Windows machines per port
2) I've found out how to send this data to Netsight>Control>Endpoint - great!
3) But I wanted even more - to get Device Family&Device Type data - and I did - now I see whether my clients are Android, Windows or Mac OS X.

The problem is I don't get data in the User Name column in End-Systems anymore. What happened?

There were no configuration changes in identity-management!

I've also noticed that for some Apple clients I get the following error (below). I am not sure they can connect to the network now( Could I fix it somehow?


Many thanks in advance,
Ilya

15 replies

Userlevel 4
You need to configure DHCP snooping.

br
Volker
Userlevel 4
You need to configure DHCP snooping.

br
Volker
No, it is already configured. Besides the main DHCP server, DHCP requests are sent to both NAC servers too. This in particular allows us to get such data as Device Family and Device Type. I get this data at the moment.

But I've stopped getting data from Identity-Management such as UserName. I have no idea how to get it back(

Identity-Management is an EXOS feature which allows us to snoop Kerberos traffic, which contains such data as hostname and AccountName (AD username).
Userlevel 4
You need to configure DHCP snooping.

br
Volker
Volker, maybe you meant this kind of DHCP snooping?

"enable ip-security dhcp-snooping ports all violation-action none"

Should it be turned on all along the way from the switch to the AD Domain Controller server?

Thank you!
Userlevel 7
You need to configure DHCP snooping.

br
Volker
Here is the link for Extreme search..
https://www.extremenetworks.com/search/

If you search for "dhcp snooping" it's the first link.
Userlevel 2
You need to configure DHCP snooping.

br
Volker
I don't think dhcp snooping will give him usernames.
Userlevel 4
Maybe this is an answer?

"The Identity Manager role-based VLAN feature will not be enabled on Netlogin enabled ports."

from:

https://documentation.extremenetworks.com/exos/EXOS_21_1/Identity_Management/c_configuring-identity-...
Userlevel 4
Maybe this is an answer?

"The Identity Manager role-based VLAN feature will not be enabled on Netlogin enabled ports."

from:

https://documentation.extremenetworks.com/exos/EXOS_21_1/Identity_Management/c_configuring-identity-...

It's not...
Userlevel 7
As mentioned before, I think the best is to either attend the official ExtremeControl class or pay an Extreme partner to configure it for/with you.
Userlevel 4
As mentioned before, I think the best is to either attend the official ExtremeControl class or pay an Extreme partner to configure it for/with you.
This is not fun, Ronald...
Userlevel 7
As mentioned before, I think the best is to either attend the official ExtremeControl class or pay an Extreme partner to configure it for/with you.
Never tried to be funny.
Userlevel 2
What does the 'show identity-management entries' command on the switch show you? If you are getting names there, then maybe something is up with traffic making it to Netsight. Sometimes a reboot of Netsight will set things straight.
Userlevel 4
Hi, Brian,

E28-4.3.1.36 # sh identity-management entries
ID Name/            Flags Port MAC/                VLAN         Role
Domain Name                    IP
--------------------------------------------------------------------------------
0004A32C2139        -m--  4    00:04:a3:2c:21:39   Vlan16(1)    authenticated
                               -- NA --
001E8C18C045        -m--  16   00:1e:8c:18:c0:45   Vlan77(1)    authenticated
                               -- NA --
14DAE9B5215D        -m--  7    14:da:e9:b5:21:5d   Vlan16(1)    authenticated
                               -- NA --
A0B3CC49A2FB        -m--  1    a0:b3:cc:49:a2:fb   Vlan76(1)    authenticated
                               -- NA --
C0A0BB6613BF        -m--  23   c0:a0:bb:66:13:bf   Default(4)   authenticated
                               -- NA --
D884668C1C32        -m--  9    d8:84:66:8c:1c:32   Vlan22(1)    authenticated
                               -- NA --
D884668C1C34        -m--  11   d8:84:66:8c:1c:34   Vlan22(1)    authenticated
                               -- NA --
D884668C1C3C        -m--  13   d8:84:66:8c:1c:3c   Vlan22(1)    authenticated
                               -- NA --
Unknown_3c:F7:A4:>  ----  9    3c:f7:a4:1d:07:b1   Vlan39(1)    unauthentica>
                               10.11.32.180(1)
--------------------------------------------------------------------------------
Flags: k - Kerberos Snooping, l - LLDP Device,
       m - NetLogin MAC-Based, w - NetLogin Web-Based,
       x - NetLogin 802.1X
Legend: > - VLAN / ID Name / Domain / Role Name truncated to column width
        (#) - Total # of associated VLANs/IPs
        -- NA --- No IP or VLAN associated
Total number of entries: 9

E28-4.3.1.37 #

I've checked it. Something prevents Kerberos from being snooped by the switches.

I think I've found the reason (it is just a guess). On the core X670 switch ipmcforwarding was disabled for all VLANs. After I turned it on, I get usernames in the "show identity entries" output and in Netsight from at least one edge switch.
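A way to check the pattern Ilya describes across many switches, as an added example that is not from this thread or from Extreme: a parser for the "show identity-management entries" output that counts how many identities carry the k (Kerberos Snooping) flag, since that flag is what separates a MAC-only NetLogin entry from one that actually holds an AD username. The sample output is constructed in the style of the one quoted above; the jdoe row, port 12, domain EXAMPLE and its addresses are invented.

```python
import re

# Constructed sample modelled on the "show identity-management entries" output
# quoted in this thread; the "jdoe" row is invented to show a Kerberos-snooped
# AD user (flag k) next to the MAC-only rows (flag m) the poster was seeing.
SAMPLE = """\
ID Name/            Flags Port MAC/                VLAN         Role
Domain Name                    IP
--------------------------------------------------------------------------------
0004A32C2139        -m--  4    00:04:a3:2c:21:39   Vlan16(1)    authenticated
                               -- NA --
Unknown_3c:F7:A4:>  ----  9    3c:f7:a4:1d:07:b1   Vlan39(1)    unauthentica>
                               10.11.32.180(1)
jdoe                km--  12   00:11:22:33:44:55   Vlan22(1)    authenticated
EXAMPLE                        10.11.22.50(1)
--------------------------------------------------------------------------------
Flags: k - Kerberos Snooping, l - LLDP Device,
"""

# One identity row: name, four-character flag field, port, MAC, VLAN, role.
ENTRY_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<flags>[-a-z]{4})\s+(?P<port>\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<vlan>\S+)\s+(?P<role>\S+)$")

def parse_entries(text: str) -> list:
    """Parse the two-line records; the second line holds domain and IP."""
    entries, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        domain = ip = None
        cont = lines[i + 1] if i + 1 < len(lines) else ""
        parts = cont.split()
        if "-- NA --" not in cont and parts and not cont.startswith("-"):
            # An indented continuation has no domain column, only the IP.
            domain, ip = (None, parts[0]) if cont.startswith(" ") else (parts[0], parts[-1])
        entries.append({"name": m["name"], "flags": m["flags"], "port": int(m["port"]),
                        "mac": m["mac"], "role": m["role"], "domain": domain, "ip": ip})
    return entries

def kerberos_coverage(entries) -> dict:
    """Count identities learned from Kerberos (AD username) versus MAC only."""
    kerb = sum("k" in e["flags"] for e in entries)
    return {"total": len(entries), "kerberos": kerb,
            "mac_only": sum("m" in e["flags"] and "k" not in e["flags"] for e in entries)}
```

Run it over the saved output of each edge switch; a switch where "kerberos" stays at zero while Windows PCs sit behind its ports is one where Kerberos traffic is not reaching the snooping function.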
Userlevel 6
Hello,

I see that you've been able to get it to work. I just wanted to add that in the first screenshot it looks like there is a misconfiguration in the AAA configuration that is not allowing 802.1x, and that the MAC authenticated session is in a disconnected state.

I do not believe the NAC will perform an end system update if the end system that is being updated does not have an active session. If somehow the active session in NAC had become disconnected and NAC received username information, I don't think we'll populate it due to no active session being found to update.

Thanks
-Ryan
Userlevel 4
Hello,

I see that you've been able to get it to work. I just wanted to add that in the first screenshot it looks like there is a misconfiguration in the AAA configuration that is not allowing 802.1x, and that the MAC authenticated session is in a disconnected state.

I do not believe the NAC will perform an end system update if the end system that is being updated does not have an active session. If somehow the active session in NAC had become disconnected and NAC received username information, I don't think we'll populate it due to no active session being found to update.

Thanks
-Ryan
Hi, Ryan,

actually I've had only very local success. From about 80 Summits I get only 10-20 rows where an AD username was recorded. I can't identify a pattern for why this happens. All Summit configurations are 98% identical. Almost all ports have a Windows PC connected - so THERE IS Kerberos traffic. There should be thousands of records because of 12000+ Windows workstations! It worked two weeks ago (but without OS Type and Version) and I suppose that the customer's admin did something on the X670 core. As usual, he couldn't recall anything( What could it be? ACLs?

Please, share any ideas you have...

Many thanks in advance,

Ilya

This is what I have now:

Userlevel 2
Hello,

I see that you've been able to get it to work. I just wanted to add that in the first screenshot it looks like there is a misconfiguration in the AAA configuration that is not allowing 802.1x, and that the MAC authenticated session is in a disconnected state.

I do not believe the NAC will perform an end system update if the end system that is being updated does not have an active session. If somehow the active session in NAC had become disconnected and NAC received username information, I don't think we'll populate it due to no active session being found to update.

Thanks
-Ryan
If you are archiving backups of the switch configs, I'd look there for changes: compare the recent backup with one from when you were getting the records.
