X460-G2 & Policy Manager: End User Sessions Username missing


Userlevel 4
Hi Guys,

I'm playing with EXOS 16.1, X460-G2 and Policy Manager / NAC ( NetSight 6.3) in my LAB and I found something odd.

When a user authenticates to any port of the X460-G2, in the Policy Manager Network Elements Tab -> Port Usage -> End User Sessions the Username shows as N/A (as Session ID).

In the old RED gear, it shows as expected but not on the new gear.

Looking at the X460-G2 console, using a "show netlogin" the username is there...

When I added the switch to NAC Manager, it shows up the username with no problems.

I have customers with large B5's installed base, and some will now start using X450-G2/X460-G2, and many have no NAC, and use PM to find the username authenticated at ports.

Any ideas? Something still missing in this version?

Best regards,

-Leo

13 replies

Userlevel 4
Hello guys,

It's about 10 months and no answer... Any info?

Now I'm deploying a PoC with X460G2 on a customer large B5 installed base (XOS 21 and ECC 7) and the Username is still not showing up...

Best regards,

-Leo
Userlevel 4
Hi guys,

Any news?

Best regards,

-Leo
Userlevel 6
Wow...sorry this one has fallen through the cracks Leo.

We'll make sure we get you a response here.
Userlevel 6
Leo,

I think you need to enable identity management (IDM) with Kerberos snooping on the switch in order to get any username information without NAC. I believe Netsight only looks at IDM data and not netlogin data.

Here is a KCS article on how to set up IDM with Netsight and NAC. It should give you the configurations to use for a non-NAC deployment.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configured-Identity-Management-for-...

User guide link as well:
http://documentation.extremenetworks.com/exos/EXOS_21_1/Identity_Management/c_configuring-identity-m...

Let me know if you get it working.

Stephen
Userlevel 4
Hi Stephen,

I've tried following the guide but it's still not working (on "OneView" or PM).

Any ideas?

Best regards,

-Leo
Userlevel 6
Leonardo,

Thanks for being very patient. I have created a new article just for your situation. Go through it and let me know if it worked for you.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-use-EXOS-and-IDM-to-see-end-systems...

Stephen
Userlevel 7
Hi Stephen,

I think there is a typo regarding the SSH module in the article. You wrote:
EXOS 16.2 and 21.1 and older have SSH already installed.

Should it not be EXOS 16.2 and 21.1 and newer have SSH already installed?

Thanks,
Erik
Userlevel 6
Thanks, good catch! It's fixed now.
Userlevel 4
Hi Stephen,

Thanks for the guide...

I've double-checked the config I've created with your guide and it looks the same, but I'm still missing something...

The "show xml-notification statistics" is showing a "Connection Status: fail"...

The configured user for xml-notifications can access the Oneview interface.

Something that can be relevant: the customer's Netsight install doesn't have a valid certificate (Netsight auto-generated cert) configured to accept all certs (server and client).

Any ideas?

Best regards
Userlevel 6
You can try going to the XML URL in your PC browser and see if you can log in with that user.

https://x.x.x.x:8443/axis/services/event

You will see a page like this:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
The endpoint reference (EPR) for the Operation not found is /axis/services/event and the WSA Action = null
Userlevel 4
I've already tried this tip, and was able to log in, but got a "500 Internal Server Error" on Internet Explorer.

(I couldn't try with another browser, because of the customer's security policy).

Enabling the Verbose logging for OneView Web Applications, I can see a lot of logs, all coming from the Wireless Controllers, but nothing from the switch.

Maybe we have some Netsight server problem?

Best regards,

-Leo
Userlevel 6
I got the same thing when using IE. If the password was wrong you would get a 401 message.

Did you make sure you selected the correct VR when setting up the XML notifications?
Userlevel 4
Hi Stephen,

I got back to this issue now, because our long-term EOS customer started to refresh the old gear for X440-G2.

The same issue arises as happened in my lab... The xml-notification can't connect to the EMC (using the guide posted at the gtacknowledge)... The customer is running EMC 7.1.2.12 and EXOS 21.1.1.4-patch1-5.

X440-G2-RH-01.8 # sh xml-notification configuration
Target Name : netsight-target_172.18.1.50
Server URL : https://172.18.1.50:8443/axis/services/event (VR-Default)
Server User Name : xmlnotification
Enabled : yes
Queue Size : 100
Connection Status : fail
Source IP Address : 172.18.3.253
Configured Modules : idMgr

X440-G2-RH-01.9 # sh xml-notification statistics
Target Name : netsight-target_172.18.1.50
Server URL : https://172.18.1.50:8443/axis/services/event
Server Queue Size : 100
Enabled : yes
Connection Status : fail
Events Received : 5
Connection Failures : 3
Events Sent Success : 0
Events Sent Failed : 5
Events Dropped : 0

X440-G2-RH-01.14 # sh ssl
HTTPS Port Number: 443 (Enabled)
Signature Algorithm configured: sha512 With RSA Encryption
Private Key matches the Certificate's public key.
RSA Private Key: 2048
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha512WithRSAEncryption
Issuer: C=US, O=Extreme Networks, CN=mX440-G2-RH-01
Validity
Not Before: Jul 10 12:59:02 2017 GMT
Not After : Jul 10 12:59:02 2018 GMT
Subject: C=US, O=Extreme Networks, CN=mX440-G2-RH-01
Manufacturing certificate: Present

In my lab I found the same issue: With the SAME config, on EXOS 21 it can't connect to EMC, but booting to the EXOS 22 it works fine.

The community and gtacknowledge posts said it works since EXOS 15, and I can't upgrade to EXOS 22 until the next customer maintenance window.

Any ideas?

Regards,

-Leo
