AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication
  • 1.  AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

    Posted 01-19-2018 07:00
    Hello, everybody,

    I've experienced the following issue:

    1) I've configured identity-management on all switches - it allowed me to get hostnames and usernames of my Windows machines per port
    2) I've found out how to send these data to Netsight>Control>Endpoint - great!
    3) But I wanted even more - to get Device Family&Device Type data - and I did - now I see whether my clients are Android, Windows or Mac OS X.

    The problem is I don't get data in the User Name column in End-Systems anymore. What happened?

    There were no configuration changes in identity-management!

    I've also noticed that for some Apple clients I get the following error (below). I am not sure they can connect to the network now. Could I fix it somehow?


    Many thanks in advance,
    Ilya


  • 2.  RE: AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

    Posted 01-19-2018 07:07
    You need to configure DHCP snooping.

    br
    Volker


  • 3.  RE: AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

    Posted 01-19-2018 09:04
    Maybe this is the answer?

    "The Identity Manager role-based VLAN feature will not be enabled on Netlogin enabled ports."

    from:

    https://documentation.extremenetworks.com/exos/EXOS_21_1/Identity_Management/c_configuring-identity-...



  • 4.  RE: AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

    Posted 01-19-2018 12:40
    As mentioned before, I think the best is to either attend the official ExtremeControl class or pay an Extreme partner to configure it for/with you.


  • 5.  RE: AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

    Posted 01-19-2018 13:42
    What does 'show identity-management entries' command on the switch show you? If you are getting names there, then maybe something is up with traffic making it to Netsight. Sometimes a reboot of Netsight will set things straight.


  • 6.  RE: AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

    Posted 01-19-2018 13:49
    Hi, Brian,

    E28-4.3.1.36 # sh identity-management entries
    ID Name/ Flags Port MAC/ VLAN Role
    Domain Name IP
    --------------------------------------------------------------------------------
    0004A32C2139 -m-- 4 00:04:a3:2c:21:39 Vlan16(1) authenticated
    -- NA --
    001E8C18C045 -m-- 16 00:1e:8c:18:c0:45 Vlan77(1) authenticated
    -- NA --
    14DAE9B5215D -m-- 7 14:da:e9:b5:21:5d Vlan16(1) authenticated
    -- NA --
    A0B3CC49A2FB -m-- 1 a0:b3:cc:49:a2:fb Vlan76(1) authenticated
    -- NA --
    C0A0BB6613BF -m-- 23 c0:a0:bb:66:13:bf Default(4) authenticated
    -- NA --
    D884668C1C32 -m-- 9 d8:84:66:8c:1c:32 Vlan22(1) authenticated
    -- NA --
    D884668C1C34 -m-- 11 d8:84:66:8c:1c:34 Vlan22(1) authenticated
    -- NA --
    D884668C1C3C -m-- 13 d8:84:66:8c:1c:3c Vlan22(1) authenticated
    -- NA --
    Unknown_3c:F7:A4:> ---- 9 3c:f7:a4:1d:07:b1 Vlan39(1) unauthentica>
    10.11.32.180(1)
    --------------------------------------------------------------------------------
    Flags: k - Kerberos Snooping, l - LLDP Device,
    m - NetLogin MAC-Based, w - NetLogin Web-Based,
    x - NetLogin 802.1X
    Legend: > - VLAN / ID Name / Domain / Role Name truncated to column width
    (#) - Total # of associated VLANs/IPs
    -- NA --- No IP or VLAN associated
    Total number of entries: 9

    E28-4.3.1.37 #

    I've checked it. Something prevents Kerberos from being snooped by the switches.

    I think I've found the reason (it is just a guess). On the core X670 switch ipmcforwarding was disabled for all VLANs. After I turned it on, I get usernames in the "show identity entries" output and in Netsight from at least one edge switch.
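    To triage the output above across many switches, here is an added example (not from the thread or from Extreme) that parses the two-line record format of 'show identity-management entries' and counts how many entries carry a Kerberos-snooped identity (flag k in the legend) versus only a MAC-derived name; the SAMPLE is an excerpt of the output quoted in this post.

```python
import re

# Excerpt (three of the nine records) of the output quoted in the post above;
# the full output uses the same two-line record layout.
SAMPLE = """\
ID Name/ Flags Port MAC/ VLAN Role
Domain Name IP
--------------------------------------------------------------------------------
0004A32C2139 -m-- 4 00:04:a3:2c:21:39 Vlan16(1) authenticated
-- NA --
A0B3CC49A2FB -m-- 1 a0:b3:cc:49:a2:fb Vlan76(1) authenticated
-- NA --
Unknown_3c:F7:A4:> ---- 9 3c:f7:a4:1d:07:b1 Vlan39(1) unauthentica>
10.11.32.180(1)
--------------------------------------------------------------------------------
Total number of entries: 3
"""

# First line of a record: ID name, flags (k/l/m/w/x or -), port, MAC, VLAN, role.
# Names and roles may be truncated with '>' by the switch, so they are just \S+.
RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<flags>[-klmwx]+)\s+(?P<port>\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<vlan>\S+)\s+(?P<role>\S+)$"
)

def parse_entries(text):
    """Return one dict per entry; the line after a record carries Domain/IP."""
    entries, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if m:
            pending = m.groupdict()
            pending["domain_ip"] = None
            entries.append(pending)
        elif pending is not None and pending["domain_ip"] is None:
            pending["domain_ip"] = line  # "-- NA --" or e.g. "10.11.32.180(1)"
    return entries

def summarize(entries):
    """Count snooped identities vs. entries whose ID name is only the MAC."""
    out = {"total": len(entries), "kerberos": 0, "mac_named": 0, "unauthenticated": 0}
    for e in entries:
        if "k" in e["flags"]:  # k = Kerberos Snooping per the output legend
            out["kerberos"] += 1
        if e["name"].upper() == e["mac"].replace(":", "").upper():
            out["mac_named"] += 1
        if e["role"].startswith("unauthentica"):
            out["unauthenticated"] += 1
    return out
```

Run it over the saved output of each switch: a fleet where kerberos stays at 0 while mac_named equals nearly every authenticated entry shows that NetLogin sessions exist but no Kerberos identity is ever attached to them.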



  • 7.  RE: AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

    Posted 01-22-2018 16:54
    Hello,

    I see that you've been able to get it to work. I just wanted to add that in the first screenshot it looks like there is a misconfiguration in the AAA configuration that is not allowing 802.1x, and that the MAC authenticated session is in a disconnected state.

    I do not believe the NAC will perform an end system update if the end system that is being updated does not have an active session. If somehow the active session in NAC had become disconnected and NAC received username information, I don't think we'll populate it due to no active session being found to update.

    Thanks
    -Ryan


  • 8.  RE: AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

    Posted 01-19-2018 07:07
    No, it is already configured. Besides the main DHCP server, DHCP requests are sent to both NAC servers too. This in particular allows us to get such data as Device Family and Device Type. I get these data at the moment.

    But I've stopped getting data from Identity Management such as UserName. I have no idea how to get it back.

    Identity Management is an EXOS feature which allows us to snoop Kerberos traffic, which contains such data as hostname and AccountName (AD username).


  • 9.  RE: AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

    Posted 01-19-2018 07:07
    Volker, maybe you meant this kind of dhcp-snooping?

    "enable ip-security dhcp-snooping"


  • 10.  RE: AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

    Posted 01-19-2018 07:07
    Here is the link for the Extreme search:
    https://www.extremenetworks.com/search/

    If you search for "dhcp snooping" it's the first link.


  • 11.  RE: AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

    Posted 01-19-2018 07:07
    I don't think dhcp snooping will give him usernames.


  • 12.  RE: AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

    Posted 01-19-2018 09:04
    It's not...


  • 13.  RE: AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

    Posted 01-19-2018 12:40
    This is not fun, Ronald...


  • 14.  RE: AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

    Posted 01-19-2018 12:40
    Never tried to be funny.


  • 15.  RE: AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

    Posted 01-22-2018 16:54
    Hi, Ryan,

    Actually I've had only very local success. From about 80 Summits I get 10-20 rows only where the AD username was recorded. I can't identify a pattern for why this happens. All Summit configurations are 98% identical. Almost all ports have a Windows PC connected - so THERE IS Kerberos traffic. There should be thousands of records because of 12000+ Windows workstations! It worked two weeks ago (but without OS Type and Version) and I suppose that the customer's admin had done something on the X670 core. As usual, he couldn't recall anything. What could it be? ACLs?

    Please, share any ideas you have...

    Many thanks in advance,

    Ilya

    This is what I have now:



  • 16.  RE: AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

    Posted 01-22-2018 16:54
    If you are archiving the backups of the switch configs I'd look there for changes: compare the recent backup with one from when you were getting the records.