Analytics & Visibility

  • 1.  Kerberos Snooping with 802.1X

    Posted 05-07-2014 13:23
    Hi, Kerberos Snooping allows getting Username Information if a client is authenticated via MAC. But if the client is authenticated via 802.1X through its computer account, the Kerberos Information is ignored. This is reasonable as both (Kerberos and .1X) use the username column and the 802.1X authentication is more confiding. As a result it is not possible to get the information about which user is logged into the client.

    It is possible to do a user-based 802.1X authentication, but when it comes to EAP-TLS it is much more overhead to deal with user certificates than with computer certificates. Another point against user authentication is if PEAP is used. In this case the user could use any client in which he enters his credentials.

    A solution for this could be a new column in the NAC Manager, e.g. "Kerberos Username", which is filled through the Kerberos handler. Especially as the purple Extreme switches can do the Kerberos Snooping in the switch, this feature would be very interesting in the near

    I hope this feature will be included soon. What do you think about it?

    Best Regards

  • 2.  RE: Kerberos Snooping with 802.1X

    Posted 07-28-2017 11:13
    Is this feature available?

  • 3.  RE: Kerberos Snooping with 802.1X

    Posted 07-28-2017 11:13
    After discussion with my co-workers - we believe this feature is available (Netsight V7.x) if you mirror login traffic to the NAC appliance (DHCP/Kerberos snooping is active by default).
    End-System Cache should distribute this information to Netsight aka NAC Manager Client ...