ExtremeCloud IQ- Site Engine & Extreme Management Center

show username in OneView if I do 802.1x with computer certificate

  • 1.  show username in OneView if I do 802.1x with computer certificate

    Posted 08-29-2017 08:26
    Hello everybody

    I have an Extreme switch (x430-8p) which has port 1 configured like this:
    configure netlogin vlan v0889-netlogin
    enable netlogin dot1x mac
    configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
    enable netlogin ports 1 dot1x
    enable netlogin ports 1 mac
    configure netlogin ports 1 mode mac-based-vlans
    configure netlogin ports 1 no-restart
    enable netlogin authentication failure vlan ports 1
    enable netlogin authentication service-unavailable vlan ports 1
    configure netlogin authentication failure vlan vgast ports 1
    configure netlogin authentication service-unavailable vlan vgast ports 1

    On the Extreme NAC I have configured a 802.1x Policy:
    Authentication: 802.1x (EAP-TLS)
    user: LDAP User-group
    Location: this switch (x430-8p)
    Profile: returns an accept policy with a VLAN tag.

    This works fine so far.

    But now, I see in OneView as user name only the computer name (host/xxxxx).
    How can I get the real username there (for example user.xy@domain.com)?
    Do I have to use Kerberos too?

    Thank you,
    Br, Yves



  • 2.  RE: show username in OneView if I do 802.1x with computer certificate

    Posted 08-29-2017 09:08
    No you do not have to use Kerberos.

    Most probably you did not enable Computer and User authentication on your Windows IEEE 802.1X client, so you only authenticate the computer. You also need user certificates to allow user authentication.


  • 3.  RE: show username in OneView if I do 802.1x with computer certificate

    Posted 08-29-2017 09:36
    Hi Piotr,

    but I have only a computer certificate configured in the GPO.
    Is there nevertheless a way to get the username?

    See the attached end-system details.
    The 4th rule is only a Kerberos passthrough, which shows the username. But in the summary end-system view, I see only the latest rule (1st rule), which shows the computer name instead of the user name. Do you know what I mean?




  • 4.  RE: show username in OneView if I do 802.1x with computer certificate

    Posted 08-29-2017 10:08
    Hello,

    NAC can only display the username if it has been provided either by 802.1x authentication, or Kerberos snooping. If the end system is not configured to authenticate with "user and computer" authentication this information will never be provided and NAC won't be able to display it.

    Thanks
    -Ryan


  • 5.  RE: show username in OneView if I do 802.1x with computer certificate

    Posted 08-29-2017 10:24
    Kerberos is tricky. If you log in to the domain, NAC can snoop the user name, but if your user maps a network drive and chooses a different username, then Kerberos will update the username in NAC, which can lead to a policy change. So I am not a fan of Kerberos in such a scenario.

    If you want to do it right you need user certificates. It is not so complicated, as you can get user certificates using auto-enrolment in Active Directory: whenever a user logs into a Windows client and Windows does not have a user certificate, Windows AD will create and/or download a certificate to the Windows client. Then you will have your username.

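    The behaviour described in replies 3, 4 and 5 (the end-system view shows the newest identity, a machine certificate only ever yields a host/ identity, and a snooped Kerberos login can silently swap the username) can be modelled to check an end-system's event history. This is an added illustration, not Extreme NAC code; the event model, MAC and usernames are constructed.

```python
from dataclasses import dataclass, field

# Constructed model of how a NAC end-system view settles on a display name:
# the newest identity source wins, as the thread describes. Not Extreme's code.

@dataclass
class AuthEvent:
    source: str    # "dot1x" (EAP-TLS identity) or "kerberos" (snooped login)
    identity: str  # e.g. "host/PC01.domain.com" or "user.xy@domain.com"

@dataclass
class EndSystem:
    mac: str
    events: list = field(default_factory=list)

def is_machine_identity(identity: str) -> bool:
    """Windows machine-certificate auth presents the identity as host/<fqdn>."""
    return identity.lower().startswith("host/")

def display_username(es: EndSystem) -> str:
    """Most recent identity wins (the 'summary view shows the latest rule' case)."""
    if not es.events:
        return ""
    return es.events[-1].identity

def kerberos_identity_flips(es: EndSystem) -> list:
    """Distinct snooped Kerberos usernames on one end system, in order of first
    appearance. More than one means the displayed username (and any policy keyed
    on it) changed mid-session, e.g. a drive mapped with alternate credentials."""
    seen = []
    for ev in es.events:
        if ev.source == "kerberos" and ev.identity not in seen:
            seen.append(ev.identity)
    return seen

def needs_user_auth(es: EndSystem) -> bool:
    """True when every 802.1X identity is a machine identity, i.e. the supplicant
    does computer-only authentication and no user certificate has been presented."""
    dot1x = [ev.identity for ev in es.events if ev.source == "dot1x"]
    return bool(dot1x) and all(is_machine_identity(i) for i in dot1x)

def sample_end_system() -> EndSystem:
    # Constructed sequence matching the thread: machine cert at link-up, a Kerberos
    # domain login, then a drive mapping under a different account.
    es = EndSystem(mac="00:11:22:33:44:55")
    es.events += [
        AuthEvent("dot1x", "host/PC01.domain.com"),
        AuthEvent("kerberos", "user.xy@domain.com"),
        AuthEvent("kerberos", "svc.backup@domain.com"),
    ]
    return es
```

    An end system where needs_user_auth() is true and kerberos_identity_flips() returns more than one name is exactly the case Piotr warns about: the username shown is whatever Kerberos saw last, not an authenticated identity.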

  • 6.  RE: show username in OneView if I do 802.1x with computer certificate

    Posted 08-29-2017 10:37
    Hello Ryan and Piotr,

    okay, thanks for your feedback. I see your points.
    I will check this.

    Thanks, Yves