ExtremeCloud IQ- Site Engine & Extreme Management Center

  • 1.  Kerberos Snooping

    Posted 06-09-2015 10:57
    Hi together,

    i want to use Kerberos Snooping for the authentification of my clients against nac appliance.
    The Access Switch is an Enterasys B5 Switch.
    Is it possible with that switch or do i need a switch which supports Kerberos snooping?
    I have tried Kerberos Snooping but it doesnt work with my Enterasys B5.

    Greetings Ronny

  • 2.  RE: Kerberos Snooping

    Posted 06-09-2015 11:40
    Ronny, the B5 typically is deployed with dot1x and or mac-authentication using radius between switch and NAC.
    The XOS based switches can support Kerberos snooping as authentication mechanism with the NAC in 6.2.
    Also other devices supporting Kerberos snooping are supported as well with the NAC, typically for host-name resolution, but also can promote access rights.

  • 3.  RE: Kerberos Snooping

    Posted 06-10-2015 07:18
    Hi Ronny,

    maybe it is worth to do one step back. Why do you want to do Kerberos Snooping for authentication? IEEE 802.1X is much more reliable. Kerberos Snooping makes much sense if you do just MAC Authentication but you also want to know which user is logged in. Then you could do MAC Auth on the B5 an mirror the Kerberos Traffic (e.g. from S-Series) to a sniffing Port of the NAC Appliance.

    Please explain us your aims so maybe together we find the best solution for you.


  • 4.  RE: Kerberos Snooping

    Posted 06-10-2015 10:44
    you're right i forgot that i have to do mac authentification before the client can authentificate to the AD. So in my mind was the idea of a client, where nothing is to configure like 802.1x.
    But when i do mac authentification, i have to permit traffic to the domain controller for any unknown clients (because mac authentification is senseless), and i don't want to permit this.
    I'm using now 802.1X.

    Thanks for the replys