ExtremeCloud IQ- Site Engine & Extreme Management Center

  • 1.  Additional data for Identity-Management from NAC's DHCP\Kerberos snooping - how it works?

    Posted 05-25-2017 06:37
    Hello, everybody,

    I've configured IM on Summits and send the data to Netsight. I get IP, MAC, sometimes hostnames and usernames. It works fine!

    I've been told that if I connect NAC appliance to my Netsight and attach one of its interfaces to the network where DHCP works, I could have also Device Type and Operating System data.

    I did, but there is no additional data received. From Netsight I see NAC as "green" device and it seems like everything is OK. But in NAC appliance I see the strange message: "Problems Detected (appliance cannot connect to management server".

    How can I fix this? Is it related to the absence of additional data in Netsight from IM?

    Many thanks in advance,

    Ilya





  • 2.  RE: Additional data for Identity-Management from NAC's DHCP\Kerberos snooping - how it works?

    Posted 05-25-2017 07:27
    Hi Ilya

    When you complete the installation wizard for NAC it asks for the IP address of NMS.
    Did you correctly enter the NMS IP?
    I would run nacconfig again and ensure that these are set correctly.

    Also, what interface did you connect to the vlan with the DHCP?
    I have found that the best way would be to just add the NAC as an additional IP helper address on the vlan interface. This way no additional NAC interface is required.

    Thx
    Andre



  • 3.  RE: Additional data for Identity-Management from NAC's DHCP\Kerberos snooping - how it works?

    Posted 05-25-2017 07:27
    Hello, Andre!

    Could you please explain that: "add the NAC as an additional IP helper address on the vlan interface."

    At the moment I have just VLAN1 and one subnet 192.168.12.0/23... Both NAC and DHCP Server (WS 2012) are on the same subnet.

    Please?



  • 4.  RE: Additional data for Identity-Management from NAC's DHCP\Kerberos snooping - how it works?

    Posted 05-25-2017 07:59
    I've found one more possible reason why it doesn't work...

    I deleted and added appliance again, but it didn't help...





  • 5.  RE: Additional data for Identity-Management from NAC's DHCP\Kerberos snooping - how it works?

    Posted 05-25-2017 08:31
    So from the sound of things you have a single vlan, so there is no need for IP helpers (only required if you have multiple vlans).

    DHCP is a broadcast so the information will hit the NAC in the client vlan.
    No need for additional config.

    All you will need to ensure is the following:
    During initial wizard, ensure that you typed the NMS IP correctly.
    Discover the NAC appliance in NMS
    Under control, add Switches to the NAC for authentication.
    Enable auth on the switches and you should be good to go.
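
Added example, not part of the thread and not Extreme's code: a minimal Python parser for the fields a passive listener on the client VLAN can read from a DHCP client broadcast (client MAC, hostname option 12, vendor class option 60, parameter request list option 55), which is the kind of data DHCP-based device and OS profiling relies on. The function names and the sample packet are constructed for illustration; how the NAC appliance maps these fields to a device type is not described in the thread.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header

def parse_dhcp_request(payload: bytes) -> dict:
    """Return the client-identifying fields of a DHCP client message (UDP payload)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, hlen = payload[0], payload[2]
    if op != 1 or hlen > 16:  # op 1 = BOOTREQUEST (client to server)
        raise ValueError("not a client request")
    info = {"mac": payload[28:28 + hlen].hex(":"), "msg_type": None,
            "hostname": None, "vendor_class": None, "param_request_list": []}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:  # End option
            break
        if code == 0:  # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option")
        if code == 53 and length == 1:
            info["msg_type"] = data[0]  # 1 = DISCOVER, 3 = REQUEST
        elif code == 12:
            info["hostname"] = data.decode("ascii", "replace")
        elif code == 60:
            info["vendor_class"] = data.decode("ascii", "replace")
        elif code == 55:
            info["param_request_list"] = list(data)
        i += 2 + length
    return info

def build_sample() -> bytes:
    """Constructed DHCPDISCOVER for the demo; every value here is made up."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000,
                         b"", b"", b"", b"", bytes.fromhex("001122334455"), b"", b"")
    opts = b"\x35\x01\x01" + b"\x0c\x08LAB-PC01" + b"\x3c\x08MSFT 5.0"
    opts += b"\x37\x04\x01\x03\x06\x0f" + b"\xff"
    return header + MAGIC + opts

if __name__ == "__main__":
    print(parse_dhcp_request(build_sample()))
```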



  • 6.  RE: Additional data for Identity-Management from NAC's DHCP\Kerberos snooping - how it works?

    Posted 05-25-2017 08:31
    Andre,

    I did everything, except "Enable auth on the switches and you should be good to go."

    What kind of authentication are you talking about?

    Thank you!


  • 7.  RE: Additional data for Identity-Management from NAC's DHCP\Kerberos snooping - how it works?

    Posted 05-25-2017 08:31
    Mac Authentication is always good because the NAC will allow this always by default.

    enable netlogin mac
    configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "Iqzcvu~67"
    enable netlogin ports 3-46 mac
    configure netlogin mac username format hyphenated


  • 8.  RE: Additional data for Identity-Management from NAC's DHCP\Kerberos snooping - how it works?

    Posted 05-25-2017 08:31
    I am very sorry, Andre...

    But what exactly will happen when I input such commands on a switch?

    Will users be prompted to enter their MACs? And will I have to save their static MACs or make some kind of binding?

    I've never had any experience with netlogin before...