AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

  • Problem
  • Updated 6 months ago
  • Solved
Hello, everybody,

I've experienced the following issue:

1) I've configured identity-management on all switches - it allowed me to get hostnames and usernames of my Windows machines per port
2) I've found out how to send these data to Netsight>Control>Endpoint - great!
3) But I wanted even more - to get Device Family & Device Type data - and I did - now I see whether my clients are Android, Windows or Mac OS X.

The problem is I don't get data in the User Name column in End-Systems anymore. What has happened?

There were no configuration changes in identity-management!

I've also noticed that for some Apple clients I get the following error (below). I am not sure they can connect to the network now. Could I fix it somehow?


Many thanks in advance,
Ilya
Ilya Semenov


Posted 6 months ago

Volker Kull

You need to configure DHCP snooping.

br
Volker
Ilya Semenov

No, it is already configured. Besides the main DHCP server, DHCP requests are sent to both NAC servers too. This in particular allows us to get such data as Device Family and Device Type. I get these data at the moment.

But I've stopped getting data from Identity Management such as UserName. I have no idea how to get it back.

Identity Management is an EXOS feature which allows us to snoop Kerberos traffic, which contains such data as hostname and AccountName (AD username).
Ilya Semenov

Volker, maybe you meant this kind of dhcp-snooping?

"enable ip-security dhcp-snooping <vlan> ports all violation-action none"

Should it be turned on all the way from the switch to the AD Domain Controller server?

Thank you!
Ronald Dvorak, Embassador

Here is the link for Extreme search:
https://www.extremenetworks.com/search/

If you search for "dhcp snooping" it's the first link.
Brian Anderson

I don't think dhcp snooping will give him usernames.
Ilya Semenov

Maybe this is the answer?

"The Identity Manager role-based VLAN feature will not be enabled on Netlogin enabled ports."

from:

https://documentation.extremenetworks.com/exos/EXOS_21_1/Identity_Management/c_configuring-identity-...
Ilya Semenov

It's not...
Ronald Dvorak, Embassador

As mentioned before, I think the best option is to either attend the official ExtremeControl class or pay an Extreme partner to configure it for/with you.
Ilya Semenov

This is not fun, Ronald...
Ronald Dvorak, Embassador

Never tried to be funny.
Brian Anderson

What does the 'show identity-management entries' command on the switch show you? If you are getting names there, then maybe something is up with traffic making it to Netsight. Sometimes a reboot of Netsight will set things straight.
Ilya Semenov

Hi, Brian,

E28-4.3.1.36 # sh identity-management entries
ID Name/          Flags  Port        MAC/          VLAN            Role
Domain Name                          IP
--------------------------------------------------------------------------------
0004A32C2139       -m--  4      00:04:a3:2c:21:39  Vlan16(1)       authenticated
                                -- NA --
001E8C18C045       -m--  16     00:1e:8c:18:c0:45  Vlan77(1)       authenticated
                                -- NA --
14DAE9B5215D       -m--  7      14:da:e9:b5:21:5d  Vlan16(1)       authenticated
                                -- NA --
A0B3CC49A2FB       -m--  1      a0:b3:cc:49:a2:fb  Vlan76(1)       authenticated
                                -- NA --
C0A0BB6613BF       -m--  23     c0:a0:bb:66:13:bf  Default(4)      authenticated
                                -- NA --
D884668C1C32       -m--  9      d8:84:66:8c:1c:32  Vlan22(1)       authenticated
                                -- NA --
D884668C1C34       -m--  11     d8:84:66:8c:1c:34  Vlan22(1)       authenticated
                                -- NA --
D884668C1C3C       -m--  13     d8:84:66:8c:1c:3c  Vlan22(1)       authenticated
                                -- NA --
Unknown_3c:F7:A4:> ----  9      3c:f7:a4:1d:07:b1  Vlan39(1)       unauthentica>
                                10.11.32.180(1)
--------------------------------------------------------------------------------
 Flags:               k - Kerberos Snooping, l - LLDP Device,
                      m - NetLogin MAC-Based, w - NetLogin Web-Based,
                      x - NetLogin 802.1X
 Legend: >      - VLAN / ID Name / Domain / Role Name truncated to column width
        (#)     - Total # of associated VLANs/IPs
        -- NA --- No IP or VLAN associated
 Total number of entries: 9

E28-4.3.1.37 #

I've checked it. Something prevents Kerberos from being snooped by the switches.

I think I've found the reason (it is just a guess). On the core X670 switch, ipmcforwarding was disabled for all VLANs. After I turned it on, I get usernames in the "show identity entries" output and in Netsight from at least one edge switch.
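As an added example (not from the thread or from Extreme), a small Python parser for the 'show identity-management entries' table quoted above: it reports how many sessions carry a Kerberos-snooped identity (the 'k' flag) versus NetLogin MAC-only sessions, which is the quickest way to check across many edge switches whether the switch itself ever saw Kerberos or whether the gap is between the switch and Netsight. The sample output, the 'jsmith' user, its MAC and the domain are constructed, and the reading of the 'k' flag follows the command's own legend.

```python
import re

# Constructed sample in the layout of EXOS 'show identity-management entries' (made-up names, MACs, IPs).
SAMPLE_OUTPUT = """\
ID Name/          Flags  Port        MAC/          VLAN            Role
Domain Name                          IP
--------------------------------------------------------------------------------
0004A32C2139       -m--  4      00:04:a3:2c:21:39  Vlan16(1)       authenticated
                                -- NA --
jsmith             km--  6      00:11:22:33:44:55  Vlan16(1)       authenticated
CORP.EXAMPLE                    10.11.16.25(1)
Unknown_3c:F7:A4:> ----  9      3c:f7:a4:1d:07:b1  Vlan39(1)       unauthentica>
                                10.11.32.180(1)
"""

# First line of each entry: ID name, flag column, port, MAC, VLAN, role.
# The second line carries the domain (column 0) and the IP, or '-- NA --'.
ENTRY_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<flags>[-klmwx]{4})\s+(?P<port>\S+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<vlan>\S+)\s+(?P<role>\S+)$"
)

def parse_entries(output):
    """Turn the two-line-per-entry table into a list of dicts."""
    entries, lines, i = [], output.splitlines(), 0
    while i < len(lines):
        m = ENTRY_RE.match(lines[i])
        i += 1
        if not m:
            continue  # header, separator or legend line
        entry = m.groupdict()
        entry["flags"] = set(entry["flags"].replace("-", ""))
        entry["domain"], entry["ip"] = "", ""
        if i < len(lines) and not lines[i].startswith("-") and not ENTRY_RE.match(lines[i]):
            cont = lines[i]
            i += 1
            if cont.strip() and not cont[0].isspace():
                entry["domain"] = cont.split()[0]
            if "-- NA --" not in cont:
                entry["ip"] = re.sub(r"\(\d+\)$", "", cont.split()[-1])
        entries.append(entry)
    return entries

def kerberos_coverage(entries):
    """Sessions with a Kerberos-snooped identity ('k') vs. NetLogin MAC-only ones ('m' without 'k')."""
    return {
        "total": len(entries),
        "kerberos_identity": sum("k" in e["flags"] for e in entries),
        "mac_only": sum("m" in e["flags"] and "k" not in e["flags"] for e in entries),
    }
```

A high mac_only count on a switch whose ports all carry Windows PCs means the Kerberos traffic is not reaching the snooping switch at all, which is a different problem from NAC not recording a username it did receive.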
Yacobucci, Ryan, Multi-Tier Technical Support Engineer

Hello,

I see that you've been able to get it to work. I just wanted to add that in the first screenshot it looks like there is a misconfiguration with the AAA configuration that is not allowing 802.1x, and that the MAC-authenticated session is in a disconnected state.

I do not believe the NAC will perform an end system update if the end system that is being updated does not have an active session. If somehow the active session in NAC had become disconnected and NAC received username information, I don't think we'll populate it due to no active session being found to update.

Thanks
-Ryan 
Ilya Semenov

Hi, Ryan,

Actually, I've had only very local success. From about 80 Summits I get only 10-20 rows where the AD username was recorded. I can't identify a pattern for why this happens. All Summit configurations are 98% identical. Almost all ports have a Windows PC connected, so THERE IS Kerberos traffic. There should be thousands of records because of 12000+ Windows workstations! It worked two weeks ago (but without OS Type and Version), and I suppose that the customer's admin did something on the X670 core. As usual, he couldn't recall anything. What could it be? ACLs?

Please, share any ideas you have...

Many thanks in advance,

Ilya

This is what I have now:

(Edited)
Brian Anderson

If you are archiving backups of the switch configs, I'd look there for changes: compare the recent backup with one from when you were getting the records.