Additional data for Identity Management from NAC's DHCP/Kerberos snooping: how does it work?

  • Problem
  • Updated 1 year ago
  • Solved
Hello, everybody,

I've configured IM on Summits and send the data to Netsight. I get IP, MAC, sometimes hostnames and usernames. It works fine!

I've been told that if I connect NAC appliance to my Netsight and attach one of its interfaces to the network where DHCP works, I could have also Device Type and Operating System data.

I did, but there is no additional data received. From Netsight I see NAC as "green" device and it seems like everything is OK. But in NAC appliance I see the strange message: "Problems Detected (appliance cannot connect to management server".

How can I fix this? Is it related to the absence of additional data in Netsight from IM?

Many thanks in advance,

Ilya
Ilya Semenov

Posted 1 year ago

Andre Brits Kannemeyer
Hi Ilya

When you complete the installation wizard for NAC it asks for the IP address of NMS.
Did you correctly enter the NMS IP?
I would run nacconfig again and ensure that these are set correctly.

Also, what interface did you connect to the VLAN with the DHCP?
I have found that the best way would be to just add the NAC as an additional IP helper address on the VLAN interface. This way no additional NAC interfaces are required.

Thx
Andre
Ilya Semenov
Hello, Andre!

Could you please explain that: "add the NAC as an additional IP helper address on the vlan interface."

At the moment I have just VLAN1 and one subnet 192.168.12.0/23... Both NAC and DHCP Server (WS 2012) are on the same subnet. 

Please?
Ilya Semenov
I've found one more possible reason why it doesn't work...

I deleted and added appliance again, but it didn't help...
Andre Brits Kannemeyer
So from the sound of things you have a single VLAN, so there is no need for IP helpers (only required if you have multiple VLANs).

DHCP is a broadcast so the information will hit the NAC in the client vlan.
No need for additional config.

All you will need to ensure is the following:
During initial wizard, ensure that you typed the NMS IP correctly.
Discover the NAC appliance in NMS
Under control, add Switches to the NAC for authentication.
Enable auth on the switches and you should be good to go.
Ilya Semenov
Andre,

I did everything, except "Enable auth on the switches and you should be good to go."

What kind of authentication are you talking about?

Thank you!
Andre Brits Kannemeyer
MAC Authentication is always good because the NAC will allow this always by default.

# turn on the netlogin MAC-based authentication method globally
enable netlogin mac
# catch-all MAC list entry (mask 48 bits) with the password the NAC expects
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "Iqzcvu~67"
# enable MAC authentication on the client-facing ports
enable netlogin ports 3-46 mac
# send the client MAC as the RADIUS username in hyphenated form
configure netlogin mac username format hyphenated
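To make concrete what the thread is talking about (a NAC passively reading DHCP broadcasts to derive Device Type and OS, and a switch presenting the client MAC as a hyphenated username), here is a small added example. It is not code from this thread nor from the Extreme NAC product; it parses a DHCP DISCOVER, matches the client's option 55 parameter request list against a signature table, and renders the MAC the way the netlogin command above selects. The signature table, the sample packet and the exact meaning of "hyphenated" (assumed to be aa-bb-cc-dd-ee-ff) are all constructed assumptions for the demo.

```python
import struct

# DHCP option codes used below (RFC 2132 numbering).
OPT_PAD = 0
OPT_HOSTNAME = 12
OPT_MSG_TYPE = 53
OPT_PARAM_REQUEST_LIST = 55
OPT_VENDOR_CLASS = 60
OPT_END = 255
DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that precedes the options

# Constructed, illustrative signature table: parameter request list -> (device type, OS).
# A real NAC ships a much larger database; these two entries exist only for the demo.
FINGERPRINTS = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252): ("Workstation", "Windows (constructed entry)"),
    (1, 3, 6, 12, 15, 28, 42): ("Printer", "Embedded (constructed entry)"),
}


def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed BOOTP header and the DHCP options TLV list.

    Returns the client hardware address and a dict of option code -> raw value.
    Raises ValueError on packets that are too short or carry truncated options,
    so a malformed broadcast is rejected instead of being misread as a fingerprint.
    """
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet: missing magic cookie")
    op, htype, hlen = struct.unpack_from("!BBB", packet, 0)
    if hlen > 16:
        raise ValueError("bad hardware address length")
    chaddr = packet[28:28 + hlen]          # chaddr field starts at offset 28
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {"op": op, "mac": chaddr, "options": options}


def mac_hyphenated(mac: bytes) -> str:
    """Render a MAC as aa-bb-cc-dd-ee-ff (assumed netlogin 'hyphenated' username form)."""
    return "-".join(f"{b:02x}" for b in mac)


def fingerprint(packet: bytes) -> dict:
    """Build the identity-style record a NAC would export from one DHCP DISCOVER."""
    parsed = parse_dhcp(packet)
    opts = parsed["options"]
    prl = tuple(opts.get(OPT_PARAM_REQUEST_LIST, b""))
    device_type, os_name = FINGERPRINTS.get(prl, ("Unknown", "Unknown"))
    return {
        "mac": mac_hyphenated(parsed["mac"]),
        "hostname": opts.get(OPT_HOSTNAME, b"").decode("ascii", "replace"),
        "vendor_class": opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace"),
        "device_type": device_type,
        "os": os_name,
    }


def build_discover(mac: bytes, hostname: bytes, prl: tuple, vendor_class: bytes) -> bytes:
    """Construct a minimal DHCP DISCOVER (sample input only, not captured traffic)."""
    # op=1 (request), htype=1 (Ethernet), hlen=6, hops=0, xid, secs=0,
    # flags=broadcast, ciaddr/yiaddr/siaddr/giaddr all 0.0.0.0
    header = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, 0x12345678, 0, 0x8000, 0, 0, 0, 0)
    header += mac.ljust(16, b"\x00")        # chaddr (16 bytes)
    header += b"\x00" * 64 + b"\x00" * 128  # sname and file, unused here
    opts = bytes([OPT_MSG_TYPE, 1, 1])      # DHCPDISCOVER
    opts += bytes([OPT_HOSTNAME, len(hostname)]) + hostname
    opts += bytes([OPT_PARAM_REQUEST_LIST, len(prl)]) + bytes(prl)
    opts += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
    opts += bytes([OPT_END])
    return header + DHCP_MAGIC + opts


# Constructed sample: a laptop requesting the option set in the first table entry.
SAMPLE_DISCOVER = build_discover(
    bytes.fromhex("001122334455"), b"LAPTOP-01",
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252), b"MSFT 5.0",
)

if __name__ == "__main__":
    print(fingerprint(SAMPLE_DISCOVER))
```

Two points follow from the code. First, the NAC only sees this data if the DISCOVER reaches one of its interfaces, which is why the thread's advice is either a shared VLAN or an IP helper pointing at the NAC. Second, everything in option 55, 60 and 12 is supplied by the client, so Device Type and OS are a classification hint for visibility and policy, not an authentication result; MAC authentication on the switch is what actually gates access.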
Ilya Semenov
I am very sorry, Andre...

But what will exactly happen when I input such commands on a switch?

Will users be prompted to enter their MACs? And should I save their static MACs or make some kind of binding?

I've never had any experience with netlogin before...