Kerberos Snooping

  • Updated 3 years ago
Hi together,

I want to use Kerberos Snooping for the authentication of my clients against the NAC appliance.
The access switch is an Enterasys B5 switch.
Is it possible with that switch, or do I need a switch which supports Kerberos Snooping?
I have tried Kerberos Snooping, but it doesn't work with my Enterasys B5.

Greetings Ronny
Ronny Engelhardt

Posted 3 years ago

Mike Thomas, Employee - GTAC - NMS

Ronny, the B5 is typically deployed with dot1x and/or MAC authentication using RADIUS between switch and NAC.
The XOS-based switches can support Kerberos snooping as an authentication mechanism with the NAC in 6.2.
Also, other devices supporting Kerberos snooping are supported as well with the NAC, typically for host-name resolution, but also can promote access rights.
Michael Kirchner

Hi Ronny,

Maybe it is worth taking one step back. Why do you want to do Kerberos Snooping for authentication? IEEE 802.1X is much more reliable. Kerberos Snooping makes much sense if you do just MAC authentication but you also want to know which user is logged in. Then you could do MAC auth on the B5 and mirror the Kerberos traffic (e.g. from S-Series) to a sniffing port of the NAC appliance.

Please explain your aims to us so maybe together we can find the best solution for you.

Regards
Michael
Ronny Engelhardt

Hi,
You're right, I forgot that I have to do MAC authentication before the client can authenticate to the AD. So in my mind was the idea of a client, where nothing is to configure like 802.1x.
But when I do MAC authentication, I have to permit traffic to the domain controller for any unknown clients (because MAC authentication is senseless), and I don't want to permit this.
I'm using 802.1X now.

Thanks for the replies