cancel
Showing results for 
Search instead for 
Did you mean: 

Kerberos Snooping

Kerberos Snooping

Ronny_Engelhard
New Contributor II
Hi together,

i want to use Kerberos Snooping for the authentification of my clients against nac appliance.
The Access Switch is an Enterasys B5 Switch.
Is it possible with that switch or do i need a switch which supports Kerberos snooping?
I have tried Kerberos Snooping but it doesnt work with my Enterasys B5.

Greetings Ronny

3 REPLIES 3

Ronny_Engelhard
New Contributor II
Hi,
you're right i forgot that i have to do mac authentification before the client can authentificate to the AD. So in my mind was the idea of a client, where nothing is to configure like 802.1x.
But when i do mac authentification, i have to permit traffic to the domain controller for any unknown clients (because mac authentification is senseless), and i don't want to permit this.
I'm using now 802.1X.

Thanks for the replys

Michael_Kirchne
Contributor
Hi Ronny,

maybe it is worth to do one step back. Why do you want to do Kerberos Snooping for authentication? IEEE 802.1X is much more reliable. Kerberos Snooping makes much sense if you do just MAC Authentication but you also want to know which user is logged in. Then you could do MAC Auth on the B5 an mirror the Kerberos Traffic (e.g. from S-Series) to a sniffing Port of the NAC Appliance.

Please explain us your aims so maybe together we find the best solution for you.

Regards
Michael

Mike_Thomas
Extreme Employee
Ronny, the B5 typically is deployed with dot1x and or mac-authentication using radius between switch and NAC.
The XOS based switches can support Kerberos snooping as authentication mechanism with the NAC in 6.2.
Also other devices supporting Kerberos snooping are supported as well with the NAC, typically for host-name resolution, but also can promote access rights.
GTM-P2G8KFN