Kerberos Snooping with 802.1X

  • Idea
  • Updated 11 months ago
Hi,

Kerberos Snooping allows getting Username Information if a client is authenticated via MAC. But if the client is authenticated via 802.1X through its computer account, the Kerberos Information is ignored. This is reasonable as both (Kerberos and .1X) use the username column and the 802.1X authentication is more confiding. As a result it is not possible to get the information which user is logged into the client.

It is possible to do a user-based 802.1X authentication, but when it comes to EAP-TLS it is much more overhead to deal with user certificates than with computer certificates. Another point against user authentication is if PEAP is used. In this case the user could use any client in which he enters his credentials.

A solution for this could be a new column in the NAC Manager e.g. "Kerberos Username" which is filled through the kerberos handler. Especially as the purple Extreme switches can do the Kerberos Snooping in the switch, this feature would be very interesting in the near 

I hope this feature will be included soon. What do you think about it?

Best Regards
Michael

Michael Kirchner

Posted 4 years ago
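The request above boils down to a data-model question: today the end-system record has one identity column, so a snooped Kerberos principal is either written into it (MAC-authenticated client) or dropped (802.1X-authenticated client). The following is an added illustration, not Extreme/NetSight code, of what a separate "Kerberos Username" column would change. The record layout, the `host/...` 802.1X identity, the MAC addresses and the snooped principals are all constructed; the one real detail it relies on is that Active Directory computer accounts end in `$`, which lets a handler tell a machine ticket request from a user logon.

```python
"""Model of an end-system table with and without a separate Kerberos username column.

Added example (not Extreme/NetSight code). Field names, auth types and all sample
values are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class EndSystem:
    mac: str
    auth_type: str                           # constructed: "MAC" or "802.1X"
    username: Optional[str] = None           # the single identity column used today
    kerberos_username: Optional[str] = None  # the proposed additional column


def is_user_principal(principal: str) -> bool:
    """True for a user principal such as jdoe@CORP.EXAMPLE.

    Computer accounts (name ends with '$') and service principals (contain '/')
    are not user logons and should never overwrite a user identity.
    """
    name = principal.split("@", 1)[0]
    return bool(name) and not name.endswith("$") and "/" not in name


def snoop_current(es: EndSystem, principal: str) -> EndSystem:
    """Today's behaviour: Kerberos fills the username column only for MAC-authenticated
    clients; for 802.1X clients the snooped principal is ignored."""
    if es.auth_type == "802.1X" or not is_user_principal(principal):
        return es
    return replace(es, username=principal)


def snoop_proposed(es: EndSystem, principal: str) -> EndSystem:
    """Proposed behaviour: the 802.1X identity stays in `username`, the snooped
    user principal is kept in its own column regardless of auth type."""
    if not is_user_principal(principal):
        return es
    return replace(es, kerberos_username=principal)


# Constructed end-system table: one PC authenticated by computer certificate via
# 802.1X, one printer-style device authenticated by MAC.
TABLE: Dict[str, EndSystem] = {
    "00:11:22:33:44:55": EndSystem("00:11:22:33:44:55", "802.1X",
                                   username="host/pc01.corp.example"),
    "66:77:88:99:aa:bb": EndSystem("66:77:88:99:aa:bb", "MAC"),
}

# Constructed snooped AS-REQ client principals in the order they would be seen:
# the PC first requests a machine TGT at boot, then the user logs on.
SNOOPED = [
    ("00:11:22:33:44:55", "PC01$@CORP.EXAMPLE"),
    ("00:11:22:33:44:55", "jdoe@CORP.EXAMPLE"),
    ("66:77:88:99:aa:bb", "asmith@CORP.EXAMPLE"),
]


def run(handler: Callable[[EndSystem, str], EndSystem]) -> Dict[str, EndSystem]:
    """Replay the constructed snooped events through a handler and return the table."""
    table = dict(TABLE)
    for mac, principal in SNOOPED:
        table[mac] = handler(table[mac], principal)
    return table


if __name__ == "__main__":
    for label, handler in (("current", snoop_current), ("proposed", snoop_proposed)):
        print(label)
        for es in run(handler).values():
            print(f"  {es.mac}  auth={es.auth_type:<6} username={es.username!s:<24} "
                  f"kerberos_username={es.kerberos_username}")
```

Running it shows the gap the post describes: with today's rule the 802.1X client never learns `jdoe`, while the MAC-authenticated device does; with the extra column both the computer identity and the logged-on user survive, and the machine's own `PC01$` ticket request is filtered out rather than mistaken for a user.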

M.Nees, Embassador
Is this feature available?
M.Nees, Embassador
After discussion with my co-workers, we believe this feature is available (NetSight V7.x) if you mirror login traffic to the NAC appliance (DHCP/Kerberos snooping is active by default).
The End-System Cache should distribute this information to NetSight, aka the NAC Manager client ...
(Edited)