Kerberos Snooping allows getting Username
Information if a client is authenticated via MAC. But if the client is
authenticated via 802.1X through its computer account, the Kerberos Information
is ignored. This is reasonable as both (Kerberos and .1X) use the username
column and the 802.1X authentication is more confiding. As a result it is not possible
to get the information which user is logged into the client.
It is possible to do a user based 802.1X authentication but when it comes to EAP-TLS it is much more overhead to deal with user certificates then with computer certificates. Another point against user authentication is if PEAP is used. In this case the user could use any client in which he enters his credentials.
A solution for this could be a new column in the NAC Manager e.g. "Kerberos Username" which is filled through the kerberos handler. Especially as the purple Extreme switches can do the Kerberos Snooping in the switch, this feature would be very interesting in the near
I hope this feature will be included soon. What do you think about?