show username in OneView if I do 802.1x with computer certificate

Question · Answered · Updated 1 year ago
Hello everybody

I have an Extreme switch (X430-8p) which has port 1 configured like this:
configure netlogin vlan v0889-netlogin
enable netlogin dot1x mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
enable netlogin ports 1 dot1x
enable netlogin ports 1 mac
configure netlogin ports 1 mode mac-based-vlans
configure netlogin ports 1 no-restart
enable netlogin authentication failure vlan ports 1
enable netlogin authentication service-unavailable vlan ports 1
configure netlogin authentication failure vlan vgast ports 1
configure netlogin authentication service-unavailable vlan vgast ports 1

On the Extreme NAC I have configured an 802.1x policy:
Authentication: 802.1x (EAP-TLS)
user: LDAP User-group
Location: this switch (x430-8p)
Profile: returns an accept policy with a VLAN tag.

This works fine so far.

But now, in OneView I only see the computer name (host/xxxxx) as the user name.
How can I get the real username there (for example user.xy@domain.com)?
Do I have to use Kerberos too?

Thank you,
Br, Yves
Yves Haslimann

Posted 1 year ago
Piotr Szolkowski, Employee
No, you do not have to use Kerberos.

Most probably you did not enable Computer and User authentication on your Windows IEEE 802.1x client, so you only authenticate the computer. You also need user certificates to allow user authentication.
Yves Haslimann
Hi Piotr,

but I only have a computer certificate configured in the GPO.
Is there nevertheless a way to get the username?

See the attached end-system details.
The 4th rule is only a Kerberos passthrough, which shows the username. But in the summary end-system view, I only see the latest rule (1st rule), which shows the computer name instead of the user name. Do you know what I mean?
Yacobucci, Ryan, Multi-Tier Technical Support Engineer
Hello,

NAC can only display the username if it has been provided either by 802.1x authentication or by Kerberos snooping. If the end system is not configured to authenticate with "user and computer" authentication, this information will never be provided and NAC won't be able to display it.

Thanks
-Ryan
Piotr Szolkowski, Employee
Kerberos is tricky. If you log in to the domain, NAC can snoop the user name, but if your user maps a network drive and chooses a different username, then Kerberos will update the username in NAC, which can lead to a policy change. So I am not a fan of Kerberos in such a scenario.

If you want to do it right, you need user certificates. It is not so complicated, as you can get user certificates using auto-enrolment in Active Directory: whenever a user logs into a Windows client and Windows does not have a user certificate, Windows AD will create and/or download the certificate to the Windows client. Then you will have your username.
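The two client-side prerequisites named in this thread (the supplicant set to "Computer and User" authentication, and a user certificate present for EAP-TLS) can be checked on the Windows client before touching the switch or NAC again. The following PowerShell is an added example and is not code from the thread, from Extreme or from Microsoft; it assumes it runs as the logged-on domain user, that the adapter is called `Ethernet`, and that the Wired AutoConfig (dot3svc) service is running so `netsh lan` can export the profile. `machineOrUser`, `machine`, `user` and `guest` are the `authMode` values of the wired OneX profile; the interface name and output folder are assumptions to adjust.

```powershell
# Added example, not code from the thread or from Extreme/Microsoft.
# Checks why NAC may only ever see "host/..." for this client:
#   1. the wired 802.1X profile's OneX authMode (machineOrUser = Computer and User), and
#   2. whether the logged-on user holds a certificate EAP-TLS can present
#      (private key, not expired, Client Authentication EKU).
# Assumptions: domain user session, adapter named 'Ethernet' (adjust), dot3svc running.

$Interface     = 'Ethernet'                  # assumed adapter name
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'         # id-kp-clientAuth
$ExportDir     = Join-Path $env:TEMP 'lan-profile-check'

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
Remove-Item -Path (Join-Path $ExportDir '*.xml') -ErrorAction SilentlyContinue

# netsh writes the wired profile as XML; authMode lives in the OneX element.
netsh lan export profile folder="$ExportDir" interface="$Interface" | Out-Null
$ProfileFile = Get-ChildItem -Path $ExportDir -Filter '*.xml' | Select-Object -First 1
if (-not $ProfileFile) {
    throw "No wired 802.1X profile exported for interface '$Interface'."
}

[xml]$Profile = Get-Content -Path $ProfileFile.FullName -Raw
# local-name() sidesteps the profile's XML namespaces.
$AuthModeNode = $Profile.SelectSingleNode("//*[local-name()='authMode']")
$AuthMode = if ($AuthModeNode) { $AuthModeNode.InnerText } else { '(not set in profile)' }

# Certificates the supplicant could present for the user during EAP-TLS.
$UserCerts = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
}

# The identity NAC learns comes from the certificate's Subject Alternative Name:
# a user cert carries a UPN ("Principal Name=user@domain"), a machine cert a DNS name.
$Identities = foreach ($Cert in $UserCerts) {
    $San = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        SAN        = if ($San) { $San.Format($false) } else { '(no SAN)' }
    }
}

[pscustomobject]@{
    Interface          = $Interface
    AuthMode           = $AuthMode
    UserAuthEnabled    = ($AuthMode -in 'machineOrUser', 'user')
    UserCertCount      = @($UserCerts).Count
    UserCertIdentities = $Identities
} | Format-List

# An absent authMode element means the profile default applies; confirm it in the
# adapter's Authentication tab or the GPO rather than assuming machine-only.
if ($AuthMode -in 'machine', 'guest') {
    Write-Warning "authMode is '$AuthMode': NAC will only learn the computer identity (host/...)."
}
if (@($UserCerts).Count -eq 0) {
    Write-Warning 'No usable user certificate in Cert:\CurrentUser\My; check auto-enrolment.'
}
```

If `UserAuthEnabled` is true but `UserCertCount` is 0, the symptom in the question (only `host/xxxxx` in OneView) is expected: the supplicant falls back to the machine certificate because it has nothing to present for the user. If a user certificate is listed, its `SAN` line shows the UPN that NAC will display once user authentication happens.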
Yves Haslimann
Hello Ryan and Piotr,

Okay, thanks for your feedback. I see your points.
I will check this.

Thanks, Yves