X460-G2 & Policy Manager: End User Sessions Username missing

  • Problem
  • Updated 11 months ago
  • Solved
Hi Guys,

I'm playing with EXOS 16.1, X460-G2 and Policy Manager / NAC ( NetSight 6.3) in my LAB and I found something odd.

When a user authenticates to any port of the X460-G2, in the Policy Manager Network Elements Tab -> Port Usage -> End User Sessions the Username shows as N/A (as Session ID).

In the old RED gear, it shows as expected but not on the new gear.

Looking at the X460-G2 console, using a "show netlogin", the username is there...

When I added the switch to NAC Manager, it shows up the username with no problems.

I have customers with large B5's installed base, and some will now start using X450-G2/X460-G2, and many have no NAC, and use PM to find the username authenticated at ports.

Any ideas? Something still missing in this version?

Best regards,

-Leo
Leonardo Peixoto

Posted 3 years ago

Leonardo Peixoto

Hello guys,

It's been about 10 months and no answer... Any info?

Now I'm deploying a PoC with X460G2 on a customer large B5 installed base (XOS 21 and ECC 7) and the Username is still not showing up...

Best regards,

_Leo

Leonardo Peixoto

Hi guys,

Any news?

Best regards,

-Leo

Ryan Mathews, Alum

Wow...sorry this one has fallen through the cracks Leo.

We'll make sure we get you a response here.

Stephen Williams, Employee

Leo,

I think you need to enable identity management (IDM) with Kerberos snooping on the switch in order to get any username information without NAC. I believe Netsight only looks at IDM data and not netlogin data.

Here is a KCS article on how to set up IDM with Netsight and NAC. It should give you the configurations to use for a non-NAC deployment.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configured-Identity-Management-for-...

User guide link as well:
http://documentation.extremenetworks.com/exos/EXOS_21_1/Identity_Management/c_configuring-identity-m...

Let me know if you get it working.

Stephen

Leonardo Peixoto

Hi Stephen,

I've tried following the guide but it's still not working (on "OneView" or PM).

Any ideas?

Best regards,

-Leo

Stephen Williams, Employee

Leonardo,

Thanks for being very patient.  I have created a new article just for your situation.  Go through it and let me know if it worked for you.


https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-use-EXOS-and-IDM-to-see-end-systems...

Stephen

Erik Auerswald, Embassador

Hi Stephen,

I think there is a typo regarding the SSH module in the article. You wrote:
EXOS 16.2 and 21.1 and older have SSH already installed.
Should it not be EXOS 16.2 and 21.1 and newer have SSH already installed?

Thanks,
Erik

Stephen Williams, Employee

Thanks, good catch!  It's fixed now. 

Leonardo Peixoto

Hi Stephen,

Thanks for the guide...

I've double-checked the config I've created with your guide and it looks the same, but I'm still missing something...

The "show xml-notification statistics" is showing a "Connection Status: fail"...

The configured user for xml-notifications can access the Oneview interface.

Something that can be relevant: the customer's Netsight install doesn't have a valid certificate (Netsight auto-generated cert) configured to accept all certs (server and client).

Any ideas?

Best regards

Stephen Williams, Employee

You can try going to the XML URL in your PC browser and see if you can log in with that user.

https://x.x.x.x:8443/axis/services/event


You will see a page like this:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<soapenv:Reason><soapenv:Text xml:lang="en-US">The endpoint reference (EPR) for the Operation not found is /axis/services/event and the WSA Action = null</soapenv:Text></soapenv:Reason>

Leonardo Peixoto

I've already tried this tip, and was able to login, but got a "500 Internal Server Error" on Internet Explorer. 

(I couldn't try with another browser, because of the customer's security policy).

Enabling the Verbose logging for OneView Web Applications, I can see a lot of logs, all coming from the Wireless Controllers, but nothing from the switch.

Maybe we have some Netsight server problem?

Best regards,

-Leo

 
Stephen Williams, Employee

I got the same thing when using IE.  If the password was wrong you would get a 401 message.

Did you make sure you selected the correct VR when setting up the XML notifications?

Leonardo Peixoto

Hi Stephen,

I got back to this issue now, because our long-term EOS customer started to refresh the old gear for X440-G2.

The same issue arises as happened in my lab... The xml-notification can't connect to the EMC (using the guide posted at the gtacknowledge)... The customer is running EMC 7.1.2.12 and EXOS 21.1.1.4-patch1-5.

X440-G2-RH-01.8 # sh xml-notification configuration
Target Name          : netsight-target_172.18.1.50
Server URL           : https://172.18.1.50:8443/axis/services/event (VR-Default)
Server User Name     : xmlnotification
Enabled              : yes
Queue Size           : 100
Connection Status    : fail
Source IP Address    : 172.18.3.253
Configured Modules   : idMgr
X440-G2-RH-01.9 # sh xml-notification statistics
Target Name             : netsight-target_172.18.1.50
Server URL              : https://172.18.1.50:8443/axis/services/event
Server Queue Size       : 100
Enabled                 : yes
Connection Status       : fail
Events Received         : 5
Connection Failures     : 3
Events Sent Success     : 0
Events Sent Failed      : 5
Events Dropped          : 0
X440-G2-RH-01.14 # sh ssl
HTTPS Port Number: 443 (Enabled)
Signature Algorithm configured: sha512 With RSA Encryption
Private Key matches the Certificate's public key.
RSA Private Key: 2048
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=US, O=Extreme Networks, CN=mX440-G2-RH-01
        Validity
            Not Before: Jul 10 12:59:02 2017 GMT
            Not After : Jul 10 12:59:02 2018 GMT
        Subject: C=US, O=Extreme Networks, CN=mX440-G2-RH-01
Manufacturing certificate: Present


In my lab I found the same issue: With the SAME config, on EXOS 21 it can't connect to EMC, but booting to the EXOS 22 it works fine.

The community and gtacknowledge posts said it works since EXOS 15, and I can't upgrade to EXOS 22 until the next customer maintenance window. 

Any ideas?

Regards,

-Leo
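
An added example, not part of the thread and not Extreme tooling: a small Python parser for the "show xml-notification statistics" output pasted in the post above, which flags targets where IDM events are generated on the switch but never delivered (the condition under which the management server has no username to display). The function names are hypothetical, and the only status value it tests for is the "fail" string shown in the thread.

```python
import re

# "show xml-notification statistics" output, copied from the post above.
SAMPLE = """\
Target Name             : netsight-target_172.18.1.50
Server URL              : https://172.18.1.50:8443/axis/services/event
Server Queue Size       : 100
Enabled                 : yes
Connection Status       : fail
Events Received         : 5
Connection Failures     : 3
Events Sent Success     : 0
Events Sent Failed      : 5
Events Dropped          : 0
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")

def parse_targets(text):
    """Split the CLI output into one dict per 'Target Name' block."""
    targets = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # CLI prompts, blank lines, unrelated output
        key, value = m.groups()
        if key == "Target Name":
            targets.append({})
        if targets:
            targets[-1][key] = int(value) if value.isdigit() else value
    return targets

def findings(target):
    """Reasons why identity events are not reaching the management server."""
    out = []
    if target.get("Enabled") != "yes":
        out.append("target is not enabled")
    if target.get("Connection Status") == "fail":
        out.append("connection status is fail")
    received = target.get("Events Received", 0)
    if received and target.get("Events Sent Success", 0) == 0:
        out.append(f"{received} events received, none delivered")
    if target.get("Events Dropped", 0):
        out.append("events dropped from the queue")
    return out

def failing_targets(text):
    """Map each target name to its findings, omitting healthy targets."""
    report = {t["Target Name"]: findings(t) for t in parse_targets(text)}
    return {name: why for name, why in report.items() if why}
```

Calling failing_targets() on output collected from several switches gives a quick list of the devices whose identity events are silently failing to reach the server.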