Question

Kerberos Information Not Showing In NAC

  • 22 May 2019
  • 3 replies
  • 273 views

Userlevel 5
Hi,

I have this working on another site, but when trying to replicate it I cannot seem to get it working or find any step I'm missing.

The switch firmware is 22.4.1.4-patch1-2
XMC / Control is 8.2.4.55

The configuration on the switch is as follows:

code:
create xml-notification target nac-target_10.1.0.85 url https://10.1.0.85:8443/axis/services/event vr VR-Default
configure xml-notification target nac-target_10.1.0.85 user admin

Extreme@pp

configure xml-notification target nac-target_10.1.0.85 from 10.1.10.38
configure xml-notification target nac-target_10.1.0.85 add idMgr
enable xml-notification "nac-target_10.1.0.85"

enable ip-security dhcp-snooping vlan Staff ports all violation-action none
enable ip-security dhcp-snooping vlan Students ports all violation-action none

configure trusted-ports 51 trust-for dhcp-server

configure identity-management kerberos snooping add server 10.1.10.71
configure identity-management kerberos snooping add server 10.1.10.72
configure identity-management kerberos snooping add server 10.1.10.70
configure identity-management kerberos snooping add server 10.1.0.74
configure identity-management kerberos snooping add server 10.1.0.75
configure identity-management kerberos snooping add server 10.1.0.73


When you look at XML notification it looks fine:

code:
# show xml-notification statistics 

Target Name : nac-target_10.1.0.85
Server URL : https://10.1.0.85:8443/axis/services/event
Server Queue Size : 100
Enabled : yes
Connection Status : connected
Events Received : 16
Connection Failures : 0
Events Sent Success : 16
Events Sent Failed : 0
Events Dropped : 0


Idmgr also looks fine. I've replaced sensitive information with x's:

code:
# show identity-management entries 
ID Name/ Flags Port MAC/ VLAN Role
Domain Name IP
--------------------------------------------------------------------------------
xxxxxxxx --k- 43 a4:4c:c8:a9:56:be business(1) authenticated
BUSINESS.xxxx.AC.UK 10.1.24.171(1)
xxxxxxxx --k- 13 a4:4c:c8:dd:fa:6c business(1) authenticated
BUSINESS.xxxx.AC.UK 10.1.24.82(1)
xxxxxxxx --k- 33 48:ba:4e:61:a4:23 business(1) authenticated
BUSINESS.xxxx.AC.UK 10.1.27.80(1)
xxxxxxxx --k- 21 18:66:da:2b:92:cc academic(1) authenticated
BUSINESS.xxxx.AC.UK 10.0.25.151(1)
xxxxxxxx --k- 5 18:db:f2:44:b4:4e business(1) authenticated
BUSINESS.xxxx.AC.UK 10.1.24.170(1)



When I look up any of these end-systems in XMC I should see the authentication as 'Kerberos' and the 'User Name' filled in with the username shown in idmgr.

Currently I have MAC auth enabled on the ports only.

XMC Connect Extreme Control Module has the Kerberos function enabled. When I enable debug mode I believe the below is showing me the process is working, but there is no mention of the devices and type of authentication:

code:
2019-05-22 10:23:30,295 DEBUG [com.enterasys.fusion.modules.NetSightHandler] ES Group Storage: Retrieved data for endsystem group [Web Authenticated Users]: com.enterasys.fusion.common.EndSystemGroup@2cc952ee[approvalRequired=false,description=End-Systems that have authenticated through the NAC web interface and been granted permission to access the network,lastUpdate=May 22, 2019 10:23:30 AM,name=Web Authenticated 


I'm seeing all the end-system information like IP, Hostname, Device type & family, but not the user name.

Just wondering if anyone has any ideas.

Thanks in advance
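Added example, not from the post or from Extreme: a small Python parser for the 'show identity-management entries' output quoted above. It pairs each two-line record and lists the identities the switch has flagged as Kerberos-snooped, which is what should show up in XMC with authentication type 'Kerberos'. The meaning of the 'k' flag is assumed from the quoted rows, and the names and addresses in the sample are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample in the two-line-per-record layout of the poster's output.
SAMPLE = """\
ID Name/ Flags Port MAC/ VLAN Role
Domain Name IP
--------------------------------------------------------------------------------
jsmith --k- 43 a4:4c:c8:a9:56:be business(1) authenticated
BUSINESS.example.AC.UK 10.1.24.171(1)
printer01 ---- 7 00:11:22:33:44:55 staff(2) unauthenticated
STAFF.example.AC.UK 10.1.30.5(2)
"""

# Record line 1: name, 4-char flags, port, MAC, vlan(id), role; line 2: domain, ip(count).
FIRST = re.compile(r"^(\S+) +([-\w]{4}) +(\d+) +((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) +(\S+) +(\S+)$", re.I)
SECOND = re.compile(r"^(\S+) +(\d{1,3}(?:\.\d{1,3}){3})\(\d+\)$")

@dataclass
class Identity:
    name: str
    kerberos: bool  # assumed: 'k' in the 4-char flag field ('--k-' in the thread)
    port: int
    mac: str
    vlan: str
    role: str
    domain: str = ""
    ip: str = ""

def parse_entries(text: str) -> list[Identity]:
    """One Identity per two-line record below the dashed separator; other lines are skipped."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    i = next((k + 1 for k, ln in enumerate(lines) if ln.startswith("----")), len(lines))
    entries = []
    while i < len(lines):
        m = FIRST.match(lines[i])
        i += 1
        if m:
            ident = Identity(m[1], "k" in m[2].lower(), int(m[3]), m[4].lower(), m[5], m[6])
            if i < len(lines) and (s := SECOND.match(lines[i])):
                ident.domain, ident.ip = s[1], s[2]
                i += 1
            entries.append(ident)
    return entries

def kerberos_users(text: str) -> list[tuple[str, str, str]]:
    """(user, domain, ip) triples that XMC should list as Kerberos-authenticated."""
    return [(e.name, e.domain, e.ip) for e in parse_entries(text) if e.kerberos]
```

Pasting the real switch output in place of SAMPLE gives a list to compare against the XMC end-system table while waiting for the entries to appear.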

3 replies

Userlevel 5
Well, perhaps it was just because I wasn't patient enough, but I had to leave it at least an hour (I believe) and it started working!

There is probably a very logical explanation for that, but at least I know the configuration works 🙂
Userlevel 7
Hi Martin.

Can it be related to reauthentication? Some properties are updated only in the end-system history and not in the end-system table. Not sure if it is the case with the username.

Z.
Userlevel 5
Thanks for replying Z, sounds logical 🙂
