show username in OneView if I do 802.1x with computer certificate

Hello everybody

I have an Extreme switch (x430-8p) with port 1 configured like this:
configure netlogin vlan v0889-netlogin
enable netlogin dot1x mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
enable netlogin ports 1 dot1x
enable netlogin ports 1 mac
configure netlogin ports 1 mode mac-based-vlans
configure netlogin ports 1 no-restart
enable netlogin authentication failure vlan ports 1
enable netlogin authentication service-unavailable vlan ports 1
configure netlogin authentication failure vlan vgast ports 1
configure netlogin authentication service-unavailable vlan vgast ports 1

On the Extreme NAC I have configured a 802.1x Policy:
Authentication: 802.1x (EAP-TLS)
user: LDAP User-group
Location: this switch (x430-8p)
Profile: returns an accept policy with a VLAN tag.

This works fine so far.

But now I see in OneView only the computer name (host/xxxxx) as the user name.
How can I get the real username there (for example.
Do I have to use Kerberos too?

Thank you,
Br, Yves


No you do not have to use Kerberos.

Most probably you did not enable Computer and User authentication on your Windows IEEE 802.1x client, so you only authenticate the computer. You also need user certificates to allow user authentication.
Hi Piotr,

but I have only a computer certificate configured in the GPO.
Is there nevertheless a way to get the username?

I have attached the end-system details.
The 4th rule is only a Kerberos passthrough, which shows the username. But in the summary end-system view I see only the latest rule (1st rule), which shows the computer name instead of the user name. Do you know what I mean?


NAC can only display the username if it has been provided either by 802.1x authentication or by Kerberos snooping. If the end system is not configured to authenticate with "user and computer" authentication, this information will never be provided and NAC won't be able to display it.

Kerberos is tricky. If you log in to the domain, NAC can snoop the user name, but if your user maps a network drive and chooses a different username, then Kerberos will update the username in NAC, which can lead to a policy change. So I am not a fan of Kerberos in such a scenario.

If you want to do it right, you need user certificates. It is not so complicated, as you can get user certificates using auto-enrolment in Active Directory: whenever a user logs into a Windows client and Windows does not have a user certificate, Windows AD will create and/or download the certificate to the Windows client. Then you will have your username.
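As an added illustration (not part of this thread and not Extreme NAC code), a small Python check over authentication records that tells machine identities apart from user identities: a Windows supplicant doing computer authentication presents an identity of the form host/<computer>, while user authentication presents a UPN (user@domain) or a DOMAIN\user name. The records, MAC addresses and names below are constructed, and the record format is an assumption, not a real NAC export.

```python
import re
from collections import defaultdict

# Constructed sample (endpoint MAC, EAP identity) records; locally administered
# MACs and example.local names so they are obviously not real.
SAMPLE_AUTHS = [
    ("02:00:00:00:00:01", "host/laptop01.example.local"),
    ("02:00:00:00:00:01", "host/laptop01.example.local"),  # re-auth, still machine only
    ("02:00:00:00:00:02", "host/desk07.example.local"),
    ("02:00:00:00:00:02", "asmith@example.local"),          # user auth after machine auth
    ("02:00:00:00:00:03", "host/desk09.example.local"),
    ("02:00:00:00:00:04", "EXAMPLE\\jdoe"),
]

# Windows machine authentication uses the host/<computer FQDN> identity form.
MACHINE_RE = re.compile(r"^host/", re.IGNORECASE)
# User identities: UPN (user@domain) or down-level (DOMAIN\user).
UPN_RE = re.compile(r"^[^@\\/]+@[^@\\/]+$")
DOWNLEVEL_RE = re.compile(r"^[^@\\/]+\\[^@\\/]+$")


def classify_identity(identity):
    """Return 'machine', 'user' or 'unknown' for one EAP identity string."""
    if MACHINE_RE.match(identity):
        return "machine"
    if UPN_RE.match(identity) or DOWNLEVEL_RE.match(identity):
        return "user"
    return "unknown"


def endpoints_without_user_auth(records):
    """Sorted MACs for which only machine identities were ever seen.

    These are the endpoints whose summary view will only ever show
    host/<computer>, i.e. the symptom described in the question.
    """
    kinds_seen = defaultdict(set)
    for mac, identity in records:
        kinds_seen[mac].add(classify_identity(identity))
    return sorted(mac for mac, kinds in kinds_seen.items() if kinds == {"machine"})


def latest_identity(records):
    """Last identity seen per endpoint, mirroring a 'latest rule wins' summary."""
    latest = {}
    for mac, identity in records:
        latest[mac] = identity
    return latest
```

Running endpoints_without_user_auth over a real accounting export lists the endpoints where only the computer certificate is being used, which is where user certificates (or user and computer authentication on the client) are still missing.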
Hello Ryan and Piotr,

Okay, thanks for your feedback. I see your points.
I will check this.

Thanks, Yves