Solved

"User Name" column is empty in ExtremeControl - Is enabling identity management our only option?

  • 3 July 2019
  • 3 replies
  • 338 views

Userlevel 2
We are using MAC authentication with ExtremeControl and x440-G2 and x460-G2 switches. All columns are populated in the End Systems screen except "User Name". I was told that 802.1x authentication or having users register via a captive portal are two ways to populate that field, but we aren't going to be using either of those. We had previously dabbled with identity management, but had to disable it due to a bug (xos0074493) which is supposedly fixed in XOS 30.2 (not sure we are daring enough to jump to that yet). Is there any way to populate the "User Name" column since we aren't using 802.1x, a captive portal, or enabling identity management at this time? I heard talk of Kerberos snooping, but that looks to require identity management.

Best answer by Ryan Yacobucci 7 July 2019, 01:49

Hello,

I don't have any documentation on detailed steps to set it up.

By default, eth0 of the Control appliance should have DHCP/Kerberos snooping enabled. The requirement would be that the network mirror all Kerberos (port 88) traffic into the NAC's eth0, or you can split out and use eth1 for DHCP/Kerberos snooping as well.

From the perspective of Control, the Kerberos snooping configuration is already enabled by default.

It depends on how the Control appliance is situated in your network and if it would be possible to mirror a centralized link that has all Kerberos traffic.

Thanks
-Ryan

3 replies

Userlevel 6
Hello,

Kerberos snooping on the Control appliance without identity management. The difference is that Identity Management can capture the Kerberos information at the port and send it through an XML notification, while the Control's Kerberos solution requires that all Kerberos traffic be mirrored into the Control's eth port.

Control will snoop Kerberos traffic and update end systems accordingly. You can create rules based on Kerberos as well. The requirement is that the traffic must be mirrored to Control.

Thanks
-Ryan
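
What a sensor on mirrored port 88 traffic has to work with, as an added example that is not part of the thread and is not Extreme's implementation: the client name and realm travel unencrypted in every Kerberos AS-REQ. All function names and the sample message are constructed for illustration.

```python
# Added illustration, not Extreme's code. Input is one Kerberos message as
# carried in a UDP/88 payload (over TCP, strip the 4-byte length prefix first).
def tlv(tag, body):                      # encode one DER element
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def read(buf, pos=0):                    # decode one element -> (tag, body, next)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                         # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + n], pos + n

def items(seq):                          # SEQUENCE TLV -> [(tag, content), ...]
    body, out, pos = read(seq)[1], [], 0
    while pos < len(body):
        tag, val, pos = read(body, pos)
        out.append((tag, val))
    return out

def as_req_user(msg):
    """Return 'user@REALM' from an AS-REQ; None for anything else."""
    try:
        tag, kdc_req, _ = read(msg)
        if tag != 0x6A:                  # [APPLICATION 10] = AS-REQ
            return None
        req_body = dict(items(dict(items(kdc_req))[0xA4]))   # req-body [4]
        pname = dict(items(req_body[0xA1]))                  # cname [1], OPTIONAL
        names = [v.decode("ascii") for _, v in items(pname[0xA1])]
        realm = read(req_body[0xA2])[1].decode("ascii")      # realm [2]
        return "/".join(names) + "@" + realm
    except (IndexError, KeyError, ValueError):               # malformed or no cname
        return None

# Constructed sample: an AS-REQ trimmed to pvno, msg-type, kdc-options,
# cname and realm (a real one also carries sname, till, nonce, etype).
ctx = lambda n, body: tlv(0xA0 | n, body)
gstr = lambda s: tlv(0x1B, s.encode())   # GeneralString
def sample_as_req(user="jdoe", realm="EXAMPLE.COM", app_tag=0x6A):
    cname = tlv(0x30, ctx(0, tlv(0x02, b"\x01")) + ctx(1, tlv(0x30, gstr(user))))
    body = tlv(0x30, ctx(0, tlv(0x03, bytes(5))) + ctx(1, cname) + ctx(2, gstr(realm)))
    return tlv(app_tag, tlv(0x30, ctx(1, tlv(0x02, b"\x05")) + ctx(2, tlv(0x02, b"\x0a")) + ctx(4, body)))

if __name__ == "__main__": print(as_req_user(sample_as_req()))
```
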
Userlevel 2
Do you have a link to the steps to set that up? What I had seen involved the "enable identity-management" command which is then what can trigger an issue related to bug xos0074493.