Kerberos Snooping with 802.1X

Michael_Kirchne — Wed, 07 May 2014 20:23:00 GMT

Hi, Kerberos Snooping allows getting Username Information if a client is authenticated via MAC. But if the client is authenticated via 802.1X through its computer account, the Kerberos Information is ignored. This is reasonable as both (Kerberos and .1X) use the username column and the 802.1X authentication is more confiding. As a result it is not possible to get the information which user is logged into the client.

It is possible to do a user based 802.1X authentication but when it comes to EAP-TLS it is much more overhead to deal with user certificates then with computer certificates. Another point against user authentication is if PEAP is used. In this case the user could use any client in which he enters his credentials.

A solution for this could be a new column in the NAC Manager e.g. "Kerberos Username" which is filled through the kerberos handler. Especially as the purple Extreme switches can do the Kerberos Snooping in the switch, this feature would be very interesting in the near

I hope this feature will be included soon. What do you think about?

Best Regards
Michael

RE: Kerberos Snooping with 802.1X

M_Nees — Fri, 28 Jul 2017 18:13:00 GMT

Is this feature available ???

RE: Kerberos Snooping with 802.1X

M_Nees — Fri, 28 Jul 2017 18:13:00 GMT

After discussion with my co-workers - we believe this feature is available (Netsight V7.x) if you mirror login traffic to NAC appliance (DHCP/kerberos snooping is active by default).
End-System Cache should distribute this information to Netsight aka NAC Manager Client ...

topic RE: Kerberos Snooping with 802.1X in Analytics & Visibility

Kerberos Snooping with 802.1X

RE: Kerberos Snooping with 802.1X

RE: Kerberos Snooping with 802.1X