Kerberos Information Not Showing In NAC

Anonymous
Not applicable
‎05-22-2019 02:21 PM
Hi,
I have this working on another site, but when trying to replicate it I cannot get it working or find any step I'm missing.
The switch firmware is 22.4.1.4-patch1-2
XMC / Control is 8.2.4.55
The configuration on the switch is as follows:
code:
create xml-notification target nac-target_10.1.0.85 url https://10.1.0.85:8443/axis/services/event vr VR-Default
configure xml-notification target nac-target_10.1.0.85 user admin
Extreme@pp
configure xml-notification target nac-target_10.1.0.85 from 10.1.10.38
configure xml-notification target nac-target_10.1.0.85 add idMgr
enable xml-notification "nac-target_10.1.0.85"
enable ip-security dhcp-snooping vlan Staff ports all violation-action none
enable ip-security dhcp-snooping vlan Students ports all violation-action none
configure trusted-ports 51 trust-for dhcp-server
configure identity-management kerberos snooping add server 10.1.10.71
configure identity-management kerberos snooping add server 10.1.10.72
configure identity-management kerberos snooping add server 10.1.10.70
configure identity-management kerberos snooping add server 10.1.0.74
configure identity-management kerberos snooping add server 10.1.0.75
configure identity-management kerberos snooping add server 10.1.0.73
When you look at XML notification it looks fine:
code:
# show xml-notification statistics
Target Name : nac-target_10.1.0.85
Server URL : https://10.1.0.85:8443/axis/services/event
Server Queue Size : 100
Enabled : yes
Connection Status : connected
Events Received : 16
Connection Failures : 0
Events Sent Success : 16
Events Sent Failed : 0
Events Dropped : 0
Idmgr also looks fine. I've replaced sensitive information with x's:
code:
# show identity-management entries
ID Name/              Flags  Port  MAC/                  VLAN          Role
Domain Name                        IP
--------------------------------------------------------------------------------
xxxxxxxx              --k-   43    a4:4c:c8:a9:56:be     business(1)   authenticated
BUSINESS.xxxx.AC.UK                10.1.24.171(1)
xxxxxxxx              --k-   13    a4:4c:c8:dd:fa:6c     business(1)   authenticated
BUSINESS.xxxx.AC.UK                10.1.24.82(1)
xxxxxxxx              --k-   33    48:ba:4e:61:a4:23     business(1)   authenticated
BUSINESS.xxxx.AC.UK                10.1.27.80(1)
xxxxxxxx              --k-   21    18:66:da:2b:92:cc     academic(1)   authenticated
BUSINESS.xxxx.AC.UK                10.0.25.151(1)
xxxxxxxx              --k-   5     18:db:f2:44:b4:4e     business(1)   authenticated
BUSINESS.xxxx.AC.UK                10.1.24.170(1)
When I look up any of these end-systems in XMC I should see the authentication as 'Kerberos' and the 'User Name' filled in with the username shown in idmgr.
Currently I have MAC auth enabled on the ports only.
XMC Connect Extreme Control Module has the Kerberos function enabled. When I enable debug mode I believe the below is showing me the process is working, but there is no mention of the devices or the type of authentication:
code:
2019-05-22 10:23:30,295 DEBUG [com.enterasys.fusion.modules.NetSightHandler] ES Group Storage: Retrieved data for endsystem group [Web Authenticated Users]: com.enterasys.fusion.common.EndSystemGroup@2cc952ee[approvalRequired=false,description=End-Systems that have authenticated through the NAC web interface and been granted permission to access the network,lastUpdate=May 22, 2019 10:23:30 AM,name=Web Authenticated
I'm seeing all the end-system information like IP, Hostname, Device type & family, but not the user name.
Just wondering if anyone has any ideas.
Thanks in advance
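The two outputs in the post are the only evidence the switch gives that the Kerberos-to-XMC pipeline is healthy: the xml-notification target must be connected with no failed or dropped events, and the identity-management table must hold entries with the Kerberos flag for the MACs that XMC is missing usernames for. The script below is an added example, not Extreme's code or a tool from the post; it parses both outputs and lists the username/MAC/IP triples that XMC should be showing. It assumes that the 'k' flag marks identities learned via Kerberos snooping and that entries print as two-line rows under a dashed rule, as in the post; the sample rows are the post's own plus one constructed non-Kerberos row.

```python
"""Sanity-check EXOS 'show xml-notification statistics' and
'show identity-management entries' output before chasing the XMC side.
Hypothetical helper written for this thread, not an Extreme utility."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the xml-notification statistics output quoted in the post.
XML_STATS = """\
Target Name : nac-target_10.1.0.85
Server URL : https://10.1.0.85:8443/axis/services/event
Server Queue Size : 100
Enabled : yes
Connection Status : connected
Events Received : 16
Connection Failures : 0
Events Sent Success : 16
Events Sent Failed : 0
Events Dropped : 0
"""

# Constructed sample: two rows from the post (usernames masked as in the post)
# plus one made-up non-Kerberos entry with no domain line.
IDM_ENTRIES = """\
ID Name/              Flags  Port  MAC/                  VLAN          Role
Domain Name                        IP
--------------------------------------------------------------------------------
xxxxxxxx              --k-   43    a4:4c:c8:a9:56:be     business(1)   authenticated
BUSINESS.xxxx.AC.UK                10.1.24.171(1)
xxxxxxxx              --k-   13    a4:4c:c8:dd:fa:6c     business(1)   authenticated
BUSINESS.xxxx.AC.UK                10.1.24.82(1)
printer01             ----   33    48:ba:4e:61:a4:23     business(1)   authenticated
                                   10.1.27.80(1)
"""


@dataclass
class Identity:
    name: str
    flags: str
    port: str
    mac: str
    vlan: str
    role: str
    domain: str
    ip: str

    @property
    def kerberos(self) -> bool:
        # Assumption: 'k' in the Flags column means learned by Kerberos snooping.
        return "k" in self.flags


def parse_xml_stats(text: str) -> Dict[str, str]:
    """Turn 'Key : Value' lines into a dict."""
    stats: Dict[str, str] = {}
    for line in text.splitlines():
        if " : " in line:
            key, _, value = line.partition(" : ")
            stats[key.strip()] = value.strip()
    return stats


def notification_problems(stats: Dict[str, str]) -> List[str]:
    """Return a list of reasons the target is not delivering events to XMC."""
    problems: List[str] = []
    if stats.get("Enabled") != "yes":
        problems.append("target not enabled")
    if stats.get("Connection Status") != "connected":
        problems.append("not connected to XMC")
    for counter in ("Connection Failures", "Events Sent Failed", "Events Dropped"):
        if stats.get(counter, "0") != "0":
            problems.append(f"{counter} = {stats[counter]}")
    if stats.get("Events Received") != stats.get("Events Sent Success"):
        problems.append("events received and sent successfully differ")
    return problems


# IPv4 address, optionally followed by the '(n)' suffix seen in the table.
_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\(\d+\))?$")


def parse_idm_entries(text: str) -> List[Identity]:
    """Parse the two-line rows that follow the dashed header rule."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    start = next(i for i, ln in enumerate(lines) if ln.startswith("----")) + 1
    rows = lines[start:]
    entries: List[Identity] = []
    for first, second in zip(rows[0::2], rows[1::2]):
        name, flags, port, mac, vlan, role = first.split(None, 5)
        parts = second.split()
        domain = parts[0] if len(parts) == 2 else ""  # no domain for non-Kerberos rows
        match = _IP.match(parts[-1])
        ip = match.group(1) if match else parts[-1]
        entries.append(Identity(name, flags, port, mac, vlan, role.strip(), domain, ip))
    return entries


def expected_in_xmc(entries: List[Identity]) -> Dict[str, Dict[str, str]]:
    """MAC -> {user, domain, ip} for every Kerberos-learned identity; these are
    the end-systems whose XMC 'User Name' field should be populated."""
    return {e.mac: {"user": e.name, "domain": e.domain, "ip": e.ip}
            for e in entries if e.kerberos}


if __name__ == "__main__":
    print("notification problems:", notification_problems(parse_xml_stats(XML_STATS)) or "none")
    for mac, info in expected_in_xmc(parse_idm_entries(IDM_ENTRIES)).items():
        print(f"{mac}  {info['domain']}\\{info['user']}  {info['ip']}")
```

Run it against the real outputs of the two show commands; if the notification check is clean and the Kerberos MACs are listed, the switch side is done and the gap is on the XMC side (the replies below point at end-system reauthentication and simple propagation delay).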
3 REPLIES

Anonymous
Not applicable
‎05-27-2019 08:51 PM
Thanks for replying Z, sounds logical.
‎05-24-2019 06:20 AM
Hi Martin.
Can it be related to reauthentication? Some properties are updated only in the end-system history and not in the end-system table. Not sure if it is the case with the username.
Z.
Regards
Zdeněk Pala

Anonymous
Not applicable
‎05-22-2019 03:39 PM
Well, perhaps it was just because I wasn't patient enough, but I had to leave it at least an hour (I believe) and it started working!
There is probably a very logical explanation for that, but at least I know the configuration works.
