Tuesday
Hello Community,
Apologies if this question is in the wrong section.
We are using XMC- SE and NAC control in our environment. We are currently testing User and Machine Authentication via Certificates. The User and Machine are domain joined and can authenticate as expected.
However, I am finding I cannot authenticate an end user device when I log in with a local administrator account. This makes sense as the settings are set up to use domain joined authentication.
My question is, can local administrator accounts on end user devices somehow be authenticated to give network access? When I log in with the local administrator account, the network drops off after a short time. In XMC I can see for the local administrator account the message "Rejected NTLM Authentication".
Many thanks,
Tuesday
Hello All,
I have added in the credentials as stated in the comments above. This is coming back with Rejected NTLM Authentication.
With User/Machine Authentication the end device is allocated a subnet due to its location. If no rules are met, as in this case with the local administrator account, there is a fallback subnet the end device is allocated.
Is a new rule needed for this? Ideally, I would like the end device to keep the subnet IP like when this is logged in as a domain user.
The messages I have are:
Username: Local Admin, Auth Type: 802.1X, Reason: Rejected NTLM Authentication
Then the session is no longer active due to: Lost Carrier.
Many thanks,
Tuesday
You can configure a specific NAC AAA rule for handling authentication for those local accounts (perhaps you need to change AAA from Basic to Advanced configuration first).
Tuesday
Hello,
You can set up a username/password in the local password repository that can be used with local admin accounts. The "LDAP Authentication" or "Local Authentication" authentication method in your AAA should both also check the local password repository during the authentication. I don't believe you'll need any additional rules, just add the credentials into the local password repository which can be found in the AAA configurations.
Thanks
-Ryan