Local Administrator account and Extreme NAC

ExtremeNewbie
New Contributor II

Hello Community,


Apologies if this question is in the wrong section.

We are using XMC- SE and NAC control in our environment.  We are currently testing User and Machine Authentication via Certificates.  The User and Machine are domain joined and can authenticate as expected.

However, I am finding I cannot authenticate an end user device when I login with a local administrator account.  This makes sense as the settings are setup to use domain joined authentication.

My question is, can local administrator accounts on end user devices somehow be authenticated to give network access?  When I login with the local administrator account, the network drops off after a short time.  In XMC I can see for the local administrator account the message "Rejected NTLM Authentication".

Many thanks,


Hello, 

You need an AAA rule to handle the authentication, and you need a rules engine rule to handle the authorization. 

See this article for an example: 
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000081977

Thanks
-Ryan

@Ryan_Yacobucci - Thanks for the reply. I have gone through the document. One item to note is that the local administrator account is not a domain account. The link in your reply above refers to a domain administrator account. I set this up as Local Authentication - see screenshot below.

(two screenshots of the Local Authentication settings, attached as images)

As such, I don't believe NTLM Authentication will work as LDAP Authentication Type needs to be local as in the screenshot above. If I have misread this I apologise. To reiterate, the account needed is a Local Administrator account (end user device) and this is not a domain account.

Many Thanks,


You are correct, since there is no LDAP integration you cannot utilize an LDAP criteria in order to match a rule to provide mgmt RADIUS attributes. 

Instead, you would need to define a "username" user group with the users you want to allow access.

There are two main concepts that need to be considered here:
1. The authentication from the switch needs to be processed. 
This is the AAA with local password authentication. 

This will only perform the "Accept" or "Reject" based on user password. To gain access to switches, you need to provide a RADIUS attribute to provide an authorization level, which leads us to #2.

2. The Control appliance needs to send a RADIUS attribute to allow management access, and at which level the user is authorized. (Read only versus Read/Write)

This is the purpose of the rule in Control rules engine. There needs to be a rule that matches on management authentication to provide the appropriate RADIUS attribute (Service-Type=6 usually) to gain read/write management access.

While you do not have the ability to do an LDAP lookup, you need a rule to provide the "Service-Type=6" attribute for management access.

In turn, you also need a rule to Reject users that are NOT allowed. With switch engine/EXOS an "Accept" is enough to get read-only access, so a reject needs to be returned to prevent anyone hitting the "catch-all" rule and getting an "accept".


Thanks
-Ryan
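To make the two-step split in the reply above concrete, here is an added illustration; it is not Extreme Control's engine or its policy format, and the user names, passwords, group membership and rule order are constructed. It shows why an explicit management Reject rule has to sit before the catch-all Accept.

```python
"""Toy model of AAA (step 1) plus rules-engine authorization (step 2).
Constructed example: names, passwords and rule order are invented."""
from dataclasses import dataclass, field

# RFC 2865 Service-Type values: 6 = Administrative-User (read/write CLI),
# 7 = NAS-Prompt-User (read-only CLI). Only the value 6 is used below.
SERVICE_TYPE_ADMIN = 6

# Constructed local "username" group used by local password authentication.
LOCAL_USERS = {"netadmin": "S3cret!", "helpdesk": "Pass!"}
ADMIN_GROUP = {"netadmin"}          # only this user may get read/write

@dataclass
class Request:
    username: str
    password: str
    mgmt: bool                      # True = switch management login

@dataclass
class Response:
    code: str                       # "Access-Accept" or "Access-Reject"
    attrs: dict = field(default_factory=dict)

def authenticate(req: Request) -> bool:
    """Step 1 (AAA): local password check. Accept/Reject only, no authorization."""
    return LOCAL_USERS.get(req.username) == req.password

def authorize(req: Request, rules) -> Response:
    """Step 2 (rules engine): first matching rule decides the RADIUS attributes."""
    for match, response in rules:
        if match(req):
            return response
    return Response("Access-Reject")

def evaluate(req: Request, rules) -> Response:
    if not authenticate(req):
        return Response("Access-Reject")
    return authorize(req, rules)

# Ordered rules. Without the middle Reject, any authenticated user who is
# not in ADMIN_GROUP falls through to the catch-all Accept, and on
# EXOS/Switch Engine a bare Accept is enough for read-only CLI access.
RULES_WITH_REJECT = [
    (lambda r: r.mgmt and r.username in ADMIN_GROUP,
     Response("Access-Accept", {"Service-Type": SERVICE_TYPE_ADMIN})),
    (lambda r: r.mgmt, Response("Access-Reject")),      # explicit mgmt reject
    (lambda r: True, Response("Access-Accept")),        # catch-all
]
RULES_WITHOUT_REJECT = [RULES_WITH_REJECT[0], RULES_WITH_REJECT[2]]
```

Run `evaluate(Request("helpdesk", "Pass!", True), rules)` against both rule lists to see the catch-all leak turn into a Reject.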

@Ryan_Yacobucci - thanks for the reply.  Is there documentation showing how to put this in place?

Many thanks,


ExtremeNewbie
New Contributor II

Hello All,

I have added in the credentials as stated in the comments above.  This is coming back with Rejected NTLM Authentication.

With User/Machine Authentication the end device is allocated a subnet due to its location. If no Rules are met, as in this case with the local administrator account, there is a fallback subnet the end device is allocated.

Is a new rule needed for this? Ideally, I would like the end device to keep the subnet IP like when it is logged in as a domain user.

The messages I have are:

Username: Local Admin, Auth Type: 802.1X, Reason: Rejected NTLM Authentication

Then the session is no longer active due to: Lost Carrier.

Many thanks,
