
Local Administrator account and Extreme NAC


ExtremeNewbie
New Contributor II

Hello Community,

 

Apologies if this question is in the wrong section.

We are using XMC- SE and NAC control in our environment.  We are currently testing User and Machine Authentication via Certificates.  The User and Machine are domain joined and can authenticate as expected.

However, I am finding I cannot authenticate an end user device when I log in with a local administrator account.  This makes sense as the settings are set up to use domain joined authentication.

My question is, can local administrator accounts on end user devices somehow be authenticated to give network access?  When I log in with the local administrator account, the network drops off after a short time.  In XMC I can see for the local administrator account the message "Rejected NTLM Authentication".

Many thanks,

8 REPLIES 8

Ryan_Yacobucci
Extreme Employee

Hello,

I was incorrect in my first response. 

In addition to the Local Password Repository account you'll need to create an AAA account to look to the local password repository. 

For example: 

Ryan_Yacobucci_0-1758123473985.png


The AAA line should be set to look for "Authentication Type" of "Management Login" with a pattern defined as the local user that is attempting to authenticate.

 

Authentication Method should be set to Local Authentication. 

Make sure the placement of this new AAA rule will be used. The AAA runs like an ACL, first match wins, so if you put this rule at the bottom and a rule in the AAA higher up is a match, this new rule will not be used.

Once this is in place, you should be able to get authentication to succeed.

Thanks

-Ryan
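
To illustrate the first-match-wins ordering described in the reply above, here is an added example (not from the original post or from Extreme Networks) that models an ordered AAA rule list and reports which earlier rule shadows a newly added one. The rule names, the `localadmin` user, the `Any` type, the `LDAP Authentication` sample value and the glob-style pattern matching are assumptions of this simplified model.

```python
from fnmatch import fnmatchcase

# Constructed, simplified rule list, top to bottom as evaluated. Field values
# other than "Management Login" / "Local Authentication" are sample values.
RULES = [
    {"name": "Domain catch-all", "auth_type": "Any", "pattern": "*",
     "method": "LDAP Authentication"},
    {"name": "Local admin", "auth_type": "Management Login",
     "pattern": "localadmin", "method": "Local Authentication"},
]

def rule_matches(rule, auth_type, user):
    """A rule matches when both its type and its user pattern match."""
    type_ok = rule["auth_type"] in ("Any", auth_type)
    # Assumption: glob-style patterns; the product's matching may differ.
    return type_ok and fnmatchcase(user, rule["pattern"])

def first_match(rules, auth_type, user):
    """Return the first matching rule, as an ACL would, or None."""
    for rule in rules:
        if rule_matches(rule, auth_type, user):
            return rule
    return None

def shadowing_rule(rules, wanted_name, auth_type, user):
    """Name of the earlier rule that wins instead of `wanted_name`, else None."""
    winner = first_match(rules, auth_type, user)
    if winner is None or winner["name"] == wanted_name:
        return None
    return winner["name"]

def move_to_top(rules, wanted_name):
    """Return a new ordering with the named rule evaluated first."""
    wanted = [r for r in rules if r["name"] == wanted_name]
    return wanted + [r for r in rules if r["name"] != wanted_name]

if __name__ == "__main__":
    request = ("Management Login", "localadmin")
    print("shadowed by:", shadowing_rule(RULES, "Local admin", *request))
    fixed = move_to_top(RULES, "Local admin")
    print("after reorder:", first_match(fixed, *request)["method"])
```
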

 

@Ryan_Yacobucci  - thanks for the reply.  Is the AAA account added in the option below?

ExtremeNewbie_0-1758191738564.png

I also have AAA Rules under configuration; please see below.

ExtremeNewbie_1-1758191815331.png

Which option is the best place for this?  I also have other AAA Rules and, like you have said, need to ensure this is placed correctly.

Many thanks,

Hello All,

I have created the AAA Rule as suggested; please see below.  This does not match the rule and goes straight to CatchAll when trying to log in as the local administrator account.  I have tried with and without the Password Authentication option as in the screenshot below.

 

To confirm, the local administrator account has been added to the Local Password Repository under the Default option and the rule has been created as below.

 

ExtremeNewbie_0-1758206256477.png

Any other suggestions?

Thanks,

Hello, 

You need an AAA rule to handle the authentication, and you need a rules engine rule to handle the authorization. 

See this article for an example: 
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000081977

Thanks
-Ryan
