
NAC Authentication at Domain Controller

Daniel_B
New Contributor III
Hello Community,

We have one Netsight appliance and two NAC-Controllers in action. The firmware on all of them is 8.0.2.42.

Now that MAC authentication is working very well, we have activated 802.1X authentication on the first switch. At first it works fine, but I have a question about the authentication from the NAC-Manager/NAC-Gateway to the Windows domain controller.

We wanted to restrict the access for the user from the NAC-Manager, which asks the domain for the client user. He should only get access if he comes from the NAC-Gateway. In this way nobody can block the user account by wrong authentications.

Now we looked at the log files from the domain controller. There we see that the access request for the client is not coming from the NAC-Gateway but from the domain controller itself. So we have to give access if the NAC-Admin comes from the domain controller.

Can anybody verify this behavior? Can anybody explain this?

Regards, Daniel

3 REPLIES

Ryan_Yacobucci
Extreme Employee
I'm still not quite sure what you're seeing. Would you be able to attach a screenshot or log to provide details of what you're seeing?

In an LDAP authentication environment all RADIUS traffic will be contained between the authenticating switch and the NAC appliance. NAC will then use DCERPC calls to the domain controller to perform NTLM authentication, not RADIUS.

Thanks
-Ryan

Daniel_B
New Contributor III
Hello Ryan,

We have LDAP authentication running.
I expected authentication data from the NAC to the domain controller, but I see the NAC request with the domain controller as the source system.

Regards Daniel

Ryan_Yacobucci
Extreme Employee
Hello Daniel,

I'm not quite sure what you are asking.

From an authentication perspective there are 2 different ways this could be happening.

Either you have LDAP authentication set up, where RADIUS will be terminated at the NAC, or you have proxy RADIUS, where NAC will relay the RADIUS traffic to the NPS service on the Microsoft server.

The RADIUS request should always flow TO the NPS server and not from.

Thanks
-Ryan