
show username in OneView if I do 802.1x with computer certificate

Yves_Haslimann
New Contributor III
Hello everybody,

I have an Extreme switch (x430-8p) which has port 1 configured like this:
configure netlogin vlan v0889-netlogin
enable netlogin dot1x mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
enable netlogin ports 1 dot1x
enable netlogin ports 1 mac
configure netlogin ports 1 mode mac-based-vlans
configure netlogin ports 1 no-restart
enable netlogin authentication failure vlan ports 1
enable netlogin authentication service-unavailable vlan ports 1
configure netlogin authentication failure vlan vgast ports 1
configure netlogin authentication service-unavailable vlan vgast ports 1

On the Extreme NAC I have configured a 802.1x Policy:
Authentication: 802.1x (EAP-TLS)
user: LDAP User-group
Location: this switch (x430-8p)
Profile: returns an accept policy with a VLAN tag.

This works fine so far.

But now, in OneView I see only the computer name (host/xxxxx) as the user name.
How can I get the real user name there (for example user.xy@domain.com)?
Do I have to use Kerberos too?

Thank you,
Br, Yves

5 REPLIES

Yves_Haslimann
New Contributor III
Hello Ryan and Piotr,

okay, thanks for your feedback. I see your points.
I will check this.

Thanks, Yves

Piotr_Szolkowsk
Extreme Employee
Kerberos is tricky. If you log in to the domain, NAC can snoop the user name, but if your user maps a network drive and chooses a different username, then Kerberos will update the username in NAC, which can lead to a policy change. So I am not a fan of Kerberos in such a scenario.

If you want to do it right, you need user certificates. It is not so complicated, as you can get user certificates using auto-enrolment in Active Directory: whenever a user logs in to the Windows client and Windows does not have a user certificate, Windows AD will create and/or download a certificate to the Windows client. Then you will have your username.

Ryan_Yacobucci
Extreme Employee
Hello,

NAC can only display the username if it has been provided either by 802.1x authentication, or Kerberos snooping. If the end system is not configured to authenticate with "user and computer" authentication this information will never be provided and NAC won't be able to display it.

Thanks
-Ryan
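Both replies above come down to two preconditions on the Windows client: the wired 802.1X profile must do "user or computer" authentication, and the logged-on user must hold a certificate that EAP-TLS can present (Client Authentication EKU, UPN in the Subject Alternative Name). The following PowerShell is an added check, not code from this thread or from Extreme; it assumes a Windows 10/Server 2016 or later client with the Wired AutoConfig service running, is run as the interactive user, and uses `netsh lan export profile`, whose exported XML follows the Microsoft LANProfile/OneX schema. Listing machine-store private keys may need elevation, so the machine certificate row is informational only.

```powershell
# Added example (not from the thread): on a Windows 802.1X supplicant, report whether
# the switch/NAC could ever receive a *user* identity instead of host/<name>.
#   1. wired 802.1X profile authMode must not be machineOnly (needs machineOrUser or userOnly)
#   2. the current user needs a certificate with the Client Authentication EKU and a UPN in the SAN
# Assumptions: netsh lan export syntax as on Windows 10 / Server 2016+, run as the interactive user.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$sanOid        = '2.5.29.17'           # subjectAltName

function Get-EapTlsCandidates {
    param([string]$StorePath)
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid } } |
        ForEach-Object {
            $san     = $_.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
            $sanText = if ($san) { $san.Format($true) } else { '' }
            # EAP-TLS user certs carry the UPN as an otherName in the SAN; machine certs carry a DNS name.
            $upn = if ($sanText -match 'Principal Name=([^\s,]+)') { $Matches[1] } else { $null }
            $dns = if ($sanText -match 'DNS Name=([^\s,]+)')       { $Matches[1] } else { $null }
            [pscustomobject]@{
                Store         = $StorePath
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey   # may read $false for machine certs without elevation
                UPN           = $upn
                DnsName       = $dns
                NotAfter      = $_.NotAfter
            }
        }
}

function Get-WiredAuthMode {
    # Export every wired profile to a scratch folder and read authMode / EAP type out of the XML.
    $dir = Join-Path $env:TEMP ('lanprof-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        netsh lan export profile folder="$dir" | Out-Null
        Get-ChildItem -Path $dir -Filter *.xml | ForEach-Object {
            [xml]$p = Get-Content -Path $_.FullName -Raw
            # local-name() sidesteps the several namespaces used inside the profile
            $mode = $p.SelectSingleNode("//*[local-name()='authMode']")
            $type = $p.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
            [pscustomobject]@{
                Profile  = $_.BaseName
                AuthMode = if ($mode) { $mode.InnerText } else { '(not set, schema default)' }
                EapType  = if ($type) { $type.InnerText } else { '(none)' }   # 13 = EAP-TLS
            }
        }
    } finally {
        Remove-Item -Recurse -Force $dir -ErrorAction SilentlyContinue
    }
}

$profiles     = @(Get-WiredAuthMode)
$userCerts    = @(Get-EapTlsCandidates -StorePath 'Cert:\CurrentUser\My')
$machineCerts = @(Get-EapTlsCandidates -StorePath 'Cert:\LocalMachine\My')

$profiles | Format-Table -AutoSize
$machineCerts + $userCerts | Format-Table Store, UPN, DnsName, HasPrivateKey, NotAfter -AutoSize

if (-not ($userCerts | Where-Object { $_.UPN })) {
    Write-Warning 'No user certificate with a UPN in the SAN: EAP-TLS can only present host/<name>, so NAC keeps showing the computer name.'
}
if ($profiles | Where-Object { $_.AuthMode -eq 'machineOnly' }) {
    Write-Warning 'Wired profile is machineOnly: the supplicant never sends the user identity even when a user certificate exists.'
}
```

If the first warning fires, the fix is on the CA side (publish a user template with Client Authentication and "Build from Active Directory information" including the UPN, allow Autoenroll for the user group, and enable user certificate auto-enrollment in GPO); if the second fires, switch the wired profile to "User or computer authentication". Only when both pass will the RADIUS request carry the UPN that OneView can show as the username.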

Yves_Haslimann
New Contributor III
Hi Piotr,

but I only have a computer certificate configured in the GPO.
Is there nevertheless a way to get the username?

See the attached end-system details.
The 4th rule is only a Kerberos passthrough, which shows the username. But in the summary end-system view I see only the latest rule (the 1st rule), which shows the computer name instead of the user name. Do you know what I mean?

