AD Usernames have gone from Control>End-Systems after turning on Netlogin MAC&dot1x authentication

Ilya_Semenov
Contributor
Hello, everybody,

I've experienced the following issue:

1) I've configured identity-management on all switches; it allowed me to get the hostnames and usernames of my Windows machines per port.
2) I've found out how to send these data to NetSight > Control > End-Systems. Great!
3) But I wanted even more: to get Device Family & Device Type data, and I did. Now I see whether my clients are Android, Windows or Mac OS X.

The problem is that I don't get data in the User Name column in End-Systems anymore. What happened?

There were no configuration changes in identity-management!

I've also noticed that for some Apple clients I get the following error (below). I am not sure they can connect to the network now. Could I fix it somehow?

[screenshot attached in the original post: End-Systems view and the Apple client error]


Many thanks in advance,
Ilya

Ryan_Yacobucci
Extreme Employee
Hello,

I see that you've been able to get it to work. I just wanted to add that in the first screenshot it looks like there is a misconfiguration in the AAA configuration that is not allowing 802.1X, and that the MAC-authenticated session is in a disconnected state.

I do not believe the NAC will perform an end-system update if the end system being updated does not have an active session. If somehow the active session in NAC had become disconnected and NAC then received username information, I don't think we'll populate it, because no active session is found to update.

Thanks
-Ryan

If you are archiving backups of the switch configs, I'd look there for changes: compare the most recent backup with one from when you were still getting the records.

Hi, Ryan,

Actually, I've had only very local success. From about 80 Summits I get only 10-20 rows where an AD username was recorded. I can't identify a pattern for why this happens. All Summit configurations are 98% identical. Almost all ports have a Windows PC connected, so THERE IS Kerberos traffic. There should be thousands of records because of 12000+ Windows workstations! It worked two weeks ago (but without OS Type and Version), and I suppose the customer's admin did something on the X670 core. As usual, he couldn't recall anything. What could it be? ACLs?

Please, share any ideas you have...

Many thanks in advance,

Ilya

This is what I have now:

[screenshot attached in the original post: current End-Systems view]

Ilya_Semenov
Contributor
Hi, Brian,

E28-4.3.1.36 # sh identity-management entries
ID Name/ Flags Port MAC/ VLAN Role
Domain Name IP
--------------------------------------------------------------------------------
0004A32C2139 -m-- 4 00:04:a3:2c:21:39 Vlan16(1) authenticated
-- NA --
001E8C18C045 -m-- 16 00:1e:8c:18:c0:45 Vlan77(1) authenticated
-- NA --
14DAE9B5215D -m-- 7 14:da:e9:b5:21:5d Vlan16(1) authenticated
-- NA --
A0B3CC49A2FB -m-- 1 a0:b3:cc:49:a2:fb Vlan76(1) authenticated
-- NA --
C0A0BB6613BF -m-- 23 c0:a0:bb:66:13:bf Default(4) authenticated
-- NA --
D884668C1C32 -m-- 9 d8:84:66:8c:1c:32 Vlan22(1) authenticated
-- NA --
D884668C1C34 -m-- 11 d8:84:66:8c:1c:34 Vlan22(1) authenticated
-- NA --
D884668C1C3C -m-- 13 d8:84:66:8c:1c:3c Vlan22(1) authenticated
-- NA --
Unknown_3c:F7:A4:> ---- 9 3c:f7:a4:1d:07:b1 Vlan39(1) unauthentica>
10.11.32.180(1)
--------------------------------------------------------------------------------
Flags: k - Kerberos Snooping, l - LLDP Device,
m - NetLogin MAC-Based, w - NetLogin Web-Based,
x - NetLogin 802.1X
Legend: > - VLAN / ID Name / Domain / Role Name truncated to column width
(#) - Total # of associated VLANs/IPs
-- NA --- No IP or VLAN associated
Total number of entries: 9

E28-4.3.1.37 #

I've checked it. Something prevents Kerberos from being snooped by the switches.

I think I've found the reason (it is just a guess). On the core X670 switch, ipmcforwarding was disabled for all VLANs. After I turned it on, I started getting usernames in the "show identity entries" output and in NetSight from at least one edge switch.
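The output quoted above is the check that matters here: an identity entry only carries an AD username when the switch has snooped a Kerberos login for that MAC, which the switch marks with the "k" flag; the entries in the dump are all "-m--" (NetLogin MAC-based only), which is exactly why NetSight shows an empty User Name column. The following is an added example, not code from the thread or from Extreme: a small Python parser for "show identity-management entries" dumps that counts how each entry was learned and lists the ports where MAC-authenticated hosts have no Kerberos identity, so the same check can be run over captures from all 80 Summits to find the pattern. The dump embedded in it is constructed to mimic the quoted output (with one invented "jdoe" entry added to show what a snooped Kerberos identity looks like); the flag letters are taken from the legend the switch prints, and it is assumed that flag meaning is given by the letter rather than its column position.

```python
"""Summarise an EXOS 'show identity-management entries' dump.

Added example, not from the thread. Counts entries by learning method
(k = Kerberos snooping, l = LLDP, m = NetLogin MAC, w = NetLogin web,
x = NetLogin 802.1X, per the legend the switch prints) and lists ports
where a MAC-authenticated host has no Kerberos-snooped identity.
"""
import re
from collections import Counter

# Constructed sample modelled on the output quoted in the thread.
# The 'jdoe' entry is invented to show a Kerberos-snooped identity.
SAMPLE = """\
ID Name/ Flags Port MAC/ VLAN Role
Domain Name IP
--------------------------------------------------------------------------------
0004A32C2139 -m-- 4 00:04:a3:2c:21:39 Vlan16(1) authenticated
-- NA --
jdoe km-- 5 00:11:22:33:44:55 Vlan16(1) authenticated
corp.example 10.11.16.25(1)
14DAE9B5215D -m-- 7 14:da:e9:b5:21:5d Vlan16(1) authenticated
-- NA --
Unknown_3c:F7:A4:> ---- 9 3c:f7:a4:1d:07:b1 Vlan39(1) unauthentica>
10.11.32.180(1)
--------------------------------------------------------------------------------
Flags: k - Kerberos Snooping, l - LLDP Device,
m - NetLogin MAC-Based, w - NetLogin Web-Based,
x - NetLogin 802.1X
Total number of entries: 4
"""

# Main line of an entry: ID name, flags, port, MAC, VLAN(s), role.
ENTRY_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<flags>[-klmwx]{4,5})\s+(?P<port>\S+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<vlan>\S+)\s+(?P<role>\S+)$",
    re.IGNORECASE,
)
# Continuation line carries 'ip(count)' (optionally preceded by a domain).
IP_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\(\d+\)$")


def parse_entries(text):
    """Return one dict per identity entry; header, separator and legend lines are skipped."""
    entries = []
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        m = ENTRY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        entry = m.groupdict()
        entry["ip"] = None
        entry["domain"] = None
        # Second line of the entry: '-- NA --' or '[domain] ip(n)'.
        if i + 1 < len(lines) and not ENTRY_RE.match(lines[i + 1]):
            cont = lines[i + 1]
            if cont != "-- NA --":
                toks = cont.split()
                ipm = IP_RE.match(toks[-1])
                if ipm:
                    entry["ip"] = ipm.group("ip")
                    if len(toks) > 1:
                        entry["domain"] = toks[0]
            i += 1
        entries.append(entry)
        i += 1
    return entries


def summarize(entries):
    """Count learning methods and list MAC-auth ports with no Kerberos identity.

    A MAC-authenticated ('m') entry without 'k' is a host for which the switch
    never snooped a Kerberos login, so NetSight has no username to display.
    """
    flag_counts = Counter()
    for e in entries:
        for f in e["flags"].lower():
            if f != "-":
                flag_counts[f] += 1
    no_kerberos_ports = sorted(
        {e["port"] for e in entries
         if "m" in e["flags"].lower() and "k" not in e["flags"].lower()},
        key=lambda p: (len(p), p),
    )
    unauth = [e["mac"] for e in entries if e["role"].lower().startswith("unauthentica")]
    return {
        "total": len(entries),
        "flag_counts": dict(flag_counts),
        "mac_auth_without_kerberos_ports": no_kerberos_ports,
        "unauthenticated_macs": unauth,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_entries(SAMPLE)).items():
        print(f"{key}: {value}")
```

Feed it the saved output of each switch instead of SAMPLE; a switch where every port lands in mac_auth_without_kerberos_ports is one that is not seeing the Kerberos exchange at all, which is the "something prevents Kerberos from being snooped" symptom rather than a per-host problem.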
