Displays the entries in the identity management database.
id_name |
Limits the display to entries that contain the specified user ID. |
domain |
Limits the display to entries for the specified domain. |
port_list |
Limits the display to entries for the specified ports. |
mac_address |
Limits the display to entries that contain the specified MAC address. |
vlan_name |
Limits the display to entries that contain the specified VLAN name. |
ip_address |
Limits the display to entries that contain the specified IP address. |
detail |
Expands the display to include more information about identity management entries. |
N/A.
Only admin-level users can execute this command.
The displayed ID Name is the actual user name when Network Login or Kerberos Snooping is enabled. For unknown users, the software creates a user name using the format: User_xxxxxxxxxxxxxxxx. The number in the user name is a 16-bit hash number that is generated using the user‘s port, MAC address, and IP address numbers.
The displayed Domain Name is displayed only if the client is discovered through Kerberos snooping or Dot1x and the domain name is supplied in the form of domain\user). The NetBIOS hostname is only displayed if this information was present in the Kerberos packets.
When the role is shown as multiple, the identity is connected through multiple ports/locations and different roles apply to each device.
The following command displays all entries in the identity management database:
* Switch.4 # show identity-management entries ID Name/ Flags Port MAC/ VLAN Role Domain Name IP -------------------------------------------------------------------------------- Unknown_00:00:00:> ---- 1:3 00:00:00:00:00:22 v1(1) unauthentica> -- NA -- 00005A4B0000 -m-- 1:4 00:00:5a:4b:d1:98 test126(1) Phone 126.0.0.2(1) 00005A4B0000 -m-- 1:4 00:00:5a:4b:d1:9c test128(1) Phone 128.0.0.2(1) 00005A4B0000 -m-- 1:4 00:00:5a:4b:d1:9e test129(1) Phone 129.0.0.2(1) . . . 000105000000 -m-- 1:4 00:01:05:00:03:18 test150(1) Phone -- NA -- OTHER(00:04:96:1e> l--- 4:11 00:04:96:1e:32:80 -- NA -- unauthentica> -- NA -- joe --k- 1 00:00:22:33:55:66 v1(1) authenticated extreme 2.1.3.4(1) bill --k- 2 00:00:22:33:44:55 v1(2) multiple corp.extremenetworks.com 1.2.3.4(1) Unknown_00:00:00:> ---- 1 00:00:00:00:22:33 v1(1) unauthentica> -- NA -- . . . OTHER(02:04:96:51> l--- 4:3 02:04:96:51:77:c7 -- NA -- unauthentica> -- NA -- -------------------------------------------------------------------------------- Flags: k - Kerberos Snooping, l - LLDP Device, m - NetLogin MAC-Based, w - NetLogin Web-Based, x - NetLogin 802.1X Legend: > - VLAN / ID Name / Domain / Role Name truncated to column width (#) - Total # of associated VLANs/IPs -- NA --- No IP or VLAN associated Total number of entries: 60
The following command shows the detail format:
* Switch.4 # show identity-management entries detail - ID: "00005A4B0000", 1 Port binding(s) Role: "Phone" Port: 1:4, 24 MAC binding(s) MAC: 00:00:5a:4b:d1:98, Flags: -m--, Discovered: Fri Sep 24 18:30:17 2010 1 VLAN binding(s) VLAN: "test126", 1 IP binding(s) IPv4: 126.0.0.2 Security Profile: ----, Security Violations: ----; MAC: 00:00:5a:4b:d1:9c, Flags: -m--, Discovered: Fri Sep 24 18:30:17 2010 1 VLAN binding(s) VLAN: "test128", 1 IP binding(s) IPv4: 128.0.0.2 Security Profile: ----, Security Violations: ----; MAC: 00:00:5a:4b:d1:9e, Flags: -m--, Discovered: Fri Sep 24 18:30:17 2010 1 VLAN binding(s) VLAN: "test129", 1 IP binding(s) IPv4: 129.0.0.2 Security Profile: ----, Security Violations: ----; . . . MAC: 00:00:5a:4b:d1:c8, Flags: -m--, Discovered: Fri Sep 24 18:30:17 2010 1 VLAN binding(s) VLAN: "test150", 1 IP binding(s) IPv4: 150.0.0.2 Security Profile: ----, Security Violations: ----; - ID: "000071710000", 1 Port binding(s) Role: "Phone" Port: 1:5, 1 MAC binding(s) MAC: 00:00:71:71:00:01, Flags: -m--, Discovered: Fri Sep 24 19:42:29 2010 1 VLAN binding(s) VLAN: "palani", 0 IP binding(s) - ID: "000105000000", 1 Port binding(s) Role: "Phone" Port: 1:4, 25 MAC binding(s) MAC: 00:01:05:00:03:00, Flags: -m--, Discovered: Fri Sep 24 18:30:17 2010 1 VLAN binding(s) VLAN: "test126", 0 IP binding(s) MAC: 00:01:05:00:03:01, Flags: -m--, Discovered: Fri Sep 24 18:30:17 2010 1 VLAN binding(s) VLAN: "test127", 0 IP binding(s) MAC: 00:01:05:00:03:02, Flags: -m--, Discovered: Fri Sep 24 18:30:17 2010 1 VLAN binding(s) VLAN: "test128", 0 IP binding(s) . . . MAC: 00:01:05:00:03:18, Flags: -m--, Discovered: Fri Sep 24 18:30:18 2010 1 VLAN binding(s) VLAN: "test150", 0 IP binding(s) - ID: "OTHER(00:04:96:1e:32:80)", 8 Port binding(s) Role: "unauthenticated" Port: 4:11, 1 MAC binding(s) MAC: 00:04:96:1e:32:80, Flags: l---, Discovered: Fri Sep 24 18:30:17 2010 0 VLAN binding(s) Port: 4:12, 1 MAC binding(s) MAC: 00:04:96:1e:32:80, Flags: l---, Discovered: Fri Sep 24 18:30:17 2010 0 VLAN binding(s) Port: 4:13, 1 MAC binding(s) MAC: 00:04:96:1e:32:80, Flags: l---, Discovered: Fri Sep 24 18:30:17 2010 0 VLAN binding(s) . . . Port: 4:18, 1 MAC binding(s) MAC: 00:04:96:1e:32:80, Flags: l---, Discovered: Fri Sep 24 18:30:17 2010 0 VLAN binding(s) - ID: "OTHER(02:04:96:51:77:c7)", 2 Port binding(s) Role: "unauthenticated" Port: 1:1, 1 MAC binding(s) MAC: 02:04:96:51:77:c7, Flags: l---, Discovered: Fri Sep 24 18:30:17 2010 0 VLAN binding(s) Port: 4:3, 1 MAC binding(s) MAC: 02:04:96:51:77:c7, Flags: l---, Discovered: Fri Sep 24 18:30:17 2010 0 VLAN binding(s) -------------------------------------------------------------------------------- Flags: k - Kerberos Snooping, l - LLDP Device, m - NetLogin MAC-Based, w - NetLogin Web-Based, x - NetLogin 802.1X Security Profile: a - ARP Validation, d - DoS Protection, g - Gratuitous ARP Protection, r - DHCP Snooping Security Violations: A - ARP Validation Violation, D - DoS Violation G - Gratuitous ARP Violation, R - Rogue DHCP Server Detected
The following command example shows how domain names, NetBIOS hostnames, and multiple roles appear when in use:
Switch.4 # show identity-management entries detail - ID: "john", 1 Port binding(s) Role: "IT-Engineer" Domain: "XYZCorp.com", NetBios hostname: "JOHN-DESKTOP" Port: 17 (Bld-1-Port-1), 1 MAC binding(s) MAC: 00:00:5a:4b:d1:98, Flags: --k-, Discovered: Tue Nov 16 12:22:46 2010 Force Aging TTL: 00:00:02 Inactive Aging TTL: 00:00:03 1 VLAN binding(s) VLAN: "corp", 1 IP binding(s) IPv4: 126.0.0.2 Security Profile: -d--, Security Violations: ----; - ID: "ramesh", 2 Port binding(s) Role: "multiple" Domain: "corp.extremenetworks.com" Port: 1, 1 MAC binding(s) MAC: 00:00:00:00:00:13, Flags: --k-, Discovered: Sat Apr 2 02:23:41 2011 Force Aging TTL: 00:00:02 Inactive Aging TTL: N/A 1 VLAN binding(s) VLAN: "v1", 1 IP binding(s) IPv4: 10.120.89.9 Role: "Engineer" Security Profile: adgsr---, Security Violations: A-------, Port: 2, 1 MAC binding(s) MAC: 00:00:00:00:00:30, Flags: --k-, Discovered: Sat Apr 2 02:24:30 2011 Force Aging TTL: 00:00:02 Inactive Aging TTL: N/A 1 VLAN binding(s) VLAN: "v2", 1 IP binding(s) IPv4: 10.2.3.45 Role: "iphoneEngineer" Security Profile: ----, Security Violations: ----; -------------------------------------------------------------------------------- Flags: k - Kerberos Snooping, l - LLDP Device, m - NetLogin MAC-Based, w - NetLogin Web-Based, x - NetLogin 802.1X Security Profile: a - ARP Validation, d - DoS Protection, g - Gratuitous ARP Protection, r - DHCP Snooping Security Violations: A - ARP Validation Violation, D - DoS Violation G - Gratuitous ARP Violation, R - Rogue DHCP Server Detected
The following command example shows that you can specify multiple options, such as the user name and ports:
show identity-management entries user eelco ports 2:2
This command was first available in ExtremeXOS 12.4.
Kerberos Force Aging TTL and Inactive Aging TTL information was added in ExtremeXOS 12.6.
Support for multiple roles for a single identity was added in ExtremeXOS 12.7.
This command is available on all Universal switches supported in this document.