Identity Information Capture

The identity management feature collects user and device data whenever users or devices connect to or disconnect from the switch. Table 1 lists the identity management attributes that the identity manager process collects from the listed switch software components.
Table 1. Identity (User/Device) Attributes and Source Software Components
Attribute NetLogin LLDP FDB IP-Security Kerberos Snooping
User's MAC address X X X X X
Authentication and unauthentication time stamp X X X X X
User's port X X X X X
User's VLANs X X X X
User's identity X X X
IPv4 to MAC binding X X X
NetLogin authentication protocol X
Authentication failures X
Device capabilities [a] X
Device model name [a] X
Device manufacturer name [a] X

The software components in Identity (User/Device) Attributes and Source Software Components trigger identity attribute collection when a user or device connects to the switch. All components provide the MAC address, authentication and unauthentication time stamps, and the port to which the identity connected. When multiple components are triggered by a user or device connection, the triggers usually happen at different times. Identity manager responds to all identity event triggers, adding additional information to the identity database each time it becomes available.

To capture all the available attribute information listed in Identity (User/Device) Attributes and Source Software Components, enable the following features:

By default, the identity management feature uses Kerberos snooping to collect information from all devices that are connected to identity management enabled ports and that perform Kerberos authentication. Kerberos authentication, or ticketing, is used by Microsoft's Active Directory. The Kerberos snooping feature collects identity attributes from Kerberos Version 5 traffic. This feature does not capture information from earlier versions of Kerberos.

Note

We recommend that you enable CPU DoS protect in combination with Kerberos snooping to make sure the CPU is not flooded with mirrored Kerberos packets in the event of a DoS attack on Kerberos TCP/UDP ports. If the rate limiting capability is leveraged on capable platforms, it is applied on CPU mirrored packets.

Because an identity entry in the identity manager database can contain information from various software components (listed in Identity (User/Device) Attributes and Source Software Components), when a component other than a network login triggers an identity removal, only the attributes supplied by that component are removed from the identity. When network login triggers an identity removal, all attributes for that identity are removed from the identity manager database.
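The merge and removal rules described above can be modelled in a few lines. This is an added example, not switch or vendor code: the class, the choice to key identities by MAC address, the dropping of empty entries, and all sample values are assumptions made for illustration.

```python
# Added illustration of the identity database rules; not ExtremeXOS code.
# Component names follow Table 1. Keying by MAC and all sample values are
# assumptions constructed for this example.
NETLOGIN = "NetLogin"

class IdentityDB:
    def __init__(self):
        self._entries = {}  # mac -> component -> attributes it supplied

    def connect(self, component, mac, **attrs):
        """Each trigger adds what that component knows to the identity."""
        by_component = self._entries.setdefault(mac, {})
        by_component.setdefault(component, {}).update(attrs)

    def disconnect(self, component, mac):
        """Apply the removal rule for the component that triggered it."""
        if mac not in self._entries:
            return
        if component == NETLOGIN:
            del self._entries[mac]  # network login clears every attribute
            return
        # Any other component withdraws only the attributes it supplied.
        self._entries[mac].pop(component, None)
        if not self._entries[mac]:
            del self._entries[mac]  # assumption: empty entries are dropped

    def view(self, mac):
        """Merged attributes for one identity, or None if it is gone."""
        if mac not in self._entries:
            return None
        merged = {}
        for attrs in self._entries[mac].values():
            merged.update(attrs)
        return merged

def demo():
    db, mac = IdentityDB(), "00:00:5e:00:53:01"  # constructed MAC
    # Triggers arrive at different times; each one enriches the entry.
    db.connect("FDB", mac, port="1:5")
    db.connect("LLDP", mac, port="1:5", device_model="example-phone")
    db.connect("Kerberos Snooping", mac, identity="alice")
    db.connect(NETLOGIN, mac, port="1:5", auth_protocol="dot1x")
    full = db.view(mac)
    db.disconnect("LLDP", mac)      # only LLDP-supplied data disappears
    after_lldp = db.view(mac)
    db.disconnect(NETLOGIN, mac)    # whole identity disappears
    return full, after_lldp, db.view(mac)

if __name__ == "__main__":
    for state in demo():
        print(state)
```

Tracking attributes per component is what lets the port survive the LLDP removal in the demo: FDB and NetLogin still vouch for it.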


[a] Identity manager receives these attributes only from LLDP enabled ports when the remote device is configured to send the corresponding TLV.