|User‘s MAC address||X||X||X||X||X|
|Authentication and unauthentication time stamp||X||X||X||X||X|
|IPv4 to MAC binding||X||X||X|
|NetLogin authentication protocol||X|
|Device model namea||X|
|Device manufacturer namea||X|
The software components in Identity (User/Device) Attributes and Source Software Components trigger identity attribute collection when a user or device connects to the switch. All components provide the MAC address, authentication and unauthentication time stamps, and the port to which the identity connected. When multiple components are triggered by a user or device connection, the triggers usually happen at different times. Identity manager responds to all identity event triggers, adding additional information to the identity database each time it becomes available.
By default, the identity management feature collects information from all devices connected to identity management enabled ports which does Kerberos authentication using Kerberos snooping. Kerberos authentication, or ticketing, is used by Microsoft's Active Directory. The Kerberos snooping feature collects identity attributes from Kerberos Version 5 traffic. This feature does not capture information from earlier versions of Kerberos.
NoteWe recommend that you enable CPU DoS protect in combination with Kerberos snooping to make sure the CPU is not flooded with mirrored Kerberos packets in the event of a DoS attack on Kerberos TCP/UDP ports. If the rate limiting capability is leveraged on capable platforms, it is applied on CPU mirrored packets.
Because an identity entry in the identity manager database can contain information from various software components (listed in Identity (User/Device) Attributes and Source Software Components), when a component other than a network login triggers an identity removal, only the attributes supplied by that component are removed from the identity. When network login triggers an identity removal, all attributes for that identity are removed from the identity manager database.