show identity-management entries

show identity-management entries {user id_name} {domain domain} {ports port_list} {mac mac_address} {vlan vlan_name} {ipaddress ip_address} {detail}

Description

Displays the entries in the identity management database.

Syntax Description

id_name

Limits the display to entries that contain the specified user ID.

domain

Limits the display to entries for the specified domain.

port_list

Limits the display to entries for the specified ports.

mac_address

Limits the display to entries that contain the specified MAC address.

vlan_name

Limits the display to entries that contain the specified VLAN name.

ip_address

Limits the display to entries that contain the specified IP address.

detail

Expands the display to include more information about identity management entries.

Default

N/A.

Usage Guidelines

Only admin-level users can execute this command.

The displayed ID Name is the actual user name when Network Login or Kerberos Snooping is enabled. For unknown users, the software creates a user name using the format: User_xxxxxxxxxxxxxxxx. The number in the user name is a 16-bit hash number that is generated using the user's port, MAC address, and IP address numbers.

The Domain Name is displayed only if the client is discovered through Kerberos snooping or Dot1x and the domain name is supplied in the form domain\user. The NetBIOS hostname is displayed only if this information was present in the Kerberos packets.

When the role is shown as multiple, the identity is connected through multiple ports/locations and different roles apply to each device.

Example

The following command displays all entries in the identity management database:

* Switch.4 # show identity-management entries
ID Name/          Flags  Port        MAC/          VLAN            Role
Domain Name                          IP
--------------------------------------------------------------------------------
Unknown_00:00:00:> ----  1:3    00:00:00:00:00:22  v1(1)           unauthentica>
-- NA --
00005A4B0000       -m--  1:4    00:00:5a:4b:d1:98  test126(1)      Phone
126.0.0.2(1)
00005A4B0000       -m--  1:4    00:00:5a:4b:d1:9c  test128(1)      Phone
128.0.0.2(1)
00005A4B0000       -m--  1:4    00:00:5a:4b:d1:9e  test129(1)      Phone
129.0.0.2(1)
.
.
.
000105000000       -m--  1:4    00:01:05:00:03:18  test150(1)      Phone
-- NA --
OTHER(00:04:96:1e> l---  4:11   00:04:96:1e:32:80  -- NA --        unauthentica>
-- NA --
joe                --k-  1      00:00:22:33:55:66  v1(1)           authenticated
extreme                         2.1.3.4(1)
bill               --k-  2      00:00:22:33:44:55  v1(2)           multiple
corp.extremenetworks.com        1.2.3.4(1)
Unknown_00:00:00:> ----  1      00:00:00:00:22:33  v1(1)           unauthentica>
-- NA --
.
.
.
OTHER(02:04:96:51> l---  4:3    02:04:96:51:77:c7  -- NA --        unauthentica>
-- NA --
--------------------------------------------------------------------------------
Flags:               k - Kerberos Snooping, l - LLDP Device,
m - NetLogin MAC-Based, w - NetLogin Web-Based,
x - NetLogin 802.1X
Legend: >      - VLAN / ID Name / Domain / Role Name truncated to column width
(#)     - Total # of associated VLANs/IPs
-- NA -- - No IP or VLAN associated
Total number of entries: 60

The following command shows the detail format:

* Switch.4 # show identity-management entries detail
- ID: "00005A4B0000", 1 Port binding(s)
Role: "Phone"
Port: 1:4, 24 MAC binding(s)
MAC: 00:00:5a:4b:d1:98, Flags: -m--, Discovered: Fri Sep 24 18:30:17 2010
1 VLAN binding(s)
VLAN: "test126", 1 IP binding(s)
IPv4: 126.0.0.2
Security Profile: ----, Security Violations: ----;
MAC: 00:00:5a:4b:d1:9c, Flags: -m--, Discovered: Fri Sep 24 18:30:17 2010
1 VLAN binding(s)
VLAN: "test128", 1 IP binding(s)
IPv4: 128.0.0.2
Security Profile: ----, Security Violations: ----;
MAC: 00:00:5a:4b:d1:9e, Flags: -m--, Discovered: Fri Sep 24 18:30:17 2010
1 VLAN binding(s)
VLAN: "test129", 1 IP binding(s)
IPv4: 129.0.0.2
Security Profile: ----, Security Violations: ----;
.
.
.
MAC: 00:00:5a:4b:d1:c8, Flags: -m--, Discovered: Fri Sep 24 18:30:17 2010
1 VLAN binding(s)
VLAN: "test150", 1 IP binding(s)
IPv4: 150.0.0.2
Security Profile: ----, Security Violations: ----;
- ID: "000071710000", 1 Port binding(s)
Role: "Phone"
Port: 1:5, 1 MAC binding(s)
MAC: 00:00:71:71:00:01, Flags: -m--, Discovered: Fri Sep 24 19:42:29 2010
1 VLAN binding(s)
VLAN: "palani", 0 IP binding(s)
- ID: "000105000000", 1 Port binding(s)
Role: "Phone"
Port: 1:4, 25 MAC binding(s)
MAC: 00:01:05:00:03:00, Flags: -m--, Discovered: Fri Sep 24 18:30:17 2010
1 VLAN binding(s)
VLAN: "test126", 0 IP binding(s)
MAC: 00:01:05:00:03:01, Flags: -m--, Discovered: Fri Sep 24 18:30:17 2010
1 VLAN binding(s)
VLAN: "test127", 0 IP binding(s)
MAC: 00:01:05:00:03:02, Flags: -m--, Discovered: Fri Sep 24 18:30:17 2010
1 VLAN binding(s)
VLAN: "test128", 0 IP binding(s)
.
.
.
MAC: 00:01:05:00:03:18, Flags: -m--, Discovered: Fri Sep 24 18:30:18 2010
1 VLAN binding(s)
VLAN: "test150", 0 IP binding(s)
- ID: "OTHER(00:04:96:1e:32:80)", 8 Port binding(s)
Role: "unauthenticated"
Port: 4:11, 1 MAC binding(s)
MAC: 00:04:96:1e:32:80, Flags: l---, Discovered: Fri Sep 24 18:30:17 2010
0 VLAN binding(s)
Port: 4:12, 1 MAC binding(s)
MAC: 00:04:96:1e:32:80, Flags: l---, Discovered: Fri Sep 24 18:30:17 2010
0 VLAN binding(s)
Port: 4:13, 1 MAC binding(s)
MAC: 00:04:96:1e:32:80, Flags: l---, Discovered: Fri Sep 24 18:30:17 2010
0 VLAN binding(s)
.
.
.
Port: 4:18, 1 MAC binding(s)
MAC: 00:04:96:1e:32:80, Flags: l---, Discovered: Fri Sep 24 18:30:17 2010
0 VLAN binding(s)
- ID: "OTHER(02:04:96:51:77:c7)", 2 Port binding(s)
Role: "unauthenticated"
Port: 1:1, 1 MAC binding(s)
MAC: 02:04:96:51:77:c7, Flags: l---, Discovered: Fri Sep 24 18:30:17 2010
0 VLAN binding(s)
Port: 4:3, 1 MAC binding(s)
MAC: 02:04:96:51:77:c7, Flags: l---, Discovered: Fri Sep 24 18:30:17 2010
0 VLAN binding(s)
--------------------------------------------------------------------------------
Flags:               k - Kerberos Snooping, l - LLDP Device,
m - NetLogin MAC-Based, w - NetLogin Web-Based,
x - NetLogin 802.1X
Security Profile:    a - ARP Validation, d - DoS Protection,
g - Gratuitous ARP Protection, r - DHCP Snooping
Security Violations: A - ARP Validation Violation, D - DoS Violation
G - Gratuitous ARP Violation, R - Rogue DHCP Server Detected

The following command example shows how domain names, NetBIOS hostnames, and multiple roles appear when in use:

Switch.4 # show identity-management entries detail
- ID: "john", 1 Port binding(s)
Role: "IT-Engineer"
Domain: "XYZCorp.com", NetBios hostname: "JOHN-DESKTOP"
Port: 17 (Bld-1-Port-1), 1 MAC binding(s)
MAC: 00:00:5a:4b:d1:98, Flags: --k-, Discovered: Tue Nov 16 12:22:46 2010
Force Aging TTL: 00:00:02    Inactive Aging TTL: 00:00:03
1 VLAN binding(s)
VLAN: "corp", 1 IP binding(s)
IPv4: 126.0.0.2
Security Profile: -d--, Security Violations: ----;
- ID: "ramesh", 2 Port binding(s)
Role: "multiple"
Domain: "corp.extremenetworks.com"
Port: 1, 1 MAC binding(s)
MAC: 00:00:00:00:00:13, Flags: --k-, Discovered: Sat Apr  2 02:23:41 2011
Force Aging TTL: 00:00:02    Inactive Aging TTL: N/A
1 VLAN binding(s)
VLAN: "v1", 1 IP binding(s)
IPv4: 10.120.89.9
Role: "Engineer"
Security Profile: adgsr---, Security Violations: A-------,
Port: 2, 1 MAC binding(s)
MAC: 00:00:00:00:00:30, Flags: --k-, Discovered: Sat Apr  2 02:24:30 2011
Force Aging TTL: 00:00:02    Inactive Aging TTL: N/A
1 VLAN binding(s)
VLAN: "v2", 1 IP binding(s)
IPv4: 10.2.3.45
Role: "iphoneEngineer"
Security Profile: ----, Security Violations: ----;
--------------------------------------------------------------------------------
Flags:               k - Kerberos Snooping, l - LLDP Device,
m - NetLogin MAC-Based, w - NetLogin Web-Based,
x - NetLogin 802.1X
Security Profile:    a - ARP Validation, d - DoS Protection,
g - Gratuitous ARP Protection, r - DHCP Snooping
Security Violations: A - ARP Validation Violation, D - DoS Violation
G - Gratuitous ARP Violation, R - Rogue DHCP Server Detected
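
The detail format above can be audited offline once it has been captured to a text file. The following Python script is an added example, not part of the ExtremeXOS documentation or software: it parses detail output into one record per MAC binding, then lists the Security Violations flags that are set and any MAC address bound on more than one port. The names parse_detail and review_items are hypothetical, and SAMPLE is constructed and abbreviated from the format shown on this page.

```python
import re

# Violation letters as given in the legend of the detail output.
VIOLATIONS = {"A": "ARP Validation Violation", "D": "DoS Violation",
              "G": "Gratuitous ARP Violation", "R": "Rogue DHCP Server Detected"}

# Constructed sample: abbreviated lines in the detail format shown on this page.
SAMPLE = """\
- ID: "ramesh", 2 Port binding(s)
Port: 1, 1 MAC binding(s)
MAC: 00:00:00:00:00:13, Flags: --k-, Discovered: Sat Apr  2 02:23:41 2011
Security Profile: adgsr---, Security Violations: A-------,
Port: 2, 1 MAC binding(s)
MAC: 00:00:00:00:00:30, Flags: --k-, Discovered: Sat Apr  2 02:24:30 2011
Security Profile: ----, Security Violations: ----;
- ID: "OTHER(02:04:96:51:77:c7)", 2 Port binding(s)
Port: 1:1, 1 MAC binding(s)
MAC: 02:04:96:51:77:c7, Flags: l---, Discovered: Fri Sep 24 18:30:17 2010
Port: 4:3, 1 MAC binding(s)
MAC: 02:04:96:51:77:c7, Flags: l---, Discovered: Fri Sep 24 18:30:17 2010
"""

def parse_detail(text):
    """Return one record per MAC binding with its identity, port and violations."""
    rows, ident, port = [], None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r'- ID: "([^"]+)"', line):
            ident = m.group(1)
        elif m := re.match(r"Port: ([\d:]+)", line):
            port = m.group(1)
        elif m := re.match(r"MAC: ([0-9a-fA-F:]{17}), Flags: (\S+),", line):
            rows.append({"id": ident, "port": port, "mac": m.group(1).lower(),
                         "flags": m.group(2), "violations": []})
        elif rows and (m := re.search(r"Security Violations: ([A-Z-]+)", line)):
            rows[-1]["violations"] = [VIOLATIONS[c] for c in m.group(1) if c in VIOLATIONS]
    return rows

def review_items(rows):
    """List violation flags per binding, then MACs bound on more than one port."""
    items = [(r["id"], r["port"], v) for r in rows for v in r["violations"]]
    ports = {}
    for r in rows:
        ports.setdefault(r["mac"], set()).add(r["port"])
    items += [(mac, ",".join(sorted(p)), "bound on multiple ports")
              for mac, p in ports.items() if len(p) > 1]
    return items

if __name__ == "__main__":
    print(*review_items(parse_detail(SAMPLE)), sep="\n")
```

An LLDP device (flag l) that appears on several ports is often a neighboring switch with multiple uplinks, so treat the multi-port item as something to confirm against the expected topology.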

The following command example shows that you can specify multiple options, such as the user name and ports:

show identity-management entries user eelco ports 2:2

History

This command was first available in ExtremeXOS 12.4.

Kerberos Force Aging TTL and Inactive Aging TTL information was added in ExtremeXOS 12.6.

Support for multiple roles for a single identity was added in ExtremeXOS 12.7.

Platform Availability

This command is available on ExtremeSwitching 5320, 5420, 5520, and 5720 series switches.