Extreme Connect NAC IDM Handler

  • Problem
  • Updated 2 months ago
  • Solved
Unable to add the NAC IPs in the IDM Handler of Extreme Connect.

The original problem is that IDM is sending XML notifications from the switches to the NAC, but it is not populating the data in NAC Manager.

When I go to this page (screenshot) and try to add the NAC IPs here as explained in the documentation, the page just refreshes without adding any entries.

Any ideas what I am missing?
Ahmed Haroun

Posted 3 months ago

Kurt Semba, Employee
Hi Ahmed,

Which version of XMC are you using? Starting with v8.0 you should be able to get end-system data from XOS switches through IDM and XML notifications, but without needing the "IDM Handler" from Connect. XMC should be able to directly listen to those notification messages from the XOS switches and display end-system data within the "Control" tab.

Kurt
Ahmed Haroun

Kurt Semba, Employee
Hi Ahmed,

When you say you want to "get the details of the non 802.1x (few) ports in Netsight", do you mean that you are generally using NAC with 802.1X with the exception of a few ports? Can you enable MAC authentication on those ports? That way you can also use NAC to get the end-system details, and there is no need for IDM.

Kurt
Ahmed Haroun
Well,

1- I thought of this, but actually some devices (old, legacy) do not work with MAC authentication either; they do not send any data, which forces us to open the ports for them and assign the VLAN statically.

2- I am now also wondering what the need for XML notification is if I am using 802.1X; it does not seem to be adding any value here for the 802.1X-enabled ports.
Kurt Semba, Employee
1 - Just guessing, but are those devices that don't work with MAC auth devices like printers, etc., which are not sending much data to the network but rather need to be contacted by other systems in order to start sending data? I'm not an XOS pro, but there should be a feature that allows communication from the network into those ports where these devices are connected. From the switchport view this would be considered egress traffic to an unauthorized port. This feature is also required in scenarios where Wake-On-LAN is needed. Maybe someone else on this thread knows how this is done in XOS.

2 - Agree. Using 1X with NAC should give you everything you get from IDM and much more.
Ahmed Haroun
Hi Kurt,

The correspondence with you is very informative, thank you.

1- I tried your suggestion; it works most of the time. I found the command below to do this trick for the silent devices, and so far it is working (first you need to add the VLAN statically to the port).
configure netlogin ports *:* allow egress-traffic all_cast

However, some rare cases still require opening the port, and we need a way to see them in the console.

2- Can you correct my info? When we send XML notifications to Netsight we use the following URL:

https://Netsight-IP:8443/axis/services/event

My question is: what is the equivalent link to use when we send the XML notification to the switches?

Is it also https://NAC-IP:8443/axis/services/event, or /Nacwebservices? Can you point me to the correct URL?
Kurt Semba, Employee
Hi Ahmed,

Regarding your first question: if this works 99% of the time, then I would suggest opening a ticket with GTAC to troubleshoot the rare cases where this doesn't work.

Regarding #2: just to understand the question: you are not sure whether the switch should send its XML notifications to XMC or a NAC appliance? Or am I getting this wrong?
Ahmed Haroun
1- I will, and I will also check with them the LDAP error that happens under the IDM message load.
(Unable to find dynamic group for user XOSIDM using ldap configuration)

2- Yes, because I have seen two sets of documentation; one of them advises sending the XML notifications to EMC and the other suggests sending them to the NAC appliance. I am also asking whether both use the same URL path (/axis/services/event).
Kurt Semba, Employee
Hi Ahmed,

If you send the events to a NAC appliance you can also use the username and/or Kerberos authentication to elevate access based on the information from IDM. NAC will use the change of the username to re-run the NAC rule engine in order to potentially change the authorization of that device.
I don't think that this is necessary in your environment, and I'm still in favor of simply using MAC/802.1X auth + NAC where possible, but if you have / want to give it a try, the URL on the NAC appliance should be the same:
https://<nac_ip>:8443/axis/services/event

Kurt
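The point Kurt settles above is that the XMC/NetSight server and the NAC appliance expose the same event endpoint, https://host:8443/axis/services/event, and that the choice of target changes what NAC does with the username (re-running its rule engine), not the URL. The following is an added Python example, not code from the thread or from Extreme, that builds and validates that URL for either target and posts an XML document to it over verified TLS. The hostnames, the CA file path and the XML body are assumptions; the body is a constructed placeholder and is not the IDM notification schema, which the thread does not show.

```python
"""Post an XML event to the Axis event service on XMC/NetSight or a NAC
appliance. Added example; endpoint path and port are the ones named in the
thread, everything else (hosts, CA file, XML body) is assumed."""
import ssl
import urllib.request
from urllib.parse import urlparse

EVENT_PATH = "/axis/services/event"   # same path for XMC and the NAC appliance
EVENT_PORT = 8443


def build_event_url(host: str, target: str) -> str:
    """Return the event URL for an XMC ('xmc') server or NAC appliance ('nac').

    Both targets use the same path and port, so `target` only documents the
    operator's intent (XMC: end-system display; NAC: rule engine re-run) and
    rejects typos. `host` must be a bare hostname or IP, no scheme or path."""
    if target not in ("xmc", "nac"):
        raise ValueError(f"unknown target {target!r}; expected 'xmc' or 'nac'")
    if not host or "/" in host or ":" in host:
        raise ValueError("host must be a bare hostname or IPv4 address")
    return f"https://{host}:{EVENT_PORT}{EVENT_PATH}"


def validate_event_url(url: str) -> bool:
    """True only for https, port 8443 and the documented path; this catches
    the '/Nacwebservices' guess from the thread and any plain-http URL."""
    p = urlparse(url)
    return p.scheme == "https" and p.port == EVENT_PORT and p.path == EVENT_PATH


def build_request(url: str, xml_body: bytes) -> urllib.request.Request:
    """Build the POST. 'text/xml' is an assumption for an Axis (SOAP) service;
    the thread does not state which headers the switch sends."""
    req = urllib.request.Request(url, data=xml_body, method="POST")
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    return req


def send_event(url: str, xml_body: bytes, cafile: str, timeout: float = 10.0) -> int:
    """Send the event and return the HTTP status code.

    The endpoint receives identity data that drives NAC authorization, so TLS
    verification stays on and is pinned to the CA that issued the XMC/NAC
    certificate. If the appliance uses a self-signed certificate, export it
    and pass it as `cafile`; do not switch to an unverified context."""
    if not validate_event_url(url):
        raise ValueError(f"refusing to post to non-standard endpoint {url}")
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    req = build_request(url, xml_body)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status


# Constructed placeholder body, NOT the IDM notification schema.
SAMPLE_XML = b'<?xml version="1.0" encoding="UTF-8"?><event><placeholder/></event>'


if __name__ == "__main__":
    # Hypothetical addresses; replace with your XMC server or NAC appliance.
    for target, host in (("xmc", "netsight.example.internal"),
                         ("nac", "nac1.example.internal")):
        url = build_event_url(host, target)
        print(target, url, "valid" if validate_event_url(url) else "invalid")
        # send_event(url, SAMPLE_XML, cafile="/etc/ssl/certs/extreme-ca.pem")
```

Use `validate_event_url` on whatever URL ends up in a switch or Connect configuration before pointing production switches at it; the send call is commented out in the demo because it needs a reachable appliance and its CA certificate.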
Ahmed Haroun

Excellent, thanks Kurt.