Trying to set up IDM and failing

Question (answered), updated 5 months ago
We have Extreme Management Console and ExtremeControl and we want to start off by just collecting information on what all is connected to the network, but not enforcing any policies at this point.  The first step is to select the device, right-click on it, click Tasks -> Access Control -> Identity Management - Configuration, correct?

We then changed the target server IP address setting to the IP of the NAC server, changed the target server type to NAC, but then things fall apart at the username and PW.  We tried using the root account that was created when NAC was installed, but that doesn't work.  Looking on the switch, it shows:

Slot-2 Summit-CV-Desktops.9 # show xml-notification statistics
Target Name             : nac-target_172.22.1.94
Server URL              : https://172.22.1.94:8443/axis/services/event
Server Queue Size       : 100
Enabled                 : yes
Connection Status       : fail
Events Received         : 3
Connection Failures     : 2
Events Sent Success     : 0
Events Sent Failed      : 3
Events Dropped          : 0

Going to that link brings up a login prompt, but the root account credentials on the NAC don't work to login.  I'm guessing that is where the problem is, but I don't know at this point.
Stephen Stormont, posted 5 months ago
Michal Rz

Stephen Stormont
Yes, those are what I have attempted with no luck.

To confirm (based on https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configured-Identity-Management-for-...), the target server is the IP of the NAC server and the target username/PW can be the "root" account on the NAC server (or do you use the account on the XMC server)?
Tyler Marcotte, Official Rep
Stephen, you would use the root account for the XMC server, not the username/password of the NAC server.
Stephen Stormont
Sadly, I'm still missing a piece of the puzzle.  Figured out that the script that runs via XMC sets things up using VR-Mgmt, but we use VR-Default.  Changed that setting and now the switches are connected to the server, but they aren't showing up in the "End Systems" section.
Tyler Marcotte, Official Rep
For the $serverIP are you using the NAC Server or the XMC Server? I've only ever tried it going directly to XMC.
Stephen Stormont
I was following what the docs said and using the IP of the NAC server.  Now after dismantling the configs on one switch, and trying the IP of the XMC server (it wasn't able to connect), I have tried going back to my original config and now that isn't connecting.  Must be Friday.
Tyler Marcotte, Official Rep
Ok, here's a screenshot of what it should look like on the CLI of the switch. The encrypted-auth is the encrypted password. If you already had most of it working with the script from XMC, you should just be able to change the VR on the first XML notification line.
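The screenshot Tyler refers to is not on the page. The following is an added example of what the equivalent EXOS CLI looks like; it is not the thread's screenshot and not the script that XMC pushes. Assumptions: the XMC server is 172.22.1.93 (the thread only gives ".93"), management traffic leaves the switch via VR-Default rather than the VR-Mgmt the XMC script assumes, the target name follows the nac-target_<ip> pattern visible in the statistics output above, and the target points at XMC with the XMC root account as Tyler advises. When encrypted-auth is omitted from the create command the switch prompts for the password and stores it in the encrypted form that later shows up as encrypted-auth in the saved configuration (this behaviour is taken from the EXOS command syntax, not from the thread).

```exos
# Target for identity-management events: XMC (not the NAC engine), reached via VR-Default.
# The switch prompts for the XMC root password; it is stored as encrypted-auth.
create xml-notification target nac-target_172.22.1.93 url https://172.22.1.93:8443/axis/services/event vr VR-Default user root

# Subscribe the identity-management module to this target and turn the target on.
configure xml-notification target nac-target_172.22.1.93 add identity
enable xml-notification nac-target_172.22.1.93

# Collect identities on every port; no policy is enforced by this alone.
enable identity-management
enable identity-management ports all

# Verify: Connection Status should move from "fail" to a connected state and
# "Events Sent Failed" should stop climbing.
show xml-notification configuration nac-target_172.22.1.93
show xml-notification statistics
```

If a target already exists from the XMC script, the only line that differs for a VR-Default deployment is the create line (the vr keyword), which is what Tyler's comment about "the first XML notification line" refers to.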
Stephen Stormont
Yes, mine looks like your setup:
Tyler Marcotte, Official Rep
Is the IP in your nac-target the NAC IP address or the XMC IP Address? If it's the NAC, try changing it to the XMC IP.
Stephen Stormont
I definitely messed something up.  Any combination now shows "not connected" messages from "show xml-notification config" and "show xml-notification statistics".

Tried:

.93 (IP of the XMC server) and the PW of the root account on the XMC server
.93 (IP of the XMC server) and the PW of the root account on the NAC server
.94 (IP of the NAC server) and the PW of the root account on the NAC server
.94 (IP of the NAC server) and the PW of the root account on the XMC server
Tyler Marcotte, Official Rep
The first option should have worked. When you log into the XMC Web UI do you use the root account? Try using the account you would normally connect with.
Stephen Stormont
I normally log into the Web UI with my AD account.  Just tested with the root account/PW for the XMC server and was able to manually log into the Web UI and SSH to the server, so I know the credentials are fine.  Still getting "not connected" on the switch side when using those same credentials.
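At this point the credentials are known to be valid for the web UI and SSH, yet the switch still reports "not connected". The switch is doing something more specific than a web-UI login: it opens HTTPS to port 8443 from its virtual router and presents credentials to the /axis/services/event URL, and the statistics output lumps TLS, routing and authentication failures together as "fail". The script below is an added example (not from the thread, not an Extreme tool) that repeats that exchange from an admin workstation so the failure can be classified. It assumes the endpoint uses HTTP basic authentication (the browser login prompt suggests this, but it is an assumption), that the XMC address is 172.22.1.93, and that the workstation's path to XMC is comparable to the switch's; a "bad-credentials" verdict here points at the account, while "unreachable" or "tls-error" points at the VR, firewalling or the certificate rather than the password.

```python
"""Probe an XMC XML-notification target URL with HTTP basic auth.

Added example for the thread above; not part of the original post and
not Extreme's own tooling. Assumptions: basic auth on the endpoint, and
the XMC address below (only ".93" appears in the thread).
"""
import base64
import socket
import ssl
import sys
import urllib.error
import urllib.request

# Constructed default; the thread gives only the last octet of the XMC server.
DEFAULT_URL = "https://172.22.1.93:8443/axis/services/event"


def classify(status=None, exc=None):
    """Map an HTTP status code or a transport exception to a one-word verdict."""
    if exc is None:
        if status is not None and (200 <= status < 400 or status == 405):
            return "auth-ok"          # server accepted the credentials
        if status in (401, 403):
            return "bad-credentials"  # reached the service, credentials rejected
        if status == 404:
            return "wrong-url"        # reached the server, no such service path
        return "server-error"
    # urllib wraps socket/ssl errors in URLError; look at the real cause
    reason = getattr(exc, "reason", exc)
    if isinstance(reason, ssl.SSLError):
        return "tls-error"            # handshake failed (certificate, protocol)
    if isinstance(reason, (socket.timeout, TimeoutError)):
        return "timeout"              # packets leave, nothing answers
    return "unreachable"              # refused, no route, name lookup, etc.


def probe(url=DEFAULT_URL, user="root", password="", timeout=5, verify_tls=True):
    """Send one authenticated GET to the target URL and return classify()'s verdict."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    ctx = ssl.create_default_context()
    if not verify_tls:
        # XMC is commonly deployed with a self-signed certificate; disable
        # verification only while troubleshooting, never in anything left running.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify(status=resp.getcode())
    except urllib.error.HTTPError as e:   # 4xx/5xx are raised, not returned
        return classify(status=e.code)
    except urllib.error.URLError as e:    # transport-level failure
        return classify(exc=e)
    except OSError as e:                  # anything urllib did not wrap
        return classify(exc=e)


if __name__ == "__main__":
    # usage: python xmc_probe.py URL USER PASSWORD [--insecure]
    insecure = "--insecure" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--insecure"]
    if len(args) != 3:
        sys.exit("usage: xmc_probe.py URL USER PASSWORD [--insecure]")
    print(probe(args[0], args[1], args[2], verify_tls=not insecure))
```

Run it once with the XMC root account and once with a deliberately wrong password: if both runs return the same verdict the endpoint is not evaluating the credentials at all and the problem is on the path, not the account.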
Tyler Marcotte, Official Rep
Try using your AD account for the heck of it. What license level of XMC are you running? Is it running on linux or windows? At this point it may be worth giving GTAC a call to take a look. I'm out of ideas since it should be working.