Question

Extreme Management Center (XMC) 8.x (NMS-50) NAC / Group Editor


Our real-case scenario is that we are authenticating clients by MAC address, mostly virtual machines from developers working for a project period within that network.
Therefore an additional NAC rule criterion for an end-system group should be an expiration date. In other words, a certain VM's MAC address should be rejected by NAC after reaching a particular date and time.
For example, a client authentication is valid/accepted through 2019-12-31, and after that particular date the VM's MAC authentication will be rejected. This is unfortunately not working with Time Groups.
As a workaround the operator manually moves the end-system's MAC to the quarantine group after the valid date is reached.
One idea is to use the NAC Request Tool for adding and deleting end-systems, but how to automate/schedule this? The end-system MAC addresses are listed in a SQL database by invalid date.

Any idea how to get it?

Thank you.

Hi Marcus,

I didn't play with NAC Request Tool yet but looking around...
The NAC Request Tool is a thing that involves the ExtremeConnect API, which is available in NMS-ADV, but somehow it works with NMS (take care of the version: https://gtacknowledge.extremenetworks.com/articles/Solution/Nac-Request-Tool-does-not-work-in-v8-x-unless-you-have-a-NMS-ADV-license).

You might find this useful:
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-Add-MAC-Addresses-to-NAC-End-System-Groups-via-NAC-Request-Tool/

The difference is the command used, i.e.:
code:
NacRequest -server 1.1.1.1 -username admin -password pass -del -oper esoverride -endsystem 11:22:33:44:55:66 -group "My Beloved Ones"
I believe some scripting effort is needed: you might have a CSV file with contractors' VM MAC addresses and cooperation deadlines; every midnight the file is checked by the script and, if some date is older than today, the script issues the NAC Request Tool command for that MAC address (and cleans the line in the CSV, and notifies something external that it's outdated; or, from a different perspective, some application that monitors out-of-date access could run that command).

Hope that helps,
Tomasz
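Below is an added example of the nightly script Tomasz sketches above. It is not from the original post and not Extreme Networks' code. The NacRequest argument list is copied from the command in the reply above (-del -oper esoverride -endsystem ... -group ...) and should be checked against the help output of the NAC Request Tool version actually installed. The CSV layout (mac,group,expires), the environment variable names XMC_SERVER/XMC_USER/XMC_PASSWORD, and the lower-case colon MAC notation are assumptions for the example; the sample CSV is constructed data. Expired rows are removed from the CSV only after the command succeeds, so a failed run is retried next night, and a row whose deadline cannot be parsed is treated as expired (fail closed) instead of silently keeping access open.

```python
"""Revoke expired contractor VM MAC addresses from an XMC end-system group.

Added example (not from the original post or from Extreme Networks).
Assumes a CSV with columns mac,group,expires (ISO date) and the NacRequest
delete syntax quoted in the reply above.
"""
import csv
import io
import os
import re
import subprocess
from datetime import date

# Constructed sample input for the example (not real data).
SAMPLE_CSV = """mac,group,expires
00:11:22:33:44:55,Contractor VMs,2019-12-31
AA-BB-CC-DD-EE-FF,Contractor VMs,2020-06-30
0011.2233.4466,Contractor VMs,not-a-date
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Accept 00:11:..., 00-11-..., 0011.2233.4455 or bare hex and return
    aa:bb:cc:dd:ee:ff. Lower-case colon form is an assumption about what
    XMC expects; adjust if your NAC Request Tool wants another notation."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(hexdigits):
        raise ValueError("bad MAC address: %r" % raw)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_entries(csv_text):
    """Parse the CSV into dicts; a row with a malformed MAC aborts the run."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{"mac": normalize_mac(row["mac"]),
             "group": row["group"].strip(),
             "expires": row["expires"].strip()} for row in reader]


def is_expired(entry, today):
    """True once the deadline has passed. An unparseable deadline counts as
    expired (fail closed) rather than granting indefinite access."""
    try:
        deadline = date.fromisoformat(entry["expires"])
    except ValueError:
        return True
    return deadline < today


def nacrequest_delete_args(server, username, password, mac, group):
    """Argument vector for the NacRequest delete shown in the reply above.
    Built as a list so no shell quoting of the group name is involved."""
    return ["NacRequest", "-server", server, "-username", username,
            "-password", password, "-del", "-oper", "esoverride",
            "-endsystem", mac, "-group", group]


def revoke_expired(csv_text, today, server, username, password, execute=False):
    """Return (commands issued, CSV text with revoked rows removed).

    today may be a date or an ISO string. With execute=False nothing is run;
    with execute=True each command goes to subprocess.run and a non-zero exit
    keeps the row in the CSV so it is retried on the next run.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    commands, kept = [], []
    for entry in load_entries(csv_text):
        if not is_expired(entry, today):
            kept.append(entry)
            continue
        args = nacrequest_delete_args(server, username, password,
                                      entry["mac"], entry["group"])
        commands.append(args)
        if execute and subprocess.run(args).returncode != 0:
            kept.append(entry)  # keep for retry; surfaces in the next run's log
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["mac", "group", "expires"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(kept)
    return commands, out.getvalue()


if __name__ == "__main__":
    # Credentials come from the environment, not from the script or the CSV.
    cmds, remaining = revoke_expired(
        SAMPLE_CSV, date.today(),
        os.environ.get("XMC_SERVER", "1.1.1.1"),
        os.environ.get("XMC_USER", "admin"),
        os.environ.get("XMC_PASSWORD", ""),
        execute=False)
    for c in cmds:
        print("would revoke", c[-3], "from group", c[-1])
    print("remaining rows:\n" + remaining)
```

Schedule it with cron or Task Scheduler at midnight on the host where NacRequest is installed, and replace SAMPLE_CSV with the real file (or a query against the SQL table the question mentions). Note that -password on the command line is visible to other local users in the process list for as long as NacRequest runs, so run it under a dedicated account on a host nobody else can log in to.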
As an alternative, expiration start and end times for locally defined (LPR) users AND devices authenticating to an Access Control Engine can also be set by using Extreme Guest & IoT Manager.
