topic Extreme Control Rule and AD in ExtremeCloud IQ- Site Engine Management Center

Extreme Control Rule and AD

Ian_Broadway — Tue, 29 Sep 2020 21:52:52 GMT

Hi All,

I am trying to create Extreme Control rule sets for MAC and .1x authentication.

Is there not a way I can add a group condition to query a LDAP/AD Domain group?

I can see there is an option for LDAP user groups.

Also, do Extreme offer some sort of downloadable config for updating DHCP fingerprints.

Its really tedious to have to go in and add lines of code to add custom fingerprints, not to mention having to hunt through a log file to get them in the first place.

One other thing, any ideas/thoughts on being able to add if/or conditions into the same rule?

Thanks

Ian

Re: Extreme Control Rule and AD

Ian_Broadway — Tue, 29 Sep 2020 22:00:23 GMT

ok, just read 8.5 release notes, alot more functionality for DHCP fingerprinting.

other concerns still stand though if anyone has any thoughts please.

Re: Extreme Control Rule and AD

Miguel-Angel_RO — Tue, 29 Sep 2020 22:05:48 GMT

Ian,

Yes you can create a condition to trigger a rule based on an LDAP group
I don’t know for the DHCP fingerprint tool
You can add if/or at different levels
1. In the group definition
  2. in the policy mappings (a Location Group lookup will trigger the return values)

Regards

Mig

Re: Extreme Control Rule and AD

Stefan_K_ — Tue, 29 Sep 2020 22:16:48 GMT

Hi Ian,

of course there is! 🙂

This user group is used in a NAC-Rule to allow the CLI-Access to network switches for the configured AD-Group (which is censored in the screen).

Can of course also used in combination with MAC and Dot1x Auth.

Edit: Dang, much too slow.

Re: Extreme Control Rule and AD

Ian_Broadway — Wed, 30 Sep 2020 21:07:55 GMT

are you able to use an attribute that isnt returned by the device used for testing the connection?

I picked my host for example of which I know what domain groups it belongs to.

is it just a memberof attribute you can use? or can you use something else?

I tried to reference a rule with a memberof attribute and tested on a specific client to which i took the value knowing that client is in that AD group and then specifically tried to get that client to match but it never did.

Re: Extreme Control Rule and AD

Miguel-Angel_RO — Wed, 30 Sep 2020 21:14:23 GMT

Ian,

You can use any attribute refering the object in the AD.

Your missed test is probably a syntax isue.

Here an example for the memberOf attribute

If you want to use another attribute, just change the name of the attribute

Mig

Re: Extreme Control Rule and AD

Ian_Broadway — Wed, 30 Sep 2020 21:42:14 GMT

we have a group for Domain computers, when I browse AD i can see my host is a member of 3 groups, one being Domain Computers.

I want to use this group to reference as a memberOf attribute in the LDAP host group and then use this as a condition in the rule.

when I test my host it only reports back the other two groups under the memberOf attribute.

I’ve asked my AD guys if they can think of why it doesn't report the Domain Computers back as a value, see below;

doesnt report the Domain Computers value. They’re all security groups.

I’m told the account used in the LDAP config has read access to the Domain, perhaps this is not enough?

Re: Extreme Control Rule and AD

Miguel-Angel_RO — Wed, 30 Sep 2020 21:46:50 GMT

Indeed: https://gtacknowledge.extremenetworks.com/articles/Q_A/Active-Directory-Permissions-For-NAC-NTLM-Authentication/

Mig

Indeed: https://gtacknowledge.extremenetworks.com/articles/Q_A/Active-Directory-Permissions-For-NAC-NTLM-Authentication/

Mig

Re: Extreme Control Rule and AD

Miguel-Angel_RO — Wed, 30 Sep 2020 21:47:28 GMT

Ian,

You need to adapt the user rights with this: https://gtacknowledge.extremenetworks.com/articles/Q_A/Active-Directory-Permissions-For-NAC-NTLM-Authentication/

Mig

Re: Extreme Control Rule and AD

Ian_Broadway — Thu, 01 Oct 2020 13:42:57 GMT

Thank you, i’ll ask the AD guys to check the account permissions for the account used for the LDAP config.

Re: Extreme Control Rule and AD

Zdeněk_Pala — Thu, 01 Oct 2020 15:53:17 GMT

Hi,

for some rule components you have “OR” and “AND” already:

regarding the DHCP fingerprinting, here is a new GitHub repository. Feel free to contribute 🙂

Re: Extreme Control Rule and AD

PeterK — Thu, 01 Oct 2020 16:45:58 GMT

I think the problem of Ian ist, that Extreme Control does not support checking ldap attributes of nested group memberships.

You can only check ldap attributes where the account is direct assigned

Re: Extreme Control Rule and AD

Zdeněk_Pala — Thu, 01 Oct 2020 17:12:41 GMT

If Nested Groups are used then you need to add each nested group to the list and use mode “Match Any”. I saw a customer automated this task through API calls.

Re: Extreme Control Rule and AD

PeterK — Thu, 01 Oct 2020 17:41:54 GMT

If Nested Groups are used then you need to add each nested group to the list and use mode “Match Any”. I saw a customer automated this task through API calls.

Of course, but this is only a dirty workaround and not a solution. I hope Extreme will support this in the future.

Re: Extreme Control Rule and AD

Ian_Broadway — Thu, 01 Oct 2020 21:48:33 GMT

Its not a nested group actually but if im honest anything that makes the integration better is a win for sure, its a global security group that sits in an OU along with other security groups. It does not belong to other groups.

Its the group all domain joined PCs/Laptops become a member of when joined to the domain.

the other groups i referenced above are also part of the same OU yet the host only reports the memberOf attributes of the other two groups, not the domain computers one.

Still waiting on the permissions check with the account used in the LDAP config.

Will let you know if this solves it.

Re: Extreme Control Rule and AD

Ian_Broadway — Thu, 01 Oct 2020 22:04:51 GMT

Yep looks like it could well be an account issue as getting this error on the Appliance

2020-10-01 15:58:41,919 ERROR [com.enterasys.tesNb.server.freeradius.files.SambaInstallationManager] (EnforceHandler - Off Thread Notify Listeners0:) Failed to join domain: "removed" for user: "removed" with error code: 255
ADS join did not work, falling back to RPC...
Failed to join domain: User specified does not have administrator privileges
Failed to join domain: failed to find DC for domain “removed” - {Operation Failed} The requested operation was unsuccessful.

Re: Extreme Control Rule and AD

Ian_Broadway — Thu, 08 Oct 2020 19:20:13 GMT

So is there a way you can make the conditions in a rule be or conditions?

At the moment any conditions in the rule all have to be matched?

For example I have a rule for Medical devices. I would like it so that if Fingerprinting determines its “medical device” it will hit this rule or if its part of a certain vlan/subnet to which I know for a fact is solely for medical devices

or do i have to have multiple rules to be able to capture this behaviour?

Re: Extreme Control Rule and AD

Miguel-Angel_RO — Thu, 08 Oct 2020 19:26:37 GMT

Ian,

A workaround could be to define a new devicegroup including all the fingerprints you are looking for and match this group.

Mig

Re: Extreme Control Rule and AD

Ian_Broadway — Fri, 09 Oct 2020 15:22:30 GMT

thats fine but the issue is the manual process of adding fingerprints.

some things on the Medical subnet might not be classed as a medical device based on the default fingerprints, hence the reason to reference the multiple conditions in a rule.

would be ideal if the invert option was alongside an or and an and statement.

Re: Extreme Control Rule and AD

Ian_Broadway — Mon, 12 Oct 2020 20:29:24 GMT

ok, so back on topic, as a test, the account used to join the EAC appliances to the domain/used in the ldap configuration was given full domain admin rights.

When testing it still couldnt see the host device return the memberof attribute for the “domain computers” group. it worked for all other member groups as mentioned in an earlier host.

any ideas?