https://community.extremenetworks.com/t5/extremecontrol/switch-management-access-using-nac-rules-all-ad-user-can/m-p/89706#M249 <P>Can you change the profile of the second rule to something that rejects the auth request and test again?</P><FIGURE><IMG alt="" src="https://uploads-us-west-2.insided.com/extremenetworks-us/attachment/aee01359-78be-4b6c-bdc3-f345e5d55f65.png" /></FIGURE><P>&nbsp;</P> Tue, 31 Aug 2021 13:28:28 GMT Stefan_K_ 2021-08-31T13:28:28Z https://community.extremenetworks.com/t5/extremecontrol/switch-management-access-using-nac-rules-all-ad-user-can/m-p/89705#M248 <P>&nbsp;</P><P>Hello community,</P><P>I am a little confused about the following issue:</P><P>I configured the switch management access using the following older guide (I can't find a newer one):</P><P><A href="https://extremeportal.force.com/ExtrArticleDetail?an=000081977&amp;q=How-to-configure-NAC-to-handle-Management-Access-from-Switches" target="_blank" rel="noreferrer noopener nofollow ugc">https://extremeportal.force.com/ExtrArticleDetail?an=000081977&amp;q=How-to-configure-NAC-to-handle-Management-Access-from-Switches</A></P><P>Then I access the switch (X440-G2-24p-10G4 EXOS 30.2.1.8) with the allowed user. I get the correct permissions and everything is fine. Then I tested a user who has no permission and he can access the switch. It is true that he can only set show commands, but&nbsp;I think this is not the right behavior, or is it?<BR /><BR /><STRONG>Troubleshooting:</STRONG></P><UL><LI>the login gets the correct policy</LI> <LI>everything is forced</LI> <LI>i have reset the switch</LI> <LI>i changed the ldap configuration in several ways</LI> <LI>I changed the management access to user defined and tested a number of</LI></UL><P><STRONG>Configuration:</STRONG></P><FIGURE><span class="lia-inline-image-display-wrapper" image-alt="bbcf1b0b7392486190f28e6d8122e262_277bf4f8-0d7d-41ad-a51d-b5386367e8e3.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/3704iE68359AF189B1029/image-size/large?v=v2&amp;px=999" role="button" title="bbcf1b0b7392486190f28e6d8122e262_277bf4f8-0d7d-41ad-a51d-b5386367e8e3.png" alt="bbcf1b0b7392486190f28e6d8122e262_277bf4f8-0d7d-41ad-a51d-b5386367e8e3.png" /></span></FIGURE><FIGURE><span class="lia-inline-image-display-wrapper" image-alt="bbcf1b0b7392486190f28e6d8122e262_9d6932cf-35dc-4678-af78-5876ea9ce7ee.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/1853i204CD5E04A17324C/image-size/large?v=v2&amp;px=999" role="button" title="bbcf1b0b7392486190f28e6d8122e262_9d6932cf-35dc-4678-af78-5876ea9ce7ee.png" alt="bbcf1b0b7392486190f28e6d8122e262_9d6932cf-35dc-4678-af78-5876ea9ce7ee.png" /></span></FIGURE><FIGURE><span class="lia-inline-image-display-wrapper" image-alt="bbcf1b0b7392486190f28e6d8122e262_acb9beda-2f11-430d-a584-9c75af7588b2.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/5371iAC2E960122435E85/image-size/large?v=v2&amp;px=999" role="button" title="bbcf1b0b7392486190f28e6d8122e262_acb9beda-2f11-430d-a584-9c75af7588b2.png" alt="bbcf1b0b7392486190f28e6d8122e262_acb9beda-2f11-430d-a584-9c75af7588b2.png" /></span></FIGURE><FIGURE><span class="lia-inline-image-display-wrapper" image-alt="bbcf1b0b7392486190f28e6d8122e262_b88523c4-714f-4a84-9864-c02f4192ddce.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/962iC21346F2909C3745/image-size/large?v=v2&amp;px=999" role="button" title="bbcf1b0b7392486190f28e6d8122e262_b88523c4-714f-4a84-9864-c02f4192ddce.png" alt="bbcf1b0b7392486190f28e6d8122e262_b88523c4-714f-4a84-9864-c02f4192ddce.png" /></span></FIGURE><FIGURE><span class="lia-inline-image-display-wrapper" image-alt="bbcf1b0b7392486190f28e6d8122e262_83e9c090-31c4-47a0-b23c-728002037d7a.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/1834i3B4897A2F0EA8F6E/image-size/large?v=v2&amp;px=999" role="button" title="bbcf1b0b7392486190f28e6d8122e262_83e9c090-31c4-47a0-b23c-728002037d7a.png" alt="bbcf1b0b7392486190f28e6d8122e262_83e9c090-31c4-47a0-b23c-728002037d7a.png" /></span></FIGURE><P>&nbsp;</P> Mon, 30 Aug 2021 23:15:20 GMT https://community.extremenetworks.com/t5/extremecontrol/switch-management-access-using-nac-rules-all-ad-user-can/m-p/89705#M248 DeoHeo 2021-08-30T23:15:20Z https://community.extremenetworks.com/t5/extremecontrol/switch-management-access-using-nac-rules-all-ad-user-can/m-p/89706#M249 <P>Can you change the profile of the second rule to something that rejects the auth request and test again?</P><FIGURE><IMG alt="" src="https://uploads-us-west-2.insided.com/extremenetworks-us/attachment/aee01359-78be-4b6c-bdc3-f345e5d55f65.png" /></FIGURE><P>&nbsp;</P> Tue, 31 Aug 2021 13:28:28 GMT https://community.extremenetworks.com/t5/extremecontrol/switch-management-access-using-nac-rules-all-ad-user-can/m-p/89706#M249 Stefan_K_ 2021-08-31T13:28:28Z https://community.extremenetworks.com/t5/extremecontrol/switch-management-access-using-nac-rules-all-ad-user-can/m-p/89707#M250 <P>One could also say: Read the fucking manuel (Step 12).<BR />&nbsp;</P><P>Thanks for the help.</P> Tue, 31 Aug 2021 16:25:50 GMT https://community.extremenetworks.com/t5/extremecontrol/switch-management-access-using-nac-rules-all-ad-user-can/m-p/89707#M250 DeoHeo 2021-08-31T16:25:50Z