IDM-RBAC POLICY

EtherNation_Use
Contributor II
Create Date: Mar 26 2013 12:35AM

Hi,

Is there a way or policy in Ridgeline IDM-RBAC to block a non-AD user if he tries to connect to an Extreme switch, so that he will not be able to acquire a DHCP IP address because he is not a member of the Active Directory?

Thanks.

-qw (from Carlo_Bons)

EtherNation_Use
Contributor II
Create Date: Mar 27 2013 6:38PM

Ok, so "working properly" means that it is denying DHCP to the client? I am interested in what the policy looks like, as I don't understand how you can check AD without an IP address on the client.

As for the issue, there are a few things I would check. Did you configure something in IDM through the CLI? If so, that will not work; you need to configure it all from Ridgeline. Also, you need to be running the latest SR for 15.2; there were a few issues with earlier versions not syncing. Lastly, make sure that you have the latest release of Ridgeline.

If none of those work then I would recommend opening a case with TAC.

Hope that helps.

Thanks
P (from Paul_Russo)

EtherNation_Use
Contributor II
Create Date: Mar 27 2013 12:47AM

Thanks Sir.

Anyway,

I am implementing Ridgeline's IDM & RBAC at a client. Last Monday this was working properly; I had already done the Roles and Policies for my testing, but come Tuesday (yesterday) it didn't work anymore. I have this problem in RBAC: "NOT_IN_SYNC" in the configuration state. Do you have any resolution for this kind of problem? I tried disabling and re-enabling IDM & RBAC, but the "NOT_IN_SYNC" is still there. Please help.

-qw (from Carlo_Bons)

EtherNation_Use
Contributor II
Create Date: Mar 26 2013 8:21PM

Hello Please help

The only thing I can think of is to use some type of network login, either web-based (think captive portal), where the switch gives a user a temp IP until they are authenticated and then they get a real IP address. This would require RADIUS talking to the AD domain.

IDM only kicks in once the user tries to talk to the AD, which means they already have an IP address. If they are unauthenticated you can then restrict where they can go, but they will already have an IP address.

The problem is that you need an authenticated user to get an IP to get verified by the domain, so you have to let a station get an IP first. Web-based netlogin gives out a fake temp IP, and if they are not authenticated they will never get a real IP address from the server.

Hope that helps

P

(from Paul_Russo)