
Extreme Control Rule and AD

Extreme Control Rule and AD

Ian_Broadway
New Contributor III

Hi All,

 

I am trying to create Extreme Control rule sets for MAC and .1x authentication.

Is there not a way I can add a group condition to query an LDAP/AD Domain group?

I can see there is an option for LDAP user groups.

 

Also, do Extreme offer some sort of downloadable config for updating DHCP fingerprints.

It's really tedious to have to go in and add lines of code to add custom fingerprints, not to mention having to hunt through a log file to get them in the first place.

 

One other thing, any ideas/thoughts on being able to add if/or conditions into the same rule?

Thanks

Ian

1 ACCEPTED SOLUTION

Miguel-Angel_RO
Valued Contributor II

Stefan,

 

With a script from @Zdenek Pala (https://github.com/extremenetworks/ExtremeScripting/blob/master/Netsight/oneview_workflows/combo/Use... you can mix both authentications to ensure that the user authentication is done on a computer from the domain:

"Add MAC to Domain Computers" is executed when the computer authenticates. The MAC address is added to End-System and the timestamp is created (updated). Consequent User authentication can be combined with the condition of the End-System group. "Clear old End-Systems in the group" checks if the timestamp is older than X hours and old End-Systems are deleted from the group.

 

Mig
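As an added illustration of the two-step flow described in the accepted solution (machine authentication adds the MAC to an End-System group with a timestamp, the later user authentication is gated on that group, and a scheduled job clears entries older than X hours), here is a small in-memory model. It is example code written for this page, not the script linked above, and the class and function names (DomainComputerGroup, record_machine_auth, run_scenario) and the 8-hour window are assumptions for the example.

```python
"""
Added example: in-memory model of "Add MAC to Domain Computers" plus
"Clear old End-Systems in the group". Not the linked ExtremeScripting
workflow; names and the 8-hour window are chosen for this example.
"""
from datetime import datetime, timedelta, timezone

MAX_AGE_HOURS = 8  # the reply's "X hours"; value assumed for this example


class DomainComputerGroup:
    """End-System group keyed by MAC, each entry carrying its last machine-auth time."""

    def __init__(self, max_age_hours=MAX_AGE_HOURS):
        self.max_age = timedelta(hours=max_age_hours)
        self._members = {}  # normalized MAC -> last machine-auth timestamp (UTC)

    @staticmethod
    def normalize_mac(mac):
        """Accept 00-11-22-AA-BB-CC, 0011.22aa.bbcc, etc.; return aa:bb:cc:dd:ee:ff."""
        hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
        if len(hexdigits) != 12:
            raise ValueError(f"not a MAC address: {mac!r}")
        return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

    def record_machine_auth(self, mac, now):
        """Machine (computer) authentication succeeded: add the MAC or refresh its timestamp."""
        self._members[self.normalize_mac(mac)] = now

    def is_member(self, mac):
        return self.normalize_mac(mac) in self._members

    def clear_old(self, now):
        """Drop entries whose last machine auth is older than max_age; return what was removed."""
        cutoff = now - self.max_age
        stale = sorted(m for m, ts in self._members.items() if ts < cutoff)
        for m in stale:
            del self._members[m]
        return stale


def user_auth_allowed(group, mac, user_credentials_ok):
    """User rule: valid 802.1X user credentials AND the MAC is still in the group."""
    return bool(user_credentials_ok) and group.is_member(mac)


def run_scenario():
    """Constructed timeline: machine auth at 08:00, user auths, then cleanup runs."""
    group = DomainComputerGroup()
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    group.record_machine_auth("00-11-22-AA-BB-CC", t0)
    return {
        "domain_pc_ok": user_auth_allowed(group, "00:11:22:aa:bb:cc", True),
        "unknown_pc_rejected": not user_auth_allowed(group, "00:11:22:aa:bb:cd", True),
        "bad_user_rejected": not user_auth_allowed(group, "00:11:22:aa:bb:cc", False),
        "cleanup_at_7h": group.clear_old(t0 + timedelta(hours=7)),
        "cleanup_at_9h": group.clear_old(t0 + timedelta(hours=9)),
        "still_member_after_cleanup": group.is_member("00:11:22:aa:bb:cc"),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point of the timestamp is that group membership decays: a MAC that was once a domain computer does not stay trusted indefinitely, so a device that later appears with a spoofed MAC but never completes machine authentication again falls out of the group once the cleanup job runs.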


47 REPLIES 47

Miguel-Angel_RO
Valued Contributor II

Ian_Broadway
New Contributor III

We have a group for Domain Computers; when I browse AD I can see my host is a member of 3 groups, one being Domain Computers.

 

I want to use this group to reference as a memberOf attribute in the LDAP host group and then use this as a condition in the rule.

 

When I test my host, it only reports back the other two groups under the memberOf attribute.

 

I've asked my AD guys if they can think of why it doesn't report the Domain Computers back as a value, see below:

[screenshot attachment]

[screenshot attachment]

 

It doesn't report the Domain Computers value. They're all security groups.

 

I’m told the account used in the LDAP config has read access to the Domain, perhaps this is not enough?

Miguel-Angel_RO
Valued Contributor II

Ian,

You can use any attribute referring to the object in the AD.

Your missed test is probably a syntax issue.

Here is an example for the memberOf attribute:

[screenshot attachment]

 

If you want to use another attribute, just change the name of the attribute.

Mig
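To make the memberOf condition concrete, and to cover the earlier question about combining if/or conditions in one rule, here is an added example that evaluates group conditions against attributes as an AD search returns them. It is example code written for this thread, not Extreme Control's own rule engine; the host entry, DNs and SID below are constructed sample data. One caveat worth knowing when testing a condition like the one in the screenshot: Active Directory never lists a principal's primary group in memberOf. The primary group is exposed only through primaryGroupID, and for computer objects that defaults to RID 515, Domain Computers. The example resolves that RID so the condition can optionally include the primary group.

```python
"""
Added example: evaluate "memberOf contains <group DN>" conditions against an
AD-style entry, with AND/OR combination and optional primary-group resolution.
Not Extreme Control's matcher; all DNs, SIDs and names below are constructed.
"""

# Constructed sample: what an LDAP search for the computer object might return.
SAMPLE_HOST = {
    "dn": "CN=LAB-PC01,OU=Workstations,DC=example,DC=local",
    "objectSid": "S-1-5-21-1111-2222-3333-1105",  # made-up SID
    "primaryGroupID": "515",                       # AD default for computers
    "memberOf": [
        "CN=NAC-Workstations,OU=Groups,DC=example,DC=local",
        "CN=WSUS-Clients,OU=Groups,DC=example,DC=local",
    ],
}

# Well-known primary-group RIDs mapped to the group DN they resolve to in the
# constructed example domain. 513 = Domain Users, 515 = Domain Computers.
RID_TO_GROUP_DN = {
    "513": "CN=Domain Users,CN=Users,DC=example,DC=local",
    "515": "CN=Domain Computers,CN=Users,DC=example,DC=local",
}

DOMAIN_COMPUTERS_DN = RID_TO_GROUP_DN["515"]
NAC_WORKSTATIONS_DN = "CN=NAC-Workstations,OU=Groups,DC=example,DC=local"


def normalize_dn(dn):
    """Case-fold and trim around RDN separators so DN comparison is stable."""
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def effective_groups(entry, include_primary=False, rid_map=RID_TO_GROUP_DN):
    """Groups from memberOf, plus the primary group if asked (AD omits it from memberOf)."""
    groups = {normalize_dn(g) for g in entry.get("memberOf", [])}
    if include_primary:
        rid = str(entry.get("primaryGroupID", ""))
        if rid in rid_map:
            groups.add(normalize_dn(rid_map[rid]))
    return groups


def member_of_condition(entry, group_dn, include_primary=False):
    """Single rule condition: entry is a member of group_dn."""
    return normalize_dn(group_dn) in effective_groups(entry, include_primary)


def evaluate_rule(entry, group_dns, match="all", include_primary=False):
    """Combine several group conditions in one rule: match='all' (AND) or 'any' (OR)."""
    results = [member_of_condition(entry, g, include_primary) for g in group_dns]
    if match == "all":
        return all(results)
    if match == "any":
        return any(results)
    raise ValueError("match must be 'all' or 'any'")


if __name__ == "__main__":
    print("NAC-Workstations via memberOf:",
          member_of_condition(SAMPLE_HOST, NAC_WORKSTATIONS_DN))
    print("Domain Computers via memberOf only:",
          member_of_condition(SAMPLE_HOST, DOMAIN_COMPUTERS_DN))
    print("Domain Computers with primary group resolved:",
          member_of_condition(SAMPLE_HOST, DOMAIN_COMPUTERS_DN, include_primary=True))
    print("Either group (OR):",
          evaluate_rule(SAMPLE_HOST, [NAC_WORKSTATIONS_DN, DOMAIN_COMPUTERS_DN], "any"))
```

The practical consequence for a rule set: a condition on a group that is the object's primary group will never match through memberOf alone, so either base the condition on a group the computer was explicitly added to, or have the lookup resolve primaryGroupID as the example does.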

 

Ian_Broadway
New Contributor III

Are you able to use an attribute that isn't returned by the device used for testing the connection?

 

I picked my host as an example, of which I know what domain groups it belongs to.

 

Is it just a memberOf attribute you can use? Or can you use something else?

 

I tried to reference a rule with a memberOf attribute and tested on a specific client from which I took the value, knowing that client is in that AD group, and then specifically tried to get that client to match, but it never did.

 
