This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Extreme Control Rule and AD

Extreme Control Rule and AD

Go to solution
Ian_Broadway
New Contributor III

‎09-29-2020 02:52 PM

Hi All,

 

I am trying to create Extreme Control rule sets for MAC and .1x authentication.

Is there not a way I can add a group condition to query a LDAP/AD Domain group?

I can see there is an option for LDAP user groups.

 

Also, do Extreme offer some sort of downloadable config for updating DHCP fingerprints.

Its really tedious to have to go in and add lines of code to add custom fingerprints, not to mention having to hunt through a log file to get them in the first place.

 

One other thing, any ideas/thoughts on being able to add if/or conditions into the same rule?

Thanks

Ian

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Miguel-Angel_RO
Valued Contributor II

‎10-13-2020 08:53 AM

Stefan,

 

With a script from @Zdenek Pala (https://github.com/extremenetworks/ExtremeScripting/blob/master/Netsight/oneview_workflows/combo/Use... you can mix both authentications to ensure that the user authentication is done on a computer from the domain:

"Add MAC to Domain Computers" is executed when the computer authenticates. The MAC address is added to End-System and the timestamp is created (updated). Consequent User authentication can be combined with the condition of the End-System group. "Clear old End-Systems in the group" checks if the timestamp is older than X hours and old End-Systems are deleted from the group.

 

Mig

View solution in original post

0 Kudos
47 REPLIES 47

Go to solution
PeterK
Contributor III

‎10-01-2020 10:41 AM

If Nested Groups are used then you need to add each nested group to the list and use mode “Match Any”. I saw a customer automated this task through API calls.

Of course, but this is only a dirty workaround and not a solution. I hope Extreme will support this in the future.

0 Kudos

Go to solution
Zdeněk_Pala
Extreme Employee

‎10-01-2020 10:12 AM

If Nested Groups are used then you need to add each nested group to the list and use mode “Match Any”. I saw a customer automated this task through API calls.

Regards Zdeněk Pala
0 Kudos

Go to solution
PeterK
Contributor III

‎10-01-2020 09:45 AM

I think the problem of Ian ist, that Extreme Control does not support checking ldap attributes of nested group memberships.

You can only check ldap attributes where the account is direct assigned

0 Kudos

Go to solution
Zdeněk_Pala
Extreme Employee

‎10-01-2020 08:53 AM

Hi,

for some rule components you have “OR” and “AND” already:

c34745203f6b4c3faeed7b37bcfbf3dd_97cd5ef1-e701-4258-9d27-8948930556e1.png

 

regarding the DHCP fingerprinting, here is a new GitHub repository. Feel free to contribute 🙂

 

Regards Zdeněk Pala
0 Kudos

Go to solution
Ian_Broadway
New Contributor III

‎10-01-2020 06:42 AM

Thank you, i’ll ask the AD guys to check the account permissions for the account used for the LDAP config.

0 Kudos
GTM-P2G8KFN