
Extreme Control Rule and AD

Ian_Broadway
New Contributor III

Hi All,

I am trying to create Extreme Control rule sets for MAC and .1x authentication.

Is there not a way I can add a group condition to query a LDAP/AD Domain group?

I can see there is an option for LDAP user groups.

Also, do Extreme offer some sort of downloadable config for updating DHCP fingerprints.

It's really tedious to have to go in and add lines of code to add custom fingerprints, not to mention having to hunt through a log file to get them in the first place.

One other thing, any ideas/thoughts on being able to add if/or conditions into the same rule?

Thanks

Ian

1 ACCEPTED SOLUTION

Miguel-Angel_RO
Valued Contributor II

Stefan,

With a script from @Zdenek Pala (https://github.com/extremenetworks/ExtremeScripting/blob/master/Netsight/oneview_workflows/combo/Use...) you can mix both authentications to ensure that the user authentication is done on a computer from the domain:

"Add MAC to Domain Computers" is executed when the computer authenticates. The MAC address is added to End-System and the timestamp is created (updated). Consequent User authentication can be combined with the condition of the End-System group. "Clear old End-Systems in the group" checks if the timestamp is older than X hours and old End-Systems are deleted from the group.

Mig
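To make the combined MAC-then-user flow above concrete, here is an added stand-alone simulation of its logic (example code written for this thread, not the ExtremeScripting workflow itself or any Extreme Control API). The End-System group name, the MAC addresses and the "X hours" value are assumptions.

```python
from datetime import datetime, timedelta

# Simulation of the two-step workflow from the accepted answer: MAC auth
# puts the computer in an End-System group, the user rule requires that
# group, and a cleanup job expires stale entries. Names/values assumed.
DOMAIN_COMPUTERS = "Domain Computers"   # End-System group (assumed name)
MAX_AGE_HOURS = 8                        # the post's "X hours" (assumed)

class EndSystemGroups:
    """End-System group membership keyed by MAC with last MAC-auth time."""

    def __init__(self):
        self.groups = {DOMAIN_COMPUTERS: {}}   # group -> {mac: last_seen}

    def add_mac_to_domain_computers(self, mac, now):
        # "Add MAC to Domain Computers": runs when a domain-joined computer
        # passes MAC authentication; creates or refreshes the timestamp.
        self.groups[DOMAIN_COMPUTERS][mac.lower()] = now

    def user_auth_allowed(self, mac, user_in_ldap_group):
        # 802.1X user rule: LDAP user-group condition AND End-System group
        # condition, so a valid account on a non-domain machine is denied.
        in_group = mac.lower() in self.groups[DOMAIN_COMPUTERS]
        return bool(user_in_ldap_group and in_group)

    def clear_old_end_systems(self, now):
        # "Clear old End-Systems in the group": drop entries older than
        # MAX_AGE_HOURS so a stale MAC cannot vouch for a later user login.
        cutoff = now - timedelta(hours=MAX_AGE_HOURS)
        members = self.groups[DOMAIN_COMPUTERS]
        stale = [mac for mac, seen in members.items() if seen < cutoff]
        for mac in stale:
            del members[mac]
        return stale

def demo():
    # Constructed sample timeline, not data from the thread.
    groups = EndSystemGroups()
    t0 = datetime(2020, 10, 1, 8, 0)
    groups.add_mac_to_domain_computers("00:11:22:AA:BB:CC", t0)
    results = {
        "domain_pc": groups.user_auth_allowed("00:11:22:aa:bb:cc", True),
        "byod": groups.user_auth_allowed("00:11:22:dd:ee:ff", True),
        "wrong_group": groups.user_auth_allowed("00:11:22:aa:bb:cc", False),
    }
    # Nine hours later the cleanup runs; the 8:00 entry is now stale.
    results["cleared"] = groups.clear_old_end_systems(t0 + timedelta(hours=9))
    results["after_cleanup"] = groups.user_auth_allowed("00:11:22:aa:bb:cc", True)
    return results
```

The "after_cleanup" case is the reason the timestamp matters: without expiry, a MAC seen once would keep satisfying the End-System condition indefinitely.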


Ian_Broadway
New Contributor III

That's fine, but the issue is the manual process of adding fingerprints.

Some things on the Medical subnet might not be classed as a medical device based on the default fingerprints, hence the reason to reference the multiple conditions in a rule.

It would be ideal if the invert option was alongside an OR and an AND statement.

Miguel-Angel_RO
Valued Contributor II

Ian,

A workaround could be to define a new devicegroup including all the fingerprints you are looking for and match this group.

Mig

Ian_Broadway
New Contributor III

So is there a way you can make the conditions in a rule be OR conditions?

At the moment any conditions in the rule all have to be matched?

For example, I have a rule for medical devices. I would like it so that if fingerprinting determines it's a "medical device" it will hit this rule, or if it's part of a certain VLAN/subnet which I know for a fact is solely for medical devices.

Or do I have to have multiple rules to be able to capture this behaviour?

Ian_Broadway
New Contributor III

Yep, looks like it could well be an account issue, as I'm getting this error on the Appliance:

2020-10-01 15:58:41,919 ERROR [com.enterasys.tesNb.server.freeradius.files.SambaInstallationManager] (EnforceHandler - Off Thread Notify Listeners0:) Failed to join domain: "removed" for user: "removed" with error code: 255
        ADS join did not work, falling back to RPC...
        Failed to join domain: User specified does not have administrator privileges
        Failed to join domain: failed to find DC for domain "removed" - {Operation Failed} The requested operation was unsuccessful.

Ian_Broadway
New Contributor III

It's not a nested group actually, but if I'm honest anything that makes the integration better is a win for sure. It's a global security group that sits in an OU along with other security groups. It does not belong to other groups.

It's the group all domain-joined PCs/laptops become a member of when joined to the domain.

The other groups I referenced above are also part of the same OU, yet the host only reports the memberOf attributes of the other two groups, not the Domain Computers one.

Still waiting on the permissions check with the account used in the LDAP config.

Will let you know if this solves it.