09-29-2020 02:52 PM
Hi All,
I am trying to create Extreme Control rule sets for MAC and .1x authentication.
Is there not a way I can add a group condition to query a LDAP/AD Domain group?
I can see there is an option for LDAP user groups.
Also, does Extreme offer some sort of downloadable config for updating DHCP fingerprints?
It's really tedious to have to go in and add lines of code to add custom fingerprints, not to mention having to hunt through a log file to get them in the first place.
One other thing, any ideas/thoughts on being able to add if/or conditions into the same rule?
Thanks
Ian
10-13-2020 08:53 AM
Stefan,
With a script from
"Add MAC to Domain Computers" is executed when the computer authenticates. The MAC address is added to End-System and the timestamp is created (updated). Consequent User authentication can be combined with the condition of the End-System group. "Clear old End-Systems in the group" checks if the timestamp is older than X hours and old End-Systems are deleted from the group.
Mig
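The two scripts described above (stamp the MAC into an End-System group on computer authentication, then age entries out after X hours) amount to a small state machine, and the user-authentication rule only passes when the MAC is still in that group. The following is an added Python model of that logic, not the script from the thread or any Extreme Management Center API; the event list, MAC addresses, identities and the 8-hour window are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from a real deployment):
# (timestamp, client MAC, authentication kind, identity seen by NAC)
T0 = datetime(2020, 10, 13, 8, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    (T0,                          "00:11:22:33:44:55", "computer", "host/ws-0042.corp.example.com"),
    (T0 + timedelta(minutes=20),  "00:11:22:33:44:55", "user",     "CORP\\jdoe"),   # same machine, fresh
    (T0 + timedelta(minutes=30),  "66:77:88:99:AA:BB", "user",     "CORP\\guest"),  # never machine-authed
    (T0 + timedelta(hours=9),     "00:11:22:33:44:55", "user",     "CORP\\jdoe"),   # machine entry is stale
]


class DomainComputersGroup:
    """Models the 'Domain Computers' End-System group: MAC -> last computer-auth time."""

    def __init__(self, max_age: timedelta):
        self.max_age = max_age
        self._seen: dict[str, datetime] = {}

    def add_mac(self, mac: str, when: datetime) -> None:
        # "Add MAC to Domain Computers": create the entry or refresh its timestamp.
        self._seen[mac.lower()] = when

    def contains(self, mac: str) -> bool:
        return mac.lower() in self._seen

    def clear_old(self, now: datetime) -> list[str]:
        # "Clear old End-Systems in the group": drop entries older than max_age.
        stale = [m for m, t in self._seen.items() if now - t > self.max_age]
        for m in stale:
            del self._seen[m]
        return stale


def evaluate(events, max_age: timedelta) -> list[tuple[str, str, bool]]:
    """Replay events; a user auth is accepted only if its MAC is still in the group.

    The cleanup job is modelled as running just before each event is processed.
    Returns (identity, kind, accepted) per event.
    """
    group = DomainComputersGroup(max_age)
    decisions = []
    for when, mac, kind, identity in events:
        group.clear_old(when)
        if kind == "computer":
            group.add_mac(mac, when)
            decisions.append((identity, "computer-auth", True))
        else:
            decisions.append((identity, "user-auth", group.contains(mac)))
    return decisions


def run_sample() -> list[tuple[str, str, bool]]:
    return evaluate(SAMPLE_EVENTS, timedelta(hours=8))


if __name__ == "__main__":
    for identity, kind, accepted in run_sample():
        print(f"{identity:32} {kind:14} {'accept' if accepted else 'reject'}")
```

The third and fourth events show the two failure modes the group condition is meant to catch: a user logging in from a device that never did computer authentication, and a user whose device's entry has already been aged out, so the MAC must re-authenticate as a computer before the user rule passes again.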
10-12-2020 07:05 PM
Hello Stefan,
Here you can see how to configure Windows for Computer and/or User authentication with EAP. This is the basis for the mentioned KB article from Mig.
https://extremeportal.force.com/ExtrArticleDetail?an=000080814&q=nuc%20802.1x%20ldap%20user%20
Regards
Stephan
10-12-2020 06:40 PM
Thanks, will test this out! 🙂
10-12-2020 06:34 PM
You need to configure this in the 802.1x supplicant in Windows. The default is afaik computer-account. But you can also choose computer and/or computer account. When a user logs in, the identity switches from computer account to user account.
10-12-2020 05:42 PM
Hi guys,
Just a short question on this topic. When using 802.1x computer authentication, the user column in ExtremeControl is populated with host\computername.domain.tld
Is there any way to additionally check for the user that is logged on to the computer? I want to use the client certificate to authenticate and the user to authorise based on the user's AD groups.
BR
Stefan
10-12-2020 02:03 PM
Ian
There is a way to configure the NAC for host authentication that doesn't seem obvious but needs to be followed.
You must create an LDAP connection for user authentication and one for computer authentication.
For the computer authentication (almost a copy of the user one) you must use "servicePrincipalName" as "user search attribute", because the computer is in fact doing a "user authentication" with its own credentials.
You'll have to adapt your AAA authentication rules to send computer authentications (host/*.ldap.domain) to the "computers ldap".
Check this for the config and let me know:
Mig
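To make the routing in this post concrete: the AAA rule matches the EAP identity against a host/*.domain pattern to choose the LDAP configuration, and the computer configuration searches servicePrincipalName instead of the user attribute because the machine presents host/<fqdn> as its "user name". The Python below is an added illustration, not ExtremeControl code or its API; the connection names, the AAA patterns, the sample identities and the filter shapes are assumptions. It also escapes the identity per RFC 4515 before it is placed in a filter, which any LDAP-backed authorisation check should do so that an identity string cannot change the meaning of the query.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Hypothetical AAA rules modelled on "host/*.ldap.domain -> computers ldap";
# first match wins and the last rule is the catch-all for user authentications.
AAA_RULES = [
    ("host/*.corp.example.com", "computers-ldap"),
    ("*", "users-ldap"),
]

# Constructed sample identities (not taken from a real deployment).
SAMPLE_IDENTITIES = [
    "host/ws-0042.corp.example.com",  # 802.1x computer authentication
    "CORP\\jdoe",                      # user authentication, DOMAIN\user form
    "jdoe@corp.example.com",           # user authentication, UPN form
]

# RFC 4515 filter escapes; backslash goes first so the escapes are not re-escaped.
_FILTER_ESCAPES = (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00"))
_HOST_RE = re.compile(r"^host/(?P<fqdn>[^/\\@]+)$", re.IGNORECASE)


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    for raw, esc in _FILTER_ESCAPES:
        value = value.replace(raw, esc)
    return value


def select_connection(identity: str) -> str:
    """Pick the LDAP configuration the AAA rules would send this identity to."""
    ident = identity.strip().lower()
    for pattern, connection in AAA_RULES:
        if fnmatchcase(ident, pattern):
            return connection
    raise ValueError(f"no AAA rule matched {identity!r}")


def classify_identity(identity: str) -> tuple[str, str]:
    """Return ('computer', fqdn) for host/<fqdn> identities, else ('user', account)."""
    ident = identity.strip()
    m = _HOST_RE.match(ident)
    if m:
        return "computer", m.group("fqdn").lower()
    if "\\" in ident:           # DOMAIN\user -> user
        ident = ident.split("\\", 1)[1]
    elif "@" in ident:          # user@realm -> user
        ident = ident.split("@", 1)[0]
    if not ident:
        raise ValueError(f"empty account name in {identity!r}")
    return "user", ident


@dataclass(frozen=True)
class LdapLookup:
    connection: str        # which LDAP configuration handles the lookup
    search_attribute: str  # the "user search attribute" for that configuration
    search_filter: str     # the resulting RFC 4515 filter


def build_lookup(identity: str) -> LdapLookup:
    """Route the identity and build the filter the matching LDAP configuration would run."""
    kind, value = classify_identity(identity)
    connection = select_connection(identity)
    if kind == "computer":
        # The machine's SPN has the same host/<fqdn> shape as its EAP identity,
        # which is why servicePrincipalName is the right search attribute here.
        spn = ldap_filter_escape("host/" + value)
        return LdapLookup(connection, "servicePrincipalName",
                          f"(&(objectClass=computer)(servicePrincipalName={spn}))")
    account = ldap_filter_escape(value)
    return LdapLookup(connection, "sAMAccountName",
                      f"(&(objectClass=user)(sAMAccountName={account}))")


if __name__ == "__main__":
    for ident in SAMPLE_IDENTITIES:
        lk = build_lookup(ident)
        print(f"{ident:32} -> {lk.connection:14} {lk.search_attribute}: {lk.search_filter}")
```

The AAA pattern is matched case-insensitively because supplicants are not consistent about the case of host/ and the FQDN; the SPN search value is built from the lower-cased FQDN for the same reason. Note that the thread's ExtremeControl screenshots show the identity as host\computername.domain.tld, while the AAA rule uses the forward-slash form that the supplicant actually sends; this example parses the latter.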