Extreme Control Rule and AD

Ian_Broadway
New Contributor III

Hi All,

 

I am trying to create Extreme Control rule sets for MAC and .1x authentication.

Is there not a way I can add a group condition to query an LDAP/AD Domain group?

I can see there is an option for LDAP user groups.

 

Also, do Extreme offer some sort of downloadable config for updating DHCP fingerprints?

It's really tedious to have to go in and add lines of code to add custom fingerprints, not to mention having to hunt through a log file to get them in the first place.

 

One other thing, any ideas/thoughts on being able to add if/or conditions into the same rule?

Thanks

Ian

1 ACCEPTED SOLUTION

Miguel-Angel_RO
Valued Contributor II

Stefan,

 

With a script from @Zdenek Pala (https://github.com/extremenetworks/ExtremeScripting/blob/master/Netsight/oneview_workflows/combo/Use...) you can mix both authentications to ensure that the user authentication is done on a computer from the domain:

"Add MAC to Domain Computers" is executed when the computer authenticates. The MAC address is added to End-System and the timestamp is created (updated). Consequent User authentication can be combined with the condition of the End-System group. "Clear old End-Systems in the group" checks if the timestamp is older than X hours and old End-Systems are deleted from the group.

 

Mig
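
The logic described in the accepted solution above, as an added Python model: this is not part of the original post and not the code of the GitHub workflows. The class and method names, the 12-hour expiry and the MAC addresses are constructed for illustration.

```python
from datetime import datetime, timedelta

class DomainComputersGroup:
    """Model of an End-System group keyed by MAC, with a last-seen timestamp."""

    def __init__(self, max_age_hours):
        self.max_age = timedelta(hours=max_age_hours)  # the "X hours" from the post
        self.members = {}  # normalized MAC -> time of last computer authentication

    @staticmethod
    def _norm(mac):
        # Accept AA-BB-.., aa:bb:.. or aabb.ccdd.eeff; store one canonical form.
        digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
        if len(digits) != 12:
            raise ValueError(f"not a MAC address: {mac!r}")
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

    def on_computer_auth(self, mac, now):
        """'Add MAC to Domain Computers': add the MAC or refresh its timestamp."""
        self.members[self._norm(mac)] = now

    def clear_old(self, now):
        """'Clear old End-Systems in the group': drop entries older than X hours."""
        stale = [m for m, seen in self.members.items() if now - seen > self.max_age]
        for mac in stale:
            del self.members[mac]
        return stale

    def user_rule_matches(self, mac, user_auth_ok):
        """User rule: user authentication succeeded AND the MAC is in the group."""
        return user_auth_ok and self._norm(mac) in self.members


def demo():
    t0 = datetime(2024, 1, 1, 8, 0)                   # constructed timeline
    group = DomainComputersGroup(max_age_hours=12)    # constructed value for X
    group.on_computer_auth("00-11-22-AA-BB-CC", t0)   # constructed MAC
    results = []
    # User authenticates from the machine that did computer auth: rule matches.
    results.append(group.user_rule_matches("00:11:22:aa:bb:cc", True))
    # Valid user credentials from a machine never seen in computer auth: no match.
    results.append(group.user_rule_matches("00:11:22:dd:ee:ff", True))
    # Cleanup 13 hours after the last computer auth removes the entry.
    removed = group.clear_old(t0 + timedelta(hours=13))
    results.append(group.user_rule_matches("00:11:22:aa:bb:cc", True))
    return results, removed

if __name__ == "__main__":
    print(demo())
```

The model makes the dependency visible: a user rule that relies on the group only matches while the last computer authentication is within the X-hour window, so the cleanup interval decides how long a machine stays trusted without re-authenticating.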


47 REPLIES

PeterK
Contributor III

You only need to read and follow the links of the 2nd post in this thread.

SDR
New Contributor III

Hello,

 

I tried to follow your discussion - I failed, however.

Maybe it's not even the problem I'm facing.

 

The customer just wants to authenticate its computers based on whether the computer is an AD member.

We tried to create an end-system group (which will be verified in a rule); however, we do not know how to configure the end-system group to check the AD.

How is this to be configured? What string is to be entered where?

Or is there NO chance to do it “easily”, just with scripting (as mentioned here)?

 

Regarding scripting: I have NO clue what to do with such scripts, or where… 😞

 

Thank you!

Ian_Broadway
New Contributor III

OK, so it says to just use the object category to specify if it's a domain machine or not.

That works for me I think, I'll give it a go.

 

I have created the two LDAP profiles as advised in the guide, will see how it goes.

Zdeněk_Pala
Extreme Employee

Both mentioned workflows are available on GitHub.

Regards Zdeněk Pala
