
Extreme Control Rule and AD


Ian_Broadway
New Contributor III

Hi All,

 

I am trying to create Extreme Control rule sets for MAC and .1x authentication.

Is there not a way I can add a group condition to query a LDAP/AD Domain group?

I can see there is an option for LDAP user groups.

 

Also, do Extreme offer some sort of downloadable config for updating DHCP fingerprints.

It's really tedious to have to go in and add lines of code to add custom fingerprints, not to mention having to hunt through a log file to get them in the first place.

 

One other thing, any ideas/thoughts on being able to add if/or conditions into the same rule?

Thanks

Ian

1 ACCEPTED SOLUTION

Miguel-Angel_RO
Valued Contributor II

Stefan,

 

With a script from @Zdenek Pala (https://github.com/extremenetworks/ExtremeScripting/blob/master/Netsight/oneview_workflows/combo/Use... you can mix both authentications to ensure that the user authentication is done on a computer from the domain:

"Add MAC to Domain Computers" is executed when the computer authenticates. The MAC address is added to End-System and the timestamp is created (updated). Consequent User authentication can be combined with the condition of the End-System group. "Clear old End-Systems in the group" checks if the timestamp is older than X hours and old End-Systems are deleted from the group.

 

Mig



SDR
New Contributor III

Hi Mig,

 

it WAS the server certificate validation in the windows client.

Thanks for this hint.

So, now, the machine successfully authenticates with NAC.

According to the documents linked above, there should be an additional authentication, when an AD user logs in.

But this does not work. We configured everything from scratch this morning. After the machine has been authenticated successfully, no further authentication takes place when the user logs in on the client.

 

😞

 

 

Miguel-Angel_RO
Valued Contributor II

Hi SDR,

 

This seems to be the server certificate validation in the Windows client.

In the 802.1X parameters on the Windows PC can you disable the server certificate validation?

The alternative is to add the root certificate corresponding to the RADIUS certificate to the Windows client.

Also ensure to perform only computer authentication, the default is user.computer authentication.

Regards

Mig

SDR
New Contributor III

Hi all,

 

Unfortunately I can only make photos, no screenshots (not my client).

See below.

TESTING the “username = host/….” within the LDAP-configurator test-function and the Config-Eval-Tool is successful, however.


 

SDR
New Contributor III

OK - so we don't have to worry about the “username” anymore.

Regarding the Rule: that's how we configure it.

Rule Authentication “802.1x” (not with “(PEAP)”; I assume that we use the superior level this way),

validating the existence of “user” in the endsystems-group (configured and tested according to the documentation Peter advised me, using Profile “assign my vlan”….

Miguel-Angel_RO
Valued Contributor II

SDR,

 

That’s normal.

You do a “computer authentication” but the computer is doing an authentication with its own “username”.

The username and password are from the AD computer account.

The rules you are going to build must take this into account. You must match a “username” for a computer.

Here is an example from a running system:


 

Mig
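The rule logic that the accepted solution and this reply describe (a computer authenticates with its `host/...` machine-account username, its MAC is added to an End-System group with a timestamp, a later user authentication is only accepted when the MAC is in that group, and stale entries are purged after X hours) modelled as a stand-alone script. This is an added example, not the thread's or Extreme Networks' own workflow code; the group name, the 8-hour TTL, the profile names and the event format are assumptions.

```python
# Added example (not from the thread or Extreme Networks): a stand-alone model of the
# "machine auth first, then user auth from a domain computer" rule logic.
from datetime import datetime, timedelta

DOMAIN_COMPUTERS = {}          # assumed End-System group: MAC -> last computer-auth time
MAX_AGE = timedelta(hours=8)   # the "X hours" from the thread; 8 is an assumed value

def is_computer_auth(username: str) -> bool:
    """AD machine accounts authenticate as 'host/<name>.<domain>', as seen in the thread."""
    return username.lower().startswith("host/")

def add_mac_to_domain_computers(mac: str, now: datetime) -> None:
    """'Add MAC to Domain Computers': record or refresh the timestamp for this MAC."""
    DOMAIN_COMPUTERS[mac.lower()] = now

def clear_old_end_systems(now: datetime) -> list:
    """'Clear old End-Systems in the group': drop MACs not refreshed within MAX_AGE."""
    stale = [m for m, t in DOMAIN_COMPUTERS.items() if now - t > MAX_AGE]
    for m in stale:
        del DOMAIN_COMPUTERS[m]
    return stale

def evaluate(event: dict) -> str:
    """Return the (assumed) profile a rule set would assign for one auth event."""
    mac, user, now = event["mac"].lower(), event["username"], event["time"]
    if is_computer_auth(user):
        add_mac_to_domain_computers(mac, now)
        return "Domain Computer"
    seen = DOMAIN_COMPUTERS.get(mac)
    if seen is not None and now - seen <= MAX_AGE:
        return "Domain User"       # user auth AND the end-system is in the group
    return "Quarantine"            # user auth from an unknown or stale machine

def run_sample() -> tuple:
    """Replay constructed sample events; return (profiles, MACs purged afterwards)."""
    DOMAIN_COMPUTERS.clear()
    t0 = datetime(2024, 1, 1, 8, 0)
    events = [  # constructed sample data, not real authentications
        {"mac": "AA:BB:CC:00:00:01", "username": "host/pc1.corp.example", "time": t0},
        {"mac": "AA:BB:CC:00:00:01", "username": "CORP\\alice", "time": t0 + timedelta(minutes=5)},
        {"mac": "AA:BB:CC:00:00:02", "username": "CORP\\bob", "time": t0 + timedelta(minutes=6)},
        {"mac": "AA:BB:CC:00:00:01", "username": "CORP\\alice", "time": t0 + timedelta(hours=9)},
    ]
    profiles = [evaluate(e) for e in events]
    purged = clear_old_end_systems(t0 + timedelta(hours=9))
    return profiles, purged

if __name__ == "__main__":
    print(run_sample())
```

The fourth event shows the expiry edge case: a user logging in on a machine whose computer authentication is older than the TTL is treated like an unknown machine, which is why the cleanup job and the TTL need to match the real re-authentication interval.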
