cancel
Showing results for 
Search instead for 
Did you mean: 

ExtremeCloud™ IQ - Site Engine (XIQ-SE) 23.11.10.41 General Availability (GA) Feature Release

ExtremeCloud™ IQ - Site Engine (XIQ-SE) 23.11.10.41 General Availability (GA) Feature Release

Zdeněk_Pala
Extreme Employee

ExtremeCloud IQ – Site Engine 23.11.10.41 is now live on Extreme Portal, and available to our customers and partners.

This release is a feature release. Enhancements delivered in this release:

Release Notes = https://emc.extremenetworks.com/content/common/releasenotes/release_notes/suite_release_notes.html

Offline (downloadable) documentation = https://documentation.extremenetworks.com/netsight/XIQ-SE/23.11.10/XIQ-SE_23.11.10_Doc_Collection_No...

Thank you!

 

Regards Zdeněk Pala
1 ACCEPTED SOLUTION

GrangeBM
New Contributor

Do you still need the "Control" or AKA as A3 Server License to integrate with Azure (Entra) from Extreme IQ?

We have onsite Microsoft NPS, as a radius. I am hoping this will allow me to ditch the onsite NPS and go direct with Entra.

Do you know if part of the radius on Entra (when used with extreme) if its okay to use USER and DEVICE conditional rules?

Thanks 

View solution in original post

9 REPLIES 9

Evert
New Contributor II

Hi Zdenek,
We ran into an issue with LDAPs to AD Domain controllers. Site Engine now expects a "subject alternative name" with dns name of the endpoint that is configured. We have configured our AD domain name which resolves to all domain controllers, the default certificate on the domain controllers only contains the dns hostname of the DC as a subject alternative name. Do we have to replace the certs on the DC's with one that also contains the dns name for the domain or is there another way around this?
Bye,
Evert.

 

Hi Evert.

I read it seven times but I am not sure I fully follow.

in version 23.11.10 we added the option to use the certificate in the LDAPs communication with LDAPs server. We also validate the server certificate in that case. The certificate is only used if the LDAPs server is defined with FQDN. If you configure LDAPs with IP address then the certificate is not send for LDAPs connection.

I guess your issue will be fixed if you configure your LDAPs URL with IP not with FQDN.

Sincerely yours

 

Regards Zdeněk Pala

Evert
New Contributor II

Hi Zdenek,

Thanks for the reply.
I'll give an example. We have an AD domain ad-domain.company.com with 3 DC's, dc1.ad-domain.company.com, dc2.ad-domain.company.com, etc.
In our case the DNS record for the domain (ad-domain.company.com) resolves to the ip addresses of all 3 domain controllers.

Name: ad-domain.company.com
Addresses: 172.xx.xx.31
                     172.xx.xx.33
                     172.xx.xx.32

This will result in balancing over the Domain controllers.
We configured ldaps://ad-domain.company.com:636 in the LDAP configuration in Site Engine.
The problem seems to be with the certificates on the domain controllers, they contain the dns name of the domain controller (dc1.ad-domain.company.com) as a SAN (and subject), but not the name of the AD Domain. Site engine refuses to connect if the SAN in the certificate doesn't match the configured hostname in the LDAPs URL. And it looks like it's not possible to adjust the certificate template used for the domain controllers to include the dns name of the domain as SAN.
So this upgrade breaks our LDAP configuration.
Something we can do is configure all domain controllers in the LDAP configuration.
Will site engine balance the request between the domain controllers if we do configure all domain controllers in the LDAP config?

Thank you in advance!

Bye,
Evert.

 

Hi Evert

The dynamic LDAP load balancing is not available in ExtremeControl 23.11.10.

I see the following options to explore:

  1. use multiple LDAPs configurations and based on AAA rules select conditions to use one of the LDAPs configurations. each LDAPs configuration have multiple URLs (with different priority). example: location A will use LDAPS-31 as primary and LDAPs-32 as secondary and LDAPs-33 as tertiary. Location B will use LDAPS-33 as primary and LDAPs-31 as secondary and LDAPs-32 as tertiary. Location C will use LDAPS-32 as primary and LDAPs-33 as secondary and LDAPs-31 as tertiary
  2. generate LDAPs certificate with both names: dc1.ad-domain.company.com and ad-domain.company.com
  3. generate wildcard LDAPs certificate
Regards Zdeněk Pala

Evert
New Contributor II

Hi Zdenek,

Thanks for the reply.
Option 2 looks the best.
We have generated new certificates for the domain controllers. It's not possible to change the default "Domain Contollers" template but is is possible to use a different template, so that's what we did.
We will retry the upgrade!
Maybe you can include a warning in the release notes that this new certificate inspection behaviour can break an LDAPs configuration that was working before.

Bye,
Evert.

 

GTM-P2G8KFN