01-27-2021 02:15 PM
Hi all,
We are planning to set up authenticated registration for BYOD devices. Users will log in on the portal using their LDAP credentials to register the MAC addresses of their BYOD device(s).
As far as I know, registering a device actually adds its MAC address to a pre-defined End-System Group.
When this device accesses the network, it will authenticate using its MAC address.
We can configure an expiration timer after which the user needs to re-register the device(s), but we want to know if there is a way to automatically disable network access for these registered devices (= delete the MAC from the end-system group) when a user leaves the company, i.e. when the AD account is locked/disabled/deleted.
Another solution would be to have an expiration timer, which takes the last active time into account, so the MAC gets deleted if the device was not active for X days.
Is this possible?
Thanks!
01-27-2021 02:46 PM
Hello,
there is no direct feedback from the AD into the NAC.
The expiration timer may not help here either. This is valid for all MAC addresses. I.e. if this is set to 10 days then not only the MACs that are in the group for BYOD are deleted but also e.g. the MACs of the colleagues who are currently on vacation.
But you can delete users and MACs via the NBI API. Therefore you could create an API call in an arbitrary programming language that is triggered automatically or manually when a user is deleted in AD to delete the MAC in the XMC database.
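The reconciliation the answer above sketches, as an added example that is not code from this thread or from Extreme Networks: a script that takes the portal's BYOD registrations (MAC, owning sAMAccountName, last-seen time), the set of accounts that are still enabled in AD, and a group-scoped idle limit, decides which MACs lose access, and builds the NBI GraphQL requests that remove them from the BYOD end-system group. Aging is applied only to this group's entries, so it does not touch MACs in other groups the way the global Age End-Systems setting would. Assumed and to be verified against your own XMC (the NBI schema browser at https://<xmc>:8443/nbi/graphiql): the group name `BYOD-Registered`, the mutation `accessControl.removeMACFromEndSystemGroup` with input fields `group` and `value`, support for GraphQL variables, and HTTP Basic authentication for the NBI. The sample registrations and user set are constructed for an offline run; `send_mutation` is the only function that talks to the network and is not called by the demo.

```python
import base64
import json
import re
import ssl
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# End-system group the registration portal populates, and the idle limit for
# that group only. Both are assumed values for this example.
BYOD_GROUP = "BYOD-Registered"
IDLE_DAYS = 30

# Assumed NBI mutation; confirm the name and input fields in your XMC's schema
# browser before relying on it. Group and MAC travel as GraphQL variables and
# are never spliced into the query string.
REMOVE_MUTATION = (
    "mutation($group: String!, $value: String!) {"
    " accessControl {"
    "  removeMACFromEndSystemGroup(input: {group: $group, value: $value}) {"
    "   status message } } }"
)

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


@dataclass(frozen=True)
class Registration:
    mac: str             # as stored by the portal, in any common notation
    user: str            # sAMAccountName captured at registration
    last_seen: datetime  # last time NAC saw the end-system (UTC)


def normalize_mac(mac: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff; rejects anything that is not 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def revocations(registrations, active_users, now, idle_days=IDLE_DAYS):
    """
    Return (mac, reason) pairs for MACs that should leave BYOD_GROUP.

    active_users: sAMAccountNames currently enabled in AD, e.g. from an LDAP
    search that excludes the ACCOUNTDISABLE bit:
      (&(objectCategory=person)(objectClass=user)
        (!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    A user who was disabled OR deleted is simply absent from that set, so one
    membership test covers both. Lockouts are transient and deliberately not a
    trigger here; add locked accounts to the feed yourself if you want them.
    """
    active = {u.lower() for u in active_users}
    cutoff = now - timedelta(days=idle_days)
    result = []
    for reg in registrations:
        mac = normalize_mac(reg.mac)
        if reg.user.lower() not in active:
            result.append((mac, f"owner {reg.user} is not an enabled AD account"))
        elif reg.last_seen < cutoff:
            idle = (now - reg.last_seen).days
            result.append((mac, f"idle for {idle} days (limit {idle_days})"))
    return result


def build_mutation(mac: str, group: str = BYOD_GROUP) -> dict:
    """GraphQL request body for one removal; the MAC is validated first."""
    return {"query": REMOVE_MUTATION,
            "variables": {"group": group, "value": normalize_mac(mac)}}


def send_mutation(xmc_host, username, password, body, cafile=None):
    """POST one mutation to the NBI (assumed: Basic auth, port 8443, /nbi/graphql).
    The XMC certificate is verified; pass cafile for a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{xmc_host}:8443/nbi/graphql",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


# Constructed sample data for an offline run.
NOW = datetime(2021, 1, 27, 14, 0, tzinfo=timezone.utc)
SAMPLE_REGISTRATIONS = [
    Registration("aa:bb:cc:dd:ee:01", "alice", NOW - timedelta(days=2)),   # keep
    Registration("AA-BB-CC-DD-EE-02", "bob",   NOW - timedelta(days=1)),   # bob disabled
    Registration("aabb.ccdd.ee03",    "carol", NOW - timedelta(days=45)),  # idle too long
    Registration("aa:bb:cc:dd:ee:04", "dave",  NOW - timedelta(days=60)),  # dave deleted
]
SAMPLE_ACTIVE_USERS = {"alice", "carol", "erin"}


def demo():
    """Decisions plus the request body each one would send."""
    return [(mac, reason, build_mutation(mac))
            for mac, reason in revocations(SAMPLE_REGISTRATIONS, SAMPLE_ACTIVE_USERS, NOW)]


if __name__ == "__main__":
    for mac, reason, body in demo():
        print(mac, "->", reason, json.dumps(body["variables"]))
```

Run it as a scheduled job (or from the same trigger that disables the account in AD) and feed `send_mutation` each body from `demo()`; an account is taken out of the group before the next MAC authentication, while MACs in every other end-system group are left alone.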
01-27-2021 02:54 PM
Stephan,
That was what I was afraid of.
If really needed, the API could indeed be an option.
01-27-2021 02:41 PM
Hi Brian,
Thanks for the quick reply. I completely forgot about that setting, thanks!
01-27-2021 02:34 PM
You can do this part in XMC/Administration/Options/Access Control/Data Persistence. Under Age End-Systems you can set the number of days after which a device that hasn't talked to NAC will be deleted. By default I believe it is set to 90 days.