This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

XCC Control CoA

XCC Control CoA

kbetsis
New Contributor

‎03-16-2023 07:04 AM

Dear all,

I am trying to create a scenario where users are blocked depending on their memberOf attribute on an LDAP.

 

Initially all users are enabled on a generic LDAP group let's call it "allow_all".

An administrator will be able to move users to another group called "blocked".

 

Is it possible to have the XCC Control monitor this memberOf change every X seconds/minutes and if matched issue a CoA through the RADIUS interface to the AP for disconnecting the user or moving him to a different VLAN with no internet access?

 

Thank you

0 Kudos
2 REPLIES 2

Aimeehooper
New Contributor

‎08-22-2023 09:52 PM - edited ‎08-22-2023 09:54 PM

Hello, Yes it's possible. You can configure XCC Control to periodically poll the LDAP server for changes in the memberOf attribute. If a user is detected as being moved to the "blocked" group, XCC Control can then send a CoA (Change of Authorization) request through the RADIUS interface to the AP, either disconnecting the user or moving them to a different VLAN without internet access.  Home Depot MyTHDHR

Thanks

MyTHDHR
0 Kudos

Adam_Minowski
Extreme Employee

‎07-27-2023 12:00 AM

I would say, in my opinion you have few options. One is simple, the rest are quite sophisticated.

1. Use dot1x reauthentication on switches - configure wanted reauth period and switches will reauthenticate dot1x sessions periodically. When user group membership change in the meantime, Extreme Control will change authorization profile. It has one drawback though - each dot1x session will be reauthenticated periodically, no matter if anything changes or not.

2.  Use API and workflows. Draft idea would be to create workflow which you can run periodically. Workflow could use API to fetch NAC authenticated sessions, then it could poll LDAP, and if group membership changes then send API call to NAC to reauthenticate particular session. 

3. Use self developed script or program which would somehow piggyback LDAP and will react on membership changes. Such program could then send API calls to Control, first to fetch MAC of user for whom membership changed, seconddly to reauthenticate user's MAC.

https://emc.extremenetworks.com/content/oneview/docs/connect/docs/netsight_device_web_service/nac_en... 

0 Kudos
GTM-P2G8KFN