
XCC Control CoA

New Contributor

Dear all,

I am trying to create a scenario where users are blocked depending on their memberOf attribute on an LDAP.


Initially all users are enabled on a generic LDAP group, let's call it "allow_all".

An administrator will be able to move users to another group called "blocked".


Is it possible to have the XCC Control monitor this memberOf change every X seconds/minutes and if matched issue a CoA through the RADIUS interface to the AP for disconnecting the user or moving him to a different VLAN with no internet access?


Thank you


New Contributor

Hello, yes, it's possible. You can configure XCC Control to periodically poll the LDAP server for changes in the memberOf attribute. If a user is detected as being moved to the "blocked" group, XCC Control can then send a CoA (Change of Authorization) request through the RADIUS interface to the AP, either disconnecting the user or moving them to a different VLAN without internet access.



Extreme Employee

I would say, in my opinion, you have a few options. One is simple, the rest are quite sophisticated.

1. Use dot1x reauthentication on switches - configure the wanted reauth period and switches will reauthenticate dot1x sessions periodically. When user group membership changes in the meantime, Extreme Control will change the authorization profile. It has one drawback though - each dot1x session will be reauthenticated periodically, no matter if anything changes or not.

2. Use API and workflows. A draft idea would be to create a workflow which you can run periodically. The workflow could use the API to fetch NAC authenticated sessions, then it could poll LDAP, and if group membership changes, send an API call to NAC to reauthenticate the particular session.

3. Use a self-developed script or program which would somehow piggyback on LDAP and react to membership changes. Such a program could then send API calls to Control, first to fetch the MAC of the user for whom membership changed, secondly to reauthenticate the user's MAC.
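
The change-detection core of a script like the one in option 3, as an added example that is not part of the original posts and not Extreme's code. `fetch_member_of`, `lookup_macs` and `reauthenticate` are hypothetical callables standing in for the LDAP query and the two Control API calls, and the group DN is constructed.

```python
from typing import Callable, Dict, Iterable, List, Set

BLOCKED_GROUP_DN = "cn=blocked,ou=groups,dc=example,dc=org"  # constructed DN

Snapshot = Dict[str, Set[str]]  # user -> set of memberOf DNs


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: case-insensitive, and directories
    differ in spacing after commas. Simplification: escaped commas inside
    an RDN value are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def state(snapshot: Snapshot, user: str) -> str:
    """Classify a user in one snapshot as 'missing', 'blocked' or 'allowed'."""
    if user not in snapshot:
        return "missing"
    target = norm_dn(BLOCKED_GROUP_DN)
    blocked = any(norm_dn(g) == target for g in snapshot[user])
    return "blocked" if blocked else "allowed"


def users_to_reauth(previous: Snapshot, current: Snapshot) -> List[str]:
    """Users whose state changed between two polls. A user who vanished
    from LDAP is included too, so a deleted account does not keep a live
    session; the NAC decides the resulting profile on reauthentication."""
    users = sorted(set(previous) | set(current))
    return [u for u in users if state(previous, u) != state(current, u)]


def poll_once(previous: Snapshot,
              fetch_member_of: Callable[[], Snapshot],
              lookup_macs: Callable[[str], Iterable[str]],
              reauthenticate: Callable[[str], None]) -> Snapshot:
    """One polling cycle: diff, then reauthenticate each affected MAC.
    The three callables are hypothetical hooks, not real API names."""
    current = fetch_member_of()
    for user in users_to_reauth(previous, current):
        for mac in lookup_macs(user):
            reauthenticate(mac)
    return current  # becomes `previous` for the next cycle
```

Only sessions whose user changed state are reauthenticated, which avoids the drawback of option 1 where every dot1x session is reauthenticated on each period.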