ExtremeCloud IQ- Site Engine & Extreme Management Center

Extreme Control Rule and AD

Ian Broadway posted 09-29-2020 14:52

Hi All,

 

I am trying to create Extreme Control rule sets for MAC and .1x authentication.

Is there not a way I can add a group condition to query an LDAP/AD domain group?

I can see there is an option for LDAP user groups.

 

Also, do Extreme offer some sort of downloadable config for updating DHCP fingerprints?

It's really tedious to have to go in and add lines of code to add custom fingerprints, not to mention having to hunt through a log file to get them in the first place.

 

One other thing, any ideas/thoughts on being able to add if/or conditions into the same rule?

Thanks

Ian

Ian Broadway

OK, just read the 8.5 release notes, a lot more functionality for DHCP fingerprinting.

Other concerns still stand though, if anyone has any thoughts please.

Miguel-Angel RODRIGUEZ-GARCIA

Ian,

 

  1. Yes, you can create a condition to trigger a rule based on an LDAP group
    1. https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Match-NAC-LDAP-Lookup-To-Active-Directory-Windows-Security-Group
    2. https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-authorise-Windows-domain-user-computer-using-802-1x-and-LDAP-lookups-to-ensure-the-user-AND-computer-is-in-the-domain-denying-access-to-users-with-valid-domain-credentials-on-BYOD-devices
    3. and other articles
  2. I don’t know about the DHCP fingerprint tool
  3. You can add if/or at different levels
    1. In the group definition
    2. In the policy mappings (a Location Group lookup will trigger the return values)

Regards

 

Mig

 

Stefan K.

Hi Ian,

of course there is! :)

This user group is used in a NAC rule to allow CLI access to network switches for the configured AD group (which is censored in the screenshot).

It can of course also be used in combination with MAC and Dot1x auth.

Edit: Dang, much too slow.

Ian Broadway

Are you able to use an attribute that isn't returned by the device used for testing the connection?

 

I picked my host for example of which I know what domain groups it belongs to.

 

Is it just a memberOf attribute you can use, or can you use something else?

 

I tried to reference a rule with a memberOf attribute and tested on a specific client, from which I took the value knowing that client is in that AD group, and then specifically tried to get that client to match, but it never did.

 

Miguel-Angel RODRIGUEZ-GARCIA

Ian,

You can use any attribute referring to the object in the AD.

Your failed test is probably a syntax issue.

Here is an example for the memberOf attribute

 

If you want to use another attribute, just change the name of the attribute

Mig

 

Ian Broadway

We have a group for Domain Computers; when I browse AD I can see my host is a member of 3 groups, one being Domain Computers.

 

I want to use this group to reference as a memberOf attribute in the LDAP host group and then use this as a condition in the rule.

 

When I test my host it only reports back the other two groups under the memberOf attribute.

 

I’ve asked my AD guys if they can think of why it doesn't report the Domain Computers back as a value, see below;

 

 

It doesn't report the Domain Computers value. They’re all security groups.

 

I’m told the account used in the LDAP config has read access to the Domain, perhaps this is not enough?

Miguel-Angel RODRIGUEZ-GARCIA

Miguel-Angel RODRIGUEZ-GARCIA

Ian Broadway

Thank you, I’ll ask the AD guys to check the account permissions for the account used for the LDAP config.

Zdenek Pala

Hi,

for some rule components you have “OR” and “AND” already:

 

regarding the DHCP fingerprinting, here is a new GitHub repository. Feel free to contribute :)

 

PeterK

I think Ian's problem is that Extreme Control does not support checking LDAP attributes of nested group memberships.

You can only check LDAP attributes where the account is directly assigned.

Zdenek Pala

If Nested Groups are used then you need to add each nested group to the list and use mode “Match Any”. I saw a customer automated this task through API calls.

PeterK

Of course, but this is only a dirty workaround and not a solution. I hope Extreme will support this in the future.

Ian Broadway

It's not a nested group actually, but if I'm honest anything that makes the integration better is a win for sure. It's a global security group that sits in an OU along with other security groups. It does not belong to other groups.

It's the group all domain-joined PCs/laptops become a member of when joined to the domain.

The other groups I referenced above are also part of the same OU, yet the host only reports the memberOf attributes of the other two groups, not the Domain Computers one.

Still waiting on the permissions check with the account used in the LDAP config.

 

Will let you know if this solves it.

Ian Broadway

Yep, looks like it could well be an account issue, as I'm getting this error on the appliance:

2020-10-01 15:58:41,919 ERROR [com.enterasys.tesNb.server.freeradius.files.SambaInstallationManager] (EnforceHandler - Off Thread Notify Listeners0:) Failed to join domain: "removed" for user: "removed" with error code: 255
        ADS join did not work, falling back to RPC...
        Failed to join domain: User specified does not have administrator privileges
        Failed to join domain: failed to find DC for domain “removed” - {Operation Failed} The requested operation was unsuccessful.
 

Ian Broadway

So is there a way you can make the conditions in a rule be OR conditions?

At the moment any conditions in the rule all have to be matched?

For example, I have a rule for medical devices. I would like it so that if fingerprinting determines it's a “medical device” it will hit this rule, or if it's part of a certain VLAN/subnet which I know for a fact is solely for medical devices.

 

Or do I have to have multiple rules to be able to capture this behaviour?

Miguel-Angel RODRIGUEZ-GARCIA

Ian,

 

A workaround could be to define a new device group including all the fingerprints you are looking for and match this group.

Mig

Ian Broadway

That's fine, but the issue is the manual process of adding fingerprints.

Some things on the medical subnet might not be classed as a medical device based on the default fingerprints, hence the reason to reference the multiple conditions in a rule.

 

Would be ideal if the invert option was alongside an OR and an AND statement.
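The question raised above, whether one rule can express "fingerprinting says medical OR the device sits on the medical subnet", can be checked against a small model of rule evaluation. The code below is an added example, not the thread's or Extreme Control's own code: it models a rule as an AND of conditions (each optionally inverted), a group as a "Match Any" (OR) list, and a rule set as a top-down first-match list, then runs a constructed infusion pump on a non-medical subnet and an unfingerprinted device on the medical subnet through one combined rule and through two single-condition rules that map to the same profile. The group names, the subnet-based location condition and the end-system records are assumptions made for the illustration.

```python
# Added example (not from the thread, not Extreme Control code): a model of
# ordered NAC rule evaluation. Inside one rule every condition must hold (AND);
# inside a group, "Match Any" gives OR over the group's entries. All names,
# subnets and end-system records below are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass
class EndSystem:
    mac: str
    ip: str
    device_type: str  # result of DHCP fingerprinting, "" if nothing matched


@dataclass
class Group:
    """A group of entries of one kind. match_any=True is the OR ("Match Any") mode."""
    name: str
    kind: str        # "device_type" or "subnet" (subnet is an assumed location-style condition)
    entries: list
    match_any: bool = True

    def matches(self, es):
        if self.kind == "device_type":
            hits = [es.device_type == e for e in self.entries]
        elif self.kind == "subnet":
            addr = ipaddress.ip_address(es.ip)
            hits = [addr in ipaddress.ip_network(e) for e in self.entries]
        else:
            raise ValueError(f"unknown group kind {self.kind!r}")
        return any(hits) if self.match_any else all(hits)


@dataclass
class Rule:
    """Conditions are AND-ed: every (group, invert) pair must hold."""
    name: str
    profile: str
    conditions: list  # [(Group, invert_bool), ...]

    def matches(self, es):
        # hit XOR invert: an inverted condition holds when the group does NOT match
        return all(g.matches(es) != invert for g, invert in self.conditions)


def first_match(rules, es):
    """Rules are evaluated top-down; the first matching rule decides the profile."""
    for rule in rules:
        if rule.matches(es):
            return rule.name, rule.profile
    return "Default", "Deny Access"


# Constructed groups and rule sets.
MEDICAL_TYPES = Group("Medical fingerprints", "device_type", ["Medical Device", "Infusion Pump"])
MEDICAL_SUBNET = Group("Medical subnet", "subnet", ["10.50.0.0/16"])

# One rule carrying both conditions: BOTH must hold.
ONE_RULE = [Rule("Medical (fingerprint AND subnet)", "Medical VLAN",
                 [(MEDICAL_TYPES, False), (MEDICAL_SUBNET, False)])]

# Two rules mapped to the same profile: EITHER condition is enough.
TWO_RULES = [
    Rule("Medical by fingerprint", "Medical VLAN", [(MEDICAL_TYPES, False)]),
    Rule("Medical by subnet", "Medical VLAN", [(MEDICAL_SUBNET, False)]),
]

# Constructed end-systems: a fingerprinted pump off the medical subnet, and an
# unfingerprinted device on it.
PUMP_ELSEWHERE = EndSystem("00:11:22:33:44:55", "10.20.1.7", "Infusion Pump")
UNKNOWN_ON_MEDICAL = EndSystem("00:11:22:33:44:66", "10.50.3.9", "")

if __name__ == "__main__":
    for es in (PUMP_ELSEWHERE, UNKNOWN_ON_MEDICAL):
        print(es.mac, "one rule:", first_match(ONE_RULE, es), "two rules:", first_match(TWO_RULES, es))
```

With the combined rule both constructed devices fall through to the default; with two rules each lands on the Medical VLAN profile, which is the "multiple rules" answer to the question above. The invert flag on a condition only negates that one condition; it does not turn the AND between conditions into an OR.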

Ian Broadway

OK, so back on topic: as a test, the account used to join the EAC appliances to the domain/used in the LDAP configuration was given full domain admin rights.

 

When testing it still couldn't see the host device return the memberOf attribute for the “Domain Computers” group. It worked for all other member groups, as mentioned in an earlier post.

 

Any ideas?
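The pattern Ian reports, a host whose memberOf lists two of its three groups but never Domain Computers, is what Active Directory returns for any object's primary group: the primary group (Domain Computers, RID 515, for computer objects by default) is recorded in the primaryGroupID attribute rather than in memberOf, so a comparison on memberOf values alone never sees it, whatever permissions the lookup account has. The snippet below is an added example and not the thread's or Extreme Control's code; it shows the difference on a constructed directory snapshot (all DNs and SIDs are placeholders). Whether a given NAC product consults primaryGroupID is not something this thread establishes; the objectCategory attribute suggested later in the thread is also present in the snapshot.

```python
# Added example (not from the thread, not Extreme Control code): why a computer's
# "Domain Computers" membership is missing from memberOf. AD stores the primary
# group in primaryGroupID (a RID relative to the domain SID), not in memberOf.
# The directory snapshot, DNs and SIDs below are constructed placeholders.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

PC_DN = "CN=PC01,OU=Workstations,DC=example,DC=local"
DOMAIN_COMPUTERS_DN = "CN=Domain Computers,CN=Users,DC=example,DC=local"
SWITCH_ADMINS_DN = "CN=NAC-Switch-Admins,OU=Groups,DC=example,DC=local"
POLICY_DN = "CN=Workstation-Policy,OU=Groups,DC=example,DC=local"

DIRECTORY = {
    PC_DN: {
        "objectSid": f"{DOMAIN_SID}-1105",
        "objectCategory": "CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=local",
        "servicePrincipalName": ["HOST/PC01", "HOST/pc01.example.local"],
        "memberOf": [SWITCH_ADMINS_DN, POLICY_DN],  # the primary group is never listed here
        "primaryGroupID": 515,                        # RID of Domain Computers
    },
    DOMAIN_COMPUTERS_DN: {"objectSid": f"{DOMAIN_SID}-515", "memberOf": []},
    SWITCH_ADMINS_DN: {"objectSid": f"{DOMAIN_SID}-1201", "memberOf": []},
    POLICY_DN: {"objectSid": f"{DOMAIN_SID}-1202", "memberOf": []},
}


def memberof_contains(directory, dn, group_dn):
    """What a plain memberOf comparison sees (DNs compare case-insensitively)."""
    values = directory[dn].get("memberOf", [])
    return any(v.lower() == group_dn.lower() for v in values)


def primary_group_dn(directory, dn):
    """Resolve primaryGroupID to a group DN: the object's domain SID plus the RID."""
    obj = directory[dn]
    rid = obj.get("primaryGroupID")
    if rid is None:
        return None
    domain_sid = obj["objectSid"].rsplit("-", 1)[0]
    wanted_sid = f"{domain_sid}-{rid}"
    for candidate_dn, attrs in directory.items():
        if attrs.get("objectSid") == wanted_sid:
            return candidate_dn
    return None


def effective_groups(directory, dn):
    """memberOf plus the primary group: the membership AD actually applies."""
    groups = set(directory[dn].get("memberOf", []))
    primary = primary_group_dn(directory, dn)
    if primary:
        groups.add(primary)
    return groups


def is_member(directory, dn, group_dn):
    """Group check that does not miss the primary group."""
    return any(g.lower() == group_dn.lower() for g in effective_groups(directory, dn))


if __name__ == "__main__":
    print("memberOf alone sees Domain Computers:", memberof_contains(DIRECTORY, PC_DN, DOMAIN_COMPUTERS_DN))
    print("memberOf + primaryGroupID:", is_member(DIRECTORY, PC_DN, DOMAIN_COMPUTERS_DN))
```

The practical consequence for a NAC group condition is that "member of Domain Computers" is the one membership a memberOf comparison cannot prove; a check on the object's class (objectCategory) or on the primary group is needed instead, which is the direction the thread takes later.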

Miguel-Angel RODRIGUEZ-GARCIA

Ian,

 

Do you test with the test button on the LDAP config screen?

Could you share your config with a screenshot?

Mig

Ian Broadway

Yep using the test function, what config do you want to see?

Miguel-Angel RODRIGUEZ-GARCIA

The LDAP config you use for the host

Ian Broadway

 

Miguel-Angel RODRIGUEZ-GARCIA

Ian

 

There is a way to configure the NAC for host authentication that doesn’t seem obvious but needs to be followed.

You must create an LDAP connection for user authentication and one for computer authentication.

For the computer authentication (almost a copy of the user one) you must use “servicePrincipalName” as the “user search attribute”, because the computer is in fact doing a “user authentication” with its own credentials.

You’ll have to adapt your AAA authentication rules to send computer authentications (host/*.ldap.domain) to the “computers LDAP”.

 

Check this for the config and let me know:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-authorise-Windows-domain-user-computer-using-802-1x-and-LDAP-lookups-to-ensure-the-user-AND-computer-is-in-the-domain-denying-access-to-users-with-valid-domain-credentials-on-BYOD-devices/

Mig

Stefan K.

Hi guys,

Just a short question on this topic. When using 802.1x computer authentication, the user column in ExtremeControl is populated with host\computername.domain.tld

Is there any way to additionally check for the user that is logged on the computer? I want to use the client certificate to authenticate and the user to authorise based on the users AD Groups.

BR
Stefan

PeterK

You need to configure this in the 802.1x supplicant in Windows. The default is afaik computer account. But you can also choose computer and/or computer account. When a user logs in, the identity switches from computer account to user account.

Stefan K.

Thanks, will test this out! :) 

StephanH

Hello Stefan,

Here you can see how to configure Windows for computer or/and user authentication with EAP. This is the basis for the mentioned KB article from Mig.

 

https://extremeportal.force.com/ExtrArticleDetail?an=000080814&q=nuc%20802.1x%20ldap%20user%20

 

Regards

Stephan

Miguel-Angel RODRIGUEZ-GARCIA

Stefan,

 

With a script from (https://github.com/extremenetworks/ExtremeScripting/blob/master/Netsight/oneview_workflows/combo/UserAndComputer/Clear_old_End-Systems_in_the_group-8.3.1.9v5.xwf?raw=true) you can mix both authentications to ensure that the user authentication is done on a computer from the domain:

"Add MAC to Domain Computers" is executed when the computer authenticates. The MAC address is added to End-System and the timestamp is created (updated). Consequent User authentication can be combined with the condition of the End-System group. "Clear old End-Systems in the group" checks if the timestamp is older than X hours and old End-Systems are deleted from the group.

 

Mig
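Mig's two posts above describe the moving parts of computer-then-user authentication: a Windows computer authenticates with a User-Name of the form host/<computer fqdn>, is looked up by servicePrincipalName rather than by the user attribute, its MAC is added to a Domain Computers end-system group with a timestamp, a later user authentication on that MAC is combined with the group condition, and stale entries are cleared after X hours. The following is an added example of that bookkeeping, not the thread's or Extreme's workflow code: the LDAP filters, the identity formats, the MAC addresses and the 12-hour window are constructed assumptions.

```python
# Added example (not from the thread, not Extreme's workflow): the bookkeeping
# behind "computer authenticates first, then the user". Identity formats, LDAP
# filters, MACs and the 12-hour expiry are constructed assumptions.
from datetime import datetime, timedelta

T0 = datetime(2020, 10, 1, 8, 0)  # constructed reference time


def hours_after(t, h):
    return t + timedelta(hours=h)


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def is_computer_identity(user_name):
    """802.1X computer authentication from Windows arrives as host/<computer fqdn>."""
    return user_name.lower().startswith("host/")


def ldap_filter(user_name):
    """Pick the search attribute: servicePrincipalName for computers,
    sAMAccountName for users (assumed filters, not the product's own)."""
    if is_computer_identity(user_name):
        return f"(servicePrincipalName={ldap_escape(user_name)})"
    name = user_name.split("\\", 1)[-1].split("@", 1)[0]  # strip DOMAIN\ prefix or @realm suffix
    return f"(sAMAccountName={ldap_escape(name)})"


class DomainComputersGroup:
    """End-system group keyed by MAC; each entry is stamped when the computer authenticated."""

    def __init__(self, max_age_hours=12):
        self.max_age = timedelta(hours=max_age_hours)
        self.entries = {}  # mac -> datetime of last computer authentication

    def add(self, mac, now):
        # "Add MAC to Domain Computers": create or refresh the timestamp
        self.entries[mac.lower()] = now

    def purge(self, now):
        """"Clear old End-Systems in the group": drop entries older than max_age."""
        stale = [m for m, t in self.entries.items() if now - t > self.max_age]
        for m in stale:
            del self.entries[m]
        return len(stale)

    def contains(self, mac, now):
        t = self.entries.get(mac.lower())
        return t is not None and now - t <= self.max_age


def evaluate(user_name, mac, group, now):
    """Return the name of the rule the request hits (rule names as listed later in the thread)."""
    if is_computer_identity(user_name):
        group.add(mac, now)
        return "Machine login"
    if group.contains(mac, now):
        return "Machine + User auth"   # user on a MAC that recently did computer auth
    return "Non domain machine"


if __name__ == "__main__":
    g = DomainComputersGroup()
    mac = "00:11:22:33:44:55"
    print(ldap_filter("host/pc01.example.local"))
    print(evaluate("host/pc01.example.local", mac, g, T0))
    print(evaluate("EXAMPLE\\alice", mac, g, hours_after(T0, 1)))
    print("purged:", g.purge(hours_after(T0, 13)))
    print(evaluate("EXAMPLE\\alice", mac, g, hours_after(T0, 13)))
```

The check in evaluate is what makes the username column showing host/... harmless: the computer identity is matched on its own rule, and the user rule gains the "came from a domain computer" evidence from the group rather than from the user's LDAP lookup.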

Zdenek Pala

Both mentioned workflows are available at the GitHub

Ian Broadway

OK, so it says to just use the object category to specify if it's a domain machine or not.

That works for me I think, I'll give it a go.

 

I have created the two ldap profiles as advised in the guide, will see how it goes.

SDR

Hello,

 

I tried to follow your discussion - I failed, however.

Maybe it's even not the problem I'm facing.

 

Customer just wants to authenticate its computers according to the fact, the computer being an AD-member.

We tried to create an end-system group (which will be verified in a rule), however we do not know, how to configure the end-system group to check the AD.

How is this to be configured? What string to be entered where?

Or is there NO chance to do it “easily”, just with scripting (as mentioned here)

 

Regarding scripting: I have NO clue what and where to do with such scripts… :-(

 

Thank you !   

PeterK

You only need to read and follow the links of the 2nd post in this thread.

SDR

Hi Peter,

 

thank you. 

We started with Host-authentication, which fails with 

Auth-Type 802.1x (PEAP)

Reason: Rejected NTLM authentication

 

Can you assist with this, too? NAC issue or Windows/NIC configuration issue (however, we followed all available guides) :-(

PeterK

Did you join the AD with the control engine / nac gateway?

Miguel-Angel RODRIGUEZ-GARCIA

Hi SDR,

Could you share some screenshots from the config evaluation tool?

Usually you can get a lot of answers from there.

Mig

 

SDR

 

I think so - we followed the guides + all test scenarios (search within AD) were successful.

However the Test with Client failed.

What we are wondering about, too, is the fact that Control shows the machine name “host/whatever.domain.de” NOT under “Hostname” but under “Username”.

SDR

Hi Miguel,

 

We are not onsite anymore + have no remote access. Will be onsite tomorrow morning again.

We made several tests, also with the Eval Tool.

I'm not 100% sure, but almost, that there is NO issue shown with this configuration using the Eval Tool.

I tend towards an existing client/Windows issue, but I have no idea why + where.

I will check eval-tool tomorrow again.

BR 

Miguel-Angel RODRIGUEZ-GARCIA

SDR,

 

That’s normal.

You do a “computer authentication”, but the computer is doing an authentication with its own “username”.

The username and password are from the AD computer account.

The rules you are going to build must take this into account. You must match a “username” for a computer.

Here is an example from a running system:

 

Mig

SDR

OK - so we don't have to worry about the “username” anymore.

Regarding the rule: that's how we configure it.

Rule authentication “802.1x” (not with “(PEAP)”; I assume that we use the superior level this way),

validating the existence of “user” in the end-systems group (configured and tested according to the documentation Peter advised me), using profile “assign my vlan”….

SDR

Hi all,

 

Unfortunately I can only make photos, no screenshots (not my client).

See below.

TESTING the “username = host/….” within the LDAP configurator test function and the Config Eval Tool is successful, however.

 

 

Miguel-Angel RODRIGUEZ-GARCIA

Hi SDR,

 

This seems to be the server certificate validation in the windows client.

In the 802.1X parameters on the Windows PC can you disable the server certificate validation?

The alternative is to add the root certificate corresponding to the radius certificate to the windows client.

Also ensure to perform only computer authentication, the default is user.computer authentication.

Regards

Mig

SDR

Hi Mig,

 

It WAS the server certificate validation in the Windows client.

Thanks for this hint.

So, now, the machine successfully authenticates with NAC.

According to the documents linked above, there should be an additional authentication, when an AD user logs in.

But this does not work. We configured everything from scratch this morning. After the machine has been authenticated successfully, no further authentication takes place when the user logs in to the client.

 

:-(

 

 

Miguel-Angel RODRIGUEZ-GARCIA

Hi SDR,

 

For this behavior you must configure the 802.1X authentication to work as “computer or user” authentication.

When nobody is logged on, the computer auth will be done.

When a user logs on the user auth will be triggered.

Mig

SDR

Hi Mig,

 

Your support is so valuable - thank you!

Although configured correctly yesterday, someone changed the setting.

Now User authentication starts - fails however!

 

We have configured the rules according to the documents.

  1. Machine login
  2. Machine + User auth
  3. Non domain machine

Machine boots, Rule 1) Machine login works successfully

User logs in, Rule 2) Machine + User auth fails 

 

Evaluation Tool results:

User logs in,

Rule 1) fails due to “USER….does not have LDAP attributes….in LDAP USER group xyz

AND

Rule 2) fails due to “HOST….does not have LDAP attributes….in LDAP HOST group xyz

Rule 3) Non-domain machine  is the one, that “succeeds”.

 

 

Miguel-Angel RODRIGUEZ-GARCIA

SDR,

I don’t know what rules are implemented.

Can you share a screen of them?

It would be good to open another thread as this one is supposed to be closed.

Mig

SDR

to be continued…. :-((