Deploying an Identity Aware Network
Extreme Networks Application Note
5.3. Integration with Universal Port Manager (UPM)
Universal Port is a flexible framework that enables automatic switch configuration in response to Event Management
System (EMS) event messages generated by the identity-manager process. Please refer to “Chapter 6: Universal Port” in the
document ExtremeXOS Concepts Guide for more details on the feature and how it can be leveraged to automate switch
configuration. In this section, we will discuss methods by which events generated by the “idMgr” process can be used as
triggers to run Universal Port Manager (UPM) profiles in specific scenarios.
5.3.1. Edge Switch Configuration
The Event Management System in ExtremeXOS has to be configured with a log filter that defines the event of interest and a
log target that names the UPM profile to run when the event occurs. The following configuration triggers a UPM profile for
Kerberos events. For the purpose of illustration, we have included only one event (RecvKerberosTrig) among the
many generated by the process.
* Slot-1 Stack.123 # show configuration "ems"
#
# Module ems configuration.
#
enable log debug-mode
create log filter kerberosevents
configure log filter DefaultFilter add events IdMgr severity debug-verbose
configure log filter kerberosevents add events IdMgr.RecvKerberosTrig
create log target upm unauth-hostnames
enable log target upm unauth-hostnames
configure log target upm unauth-hostnames filter kerberosevents severity debug-verbose
configure log target upm unauth-hostnames match Any
In the configuration shown above, the filter "kerberosevents" selects the IdMgr.RecvKerberosTrig event, and the log target
of type upm binds that filter to the UPM profile "unauth-hostnames", so the profile runs each time the event is logged. Note that
"enable log debug-mode" is required: the IdMgr events are logged at debug severities and are discarded before they reach any
filter unless debug mode is enabled. The goal of the UPM profile "unauth-hostnames" is to identify unauthorized computers and
laptops when they are plugged into the PRIMECORP enterprise network and to either block or isolate them.
5.3.2. UPM Script: Block Traffic from Unauthorized Devices
In this section, we will use a sample script to:
A. Identify unauthorized devices using the NetBIOS hostname: Prime Corporation uses a naming scheme to identify the
hosts managed in the network (e.g. PRIMECORP-workstation-1, PRIMECORP-laptop-1, and so on). Any computer
whose hostname does not begin with the string "PRIMECORP" is identified as an unauthorized host. Note that the NetBIOS
hostname is reported by the endpoint itself and can be set to any value, so this check distinguishes unmanaged from managed
devices; it is not an authentication control, and a device that knows the naming convention can evade it.
B. Block all traffic originating from the unauthorized devices: the MAC address learned from the event is used as the
source-address match of an access-control list that denies all traffic from the device on the port where it was seen.
5.3.2.1. Profile Definition
The EMS event IdMgr.RecvKerberosTrig provides the following information in the form of variables which we will use in
the UPM script. Note that the table below lists only the variables that have been used in the script, while in reality many
other parameters are available for use.
Table 6: Event variables used by the script

Variable             Description
EVENT.LOG_EVENT      Identifies the event name (in this case "RecvKerberosTrig")
EVENT.LOG_PARAM_3    MAC address of the device
EVENT.LOG_PARAM_4    Port on which the device was discovered
EVENT.LOG_PARAM_6    NetBIOS hostname of the device
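The following is an added example, not the application note's own script: it models, in Python, the decision logic that the "unauth-hostnames" profile implements in ExtremeXOS CLI scripting. It takes the three RecvKerberosTrig parameters from Table 6, applies the PRIMECORP hostname rule from section 5.3.2 A, and emits the ExtremeXOS dynamic-ACL commands that would block the device's MAC on the port it appeared on (section 5.3.2 B). The sample events, the per-device ACL naming scheme and the exact CLI strings are assumptions; on a real switch the same logic lives inside the profile created with "create upm profile unauth-hostnames".

```python
"""Decision logic of the 'unauth-hostnames' UPM profile, modelled in Python.

Added example, not code from the application note. Inputs are the
IdMgr.RecvKerberosTrig parameters listed in Table 6:
  EVENT.LOG_PARAM_3 = MAC, EVENT.LOG_PARAM_4 = port, EVENT.LOG_PARAM_6 = NetBIOS name.
Output is the list of switch commands the profile would run. The ACL name
scheme and the dynamic-ACL CLI strings are assumptions.
"""
import re

MANAGED_PREFIX = "PRIMECORP"          # naming convention from section 5.3.2 A
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample events: the variable names are the ones UPM exposes
# (Table 6); the MAC addresses, ports and hostnames are made up.
SAMPLE_EVENTS = [
    {"EVENT.LOG_EVENT": "RecvKerberosTrig", "EVENT.LOG_PARAM_3": "00:04:96:1a:2b:3c",
     "EVENT.LOG_PARAM_4": "1:3", "EVENT.LOG_PARAM_6": "PRIMECORP-laptop-1"},
    {"EVENT.LOG_EVENT": "RecvKerberosTrig", "EVENT.LOG_PARAM_3": "00:04:96:1a:2b:3d",
     "EVENT.LOG_PARAM_4": "1:4", "EVENT.LOG_PARAM_6": "primecorp-workstation-7"},
    {"EVENT.LOG_EVENT": "RecvKerberosTrig", "EVENT.LOG_PARAM_3": "08:00:27:11:22:33",
     "EVENT.LOG_PARAM_4": "1:5", "EVENT.LOG_PARAM_6": "BOBS-LAPTOP"},
    {"EVENT.LOG_EVENT": "RecvKerberosTrig", "EVENT.LOG_PARAM_3": "08:00:27:44:55:66",
     "EVENT.LOG_PARAM_4": "1:6", "EVENT.LOG_PARAM_6": ""},   # no NetBIOS name learned
    {"EVENT.LOG_EVENT": "SomeOtherEvent", "EVENT.LOG_PARAM_3": "08:00:27:77:88:99",
     "EVENT.LOG_PARAM_4": "1:7", "EVENT.LOG_PARAM_6": "GUEST-PC"},
]


def is_authorized(hostname: str) -> bool:
    """Section 5.3.2 A: a managed host's NetBIOS name begins with PRIMECORP.

    NetBIOS names are case-insensitive, so the comparison is made in upper
    case. A missing name fails closed (treated as unauthorized). The rule as
    stated on the page is a plain prefix test, so "PRIMECORPORATE-PC" would
    also pass; require "PRIMECORP-" if that matters. The value is
    self-reported by the endpoint, so this is not an authentication check.
    """
    return hostname.upper().startswith(MANAGED_PREFIX)


def acl_name(mac: str) -> str:
    """Per-device dynamic ACL name (assumed scheme): unauth_<mac without colons>."""
    return "unauth_" + mac.replace(":", "")


def block_commands(mac: str, port: str) -> list[str]:
    """ExtremeXOS commands (assumed syntax) that deny all traffic whose source
    MAC is `mac` on `port`, using a dynamic ACL (section 5.3.2 B)."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        # Never splice an unvalidated event parameter into a CLI string.
        raise ValueError(f"refusing to build an ACL from malformed MAC {mac!r}")
    name = acl_name(mac)
    return [
        f'create access-list {name} "ethernet-source-address {mac};" "deny;"',
        f"configure access-list add {name} first ports {port}",
    ]


def handle_event(event: dict) -> list[str]:
    """Return the CLI lines the profile would run for one EMS event
    (empty list when nothing needs to be done)."""
    if event.get("EVENT.LOG_EVENT") != "RecvKerberosTrig":
        return []                       # the log filter should only pass this event
    if is_authorized(event.get("EVENT.LOG_PARAM_6", "")):
        return []
    return block_commands(event["EVENT.LOG_PARAM_3"], event["EVENT.LOG_PARAM_4"])


def run(events: list[dict]) -> dict[str, list[str]]:
    """Map each blocked MAC to the commands that were generated for it."""
    blocked = {}
    for ev in events:
        cmds = handle_event(ev)
        if cmds:
            blocked[ev["EVENT.LOG_PARAM_3"].lower()] = cmds
    return blocked


if __name__ == "__main__":
    for mac, cmds in run(SAMPLE_EVENTS).items():
        print(f"# blocking {mac}")
        print("\n".join(cmds))
```

Two edge cases the page's prose does not spell out are handled here: an event with no NetBIOS name is treated as unauthorized rather than silently allowed, and the MAC is validated before it is placed into a CLI string, since everything in the event parameters ultimately came from the endpoint.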
© 2010 Extreme Networks, Inc. All rights reserved. Identity Aware Network—Page 62