Deploying an Identity Aware Network

Recommendations

Info

Extreme Networks Application Note5.3. Integration with Universal Port Manager (UPM)Universal Port is a flexible framework that enables automatic switch configuration in response to Event ManagementSystem (EMS) event messages generated by the identity-manager process. Please refer to “Chapter 6: Universal Port” in thedocument ExtremeXOS Concepts Guide for more details on the feature and how it can be leveraged to automate switchconfiguration. In this section, we will discuss methods by which events generated by the “idMgr” process can be used astriggers to run Universal Port Manager (UPM) profiles in specific scenarios.5.3.1. Edge Switch ConfigurationThe Event Management System in ExtremeXOS will have to be configured to create a filter that defines the event and aprofile that runs when the event occurs. The following configuration achieves the goals required to trigger a UPM profile forKerberos events. Note that for the purpose of illustration, we have only include one event (RecvKerberosTrig) amongstmany generated by the process.* Slot-1 Stack.123 # show configuration “ems”## Module ems configuration.#enable log debug-modecreate log filter kerberoseventsconfigure log filter DefaultFilter add events IdMgr severity debug-verboseconfigure log filter kerberosevents add events IdMgr.RecvKerberosTrigcreate log target upm unauth-hostnamesenable log target upm unauth-hostnamesconfigure log target upm unauth-hostnames filter kerberosevents severity Debug-Verboseconfigure log target upm unauth-hostnames match AnyIn the configuration show above, we have added a filter called “kerberosevents” to identity events that can be used totrigger the UPM profile “unauth-hostnames”. The goal of the UPM profile “unauth-hostnames” is to identify means by whichunauthorized computers and laptops when plugged into the PRIMECORP enterprise network are identified, and are eitherblocked or isolated.5.3.2. UPM Script: Block Traffic from Unauthorized DevicesIn this section, we will use a sample script to:A. Identify unauthorized devices using the NetBIOS hostname: Prime Corporation uses a naming scheme to identify thehosts managed in the network (For e.g. PRIMECORP-workstaion-1, PRIMECORP-laptop-1, and so on.). Any computerthat does not use the string “PRIMECORP” in the beginning of the hostname is identified an unauthorized host.B. Block all traffic originating from the unauthorized devices: The MAC address of the device is used in an access-controllist to match (source address match) and subsequently deny any traffic.5.3.2.1. Profile DefinitionThe EMS event IdMgr.RecvKerberosTrig provides the following information in the form of variables which we will use inthe UPM script. Note that the table below lists only the variables that have been used in the script, while in reality manyother parameters are available for use.Table 6:EVENT.LOG_EVENTEVENT.LOG_PARAM_3EVENT.LOG_PARAM_4EVENT.LOG_PARAM_6Identifies the event name (in this case “RecvKerberosTrig”)MAC address of the devicePort on which the device was discoveredNetBIOS Hostname of the device© 2010 Extreme Networks, Inc. All rights reserved. Identity Aware Network—Page 62
Extreme Networks Application NoteBelow is the sample script used to block all traffic originating from the device.* Slot-1 Stack.290 # show configuration “upm”## Module upm configuration.#create upm profile unauth-hostnamesenable cli scriptingconfigure cli mode non-persistentif (!$match($EVENT.LOG _ EVENT,RecvKerberosTrig)) thenif ($match($EVENT.LOG _ PARAM _ 6,PRIMECORP) <= 9) thencreate access-list block _ computer _ $EVENT.LOG _ PARAM _ 6 “ethernet-source-address$EVENT.LOG _ PARAM _ 3 “ “deny ;count unauthorized _ devices”configure access-list add block _ computer _ $EVENT.LOG _ PARAM _ 6 first ports $EVENT.LOG _ PARAM _ 4endifendif.5.3.2.2. Verifying Profile Triggers and Results of the ScriptWhen the device is discovered via Kerberos snooping, the following information will be available in the EMS logs.* Slot-1 Stack.284 # show log chronological04/07/2010 00:45:23.97 <Verb:IdMgr.RecvKerberosTrig> Slot-1: Kerberos Discover trigger forjohn _ smith@PRIMECORP/00:11:43:BF:6A:D0/1:2/1000014, IP 4.4.4.175, NB host “JS-PERSONAL”04/07/2010 00:45:23.97 <Info:IdMgr.ReauthId> Slot-1: Identity “PRIMECORP\john _ smith” with MAC00:11:43:BF:6A:D0, auth method netloginMac, reauthenticated on port 1:204/07/2010 00:45:23.98 <Noti:UPM.Msg.upmMsgExshLaunch> Slot-1: Launched profile unauth-hostnamesfor the event log-messageNOTESFrom the events, that, the IdMgr.RecvKerberosTrig event contains the MAC address (00:11:43:BF:6A:D0) of the device, Port (1:2) onwhich it was discovered, and the NetBIOS hostname (JS-PERSONAL) which was snooped from the Kerberos packets. Further, it isimportant to note that the UPM profile “unauth-hostnames” was executed/launched for the even log-message.The following commands provide the status of execution of the UPM scripts:* Slot-1 Stack.285 # show upm history--------------------------------------------------------------------------------Exec Event/ Profile Port Status Time LaunchedId Timer/ Log filter--------------------------------------------------------------------------------16 Log-Message(kerberos unauth-hostname --- Pass 2010-04-07 00:45:23--------------------------------------------------------------------------------Number of UPM Events in Queue for execution: 0* Slot-1 Stack.286 # show upm history detailUPM Profile: unauth-hostnamesEvent: Log-Message(kerberosevents)Profile Execution start time: 2010-04-07 00:45:23Profile Execution Finish time: 2010-04-07 00:45:24Execution Identifier: 16 Execution Status: Pass© 2010 Extreme Networks, Inc. All rights reserved. Identity Aware Network—Page 63
Page 1 and 2:
Extreme Networks Application NoteDe
Page 3 and 4:
Extreme Networks Application NoteTa
Page 5 and 6:
Extreme Networks Application Note3.
Page 7 and 8:
Page 9 and 10:
Page 11 and 12: Extreme Networks Application Noteco
Page 13 and 14: Extreme Networks Application NoteSt
Page 21 and 22: Extreme Networks Application Note4.
Page 31 and 32: Extreme Networks Application NoteTh
Page 35 and 36: Extreme Networks Application Note©
Page 39 and 40: Extreme Networks Application NoteDe
Page 59 and 60: Extreme Networks Application Note<r
Page 61: Extreme Networks Application Note<c
Page 65 and 66: Extreme Networks Application Note*
Page 67 and 68: Extreme Networks Application NoteTo
show all

Deploying an Identity Aware Network

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?