Deploying an Identity Aware Network
Extreme Networks Application Note
Execution Information:
2 # enable cli scripting
3 # configure cli mode non-persistent
4 # set var EVENT.NAME LOG_MESSAGE
5 # set var EVENT.LOG_FILTER_NAME "kerberosevents"
6 # set var EVENT.LOG_DATE "04/07/2010"
7 # set var EVENT.LOG_TIME "00:45:23.97"
8 # set var EVENT.LOG_COMPONENT_SUBCOMPONENT "IdMgr"
9 # set var EVENT.LOG_EVENT "RecvKerberosTrig"
10 # set var EVENT.LOG_SEVERITY "Debug-Verbose"
11 # set var EVENT.LOG_MESSAGE "Kerberos %0% trigger for %1%@%2%/%3%/%4%/%5%, IP %7%, NB host '%6%'"
12 # set var EVENT.LOG_PARAM_0 "Discover"
13 # set var EVENT.LOG_PARAM_1 "john_smith"
14 # set var EVENT.LOG_PARAM_2 "PRIMECORP"
15 # set var EVENT.LOG_PARAM_3 "00:11:43:BF:6A:D0"
16 # set var EVENT.LOG_PARAM_4 "1:2"
17 # set var EVENT.LOG_PARAM_5 "1000014"
18 # set var EVENT.LOG_PARAM_6 "JS-PERSONAL"
19 # set var EVENT.LOG_PARAM_7 "4.4.4.175"
20 # set var EVENT.PROFILE unauth-hostnames
21 # enable cli scripting
22 # configure cli mode non-persistent
23 # if (!$match($EVENT.LOG_EVENT,RecvKerberosTrig)) then
24 # if ($match($EVENT.LOG_PARAM_6,PRIMECORP) <= 9) then
25 # create access-list block_computer_$EVENT.LOG_PARAM_6 "ethernet-source-address $EVENT.LOG_PARAM_3 " "deny ;count unauthorized_devices"
26 # configure access-list add block_computer_$EVENT.LOG_PARAM_6 first ports $EVENT.LOG_PARAM_4
done!
27 # endif
28 # endif
--------------------------------------------------------------------------------
Number of UPM Events in Queue for execution: 0
* Slot-1 Stack.287 # show access-list dynamic
Dynamic Rules: ((*)- Rule is non-permanent )
(*)block_computer_JS-PERSONAL        Bound to 1 interfaces for application Cli
(*)hclag_arp_2_4_96_27_7b_d6         Bound to 0 interfaces for application HealthCheck-LAG
(*)idmgmt_ks_tcp_dst                 Bound to 1 interfaces for application IdentityManager
(*)idmgmt_ks_tcp_src                 Bound to 1 interfaces for application IdentityManager
(*)idmgmt_ks_udp_dst                 Bound to 1 interfaces for application IdentityManager
(*)idmgmt_ks_udp_src                 Bound to 1 interfaces for application IdentityManager
* Slot-1 Stack.288 # show access-list dynamic rule "block_computer_JS-PERSONAL"
entry block_computer_JS-PERSONAL {
    if match all {
        ethernet-source-address 00:11:43:BF:6A:D0 ;
    } then {
        deny ;
        count unauthorized_devices ;
    }
}
© 2010 Extreme Networks, Inc. All rights reserved. Identity Aware Network—Page 64