Deploying an Identity Aware Network

Recommendations

Info

Extreme Networks Application NoteExecution Information:2 # enable cli scripting3 # configure cli mode non-persistent4 # set var EVENT.NAME LOG _ MESSAGE5 # set var EVENT.LOG _ FILTER _ NAME “kerberosevents”6 # set var EVENT.LOG _ DATE “04/07/2010”7 # set var EVENT.LOG _ TIME “00:45:23.97”8 # set var EVENT.LOG _ COMPONENT _ SUBCOMPONENT “IdMgr”9 # set var EVENT.LOG _ EVENT “RecvKerberosTrig”10 # set var EVENT.LOG _ SEVERITY “Debug-Verbose”11 # set var EVENT.LOG _ MESSAGE “Kerberos %0% trigger for %1%@%2%/%3%/%4%/%5%,IP %7%, NB host ‘%6%’”12 # set var EVENT.LOG _ PARAM _ 0 “Discover”13 # set var EVENT.LOG _ PARAM _ 1 “john _ smith”14 # set var EVENT.LOG _ PARAM _ 2 “PRIMECORP”15 # set var EVENT.LOG _ PARAM _ 3 “00:11:43:BF:6A:D0”16 # set var EVENT.LOG _ PARAM _ 4 “1:2”17 # set var EVENT.LOG _ PARAM _ 5 “1000014”18 # set var EVENT.LOG _ PARAM _ 6 “JS-PERSONAL”19 # set var EVENT.LOG _ PARAM _ 7 “4.4.4.175”20 # set var EVENT.PROFILE unauth-hostnames21 # enable cli scripting22 # configure cli mode non-persistent23 # if (!$match($EVENT.LOG _ EVENT,RecvKerberosTrig)) then24 # if ($match($EVENT.LOG _ PARAM _ 6,PRIMECORP) <= 9) then25 # create access-list block _ computer _ $EVENT.LOG _ PARAM _ 6 “ethernet-source-address$EVENT.LOG _ PARAM _ 3 “ “deny ;count unauthorized _ devices”26 # configure access-list add block _ computer _ $EVENT.LOG _ PARAM _ 6 first ports$EVENT.LOG _ PARAM _ 4done!27 # endif28 # endif--------------------------------------------------------------------------------Number of UPM Events in Queue for execution: 0* Slot-1 Stack.287 # show access-list dynamicDynamic Rules: ((*)- Rule is non-permanent )(*)block _ computer _ JS-PERSONAL(*)hclag _ arp _ 2 _ 4 _ 96 _ 27 _ 7b _ d6LAG(*)idmgmt _ ks _ tcp _ dst(*)idmgmt _ ks _ tcp _ src(*)idmgmt _ ks _ udp _ dst(*)idmgmt _ ks _ udp _ srcBound to 1 interfaces for application CliBound to 0 interfaces for application HealthCheck-Bound to 1 interfaces for application IdentityManagerBound to 1 interfaces for application IdentityManagerBound to 1 interfaces for application IdentityManagerBound to 1 interfaces for application IdentityManager* Slot-1 Stack.288 # show access-list dynamic rule “block _ computer _ JS-PERSONAL”entry block _ computer _ JS-PERSONAL {if match all {ethernet-source-address 00:11:43:BF:6A:D0 ;} then {deny ;count unauthorized _ devices ;} }© 2010 Extreme Networks, Inc. All rights reserved. Identity Aware Network—Page 64
Extreme Networks Application Note* Slot-1 Stack.289 # show access-list dynamic counterVlan Name Port DirectionCounter Name Packet Count Byte Count==================================================================* 1:2 ingressunauthorized _ devices 95.3.3. UPM Script: Isolate Unauthorized DevicesIn this section, we will use a sample script to:A. Identify unauthorized devices using the NetBIOS hostname.B. Isolate/Move the port (on which the device was discovered) to a custom VLAN called “unauthvlan”.5.3.3.1. Profile DefinitionThe sample script used to move the port to a custom VLAN is given below:* Slot-1 Stack.121 # show configuration “upm”## Module upm configuration.#create upm profile unauth-hostnamesset var DISCOVERED _ VLAN corpset var UNAUTH _ VLAN unauthvlanenable cli scriptingconfigure cli mode non-persistentif (!$match($EVENT.LOG _ EVENT,RecvKerberosTrig)) thenif ($match($EVENT.LOG _ PARAM _ 6,PRIMECORP) <= 9) thenconfigure vlan $DISCOVERED _ VLAN delete ports $EVENT.LOG _ PARAM _ 4configure vlan $UNAUTH _ VLAN add ports $EVENT.LOG _ PARAM _ 4endifendif.5.3.3.2. Verifying Profile Triggers and Results of the ScriptThe following commands can be used to verify the UPM script execution, and the results:* Slot-1 Stack.117 # show upm history--------------------------------------------------------------------------------Exec Event/ Profile Port Status Time LaunchedId Timer/ Log filter--------------------------------------------------------------------------------3 Log-Message(kerberos unauth-hostname --- Pass 2010-04-07 01:39:23--------------------------------------------------------------------------------Number of UPM Events in Queue for execution: 0* Slot-1 Stack.118 # show upm history detailUPM Profile: unauth-hostnamesEvent: Log-Message(kerberosevents)Profile Execution start time: 2010-04-07 01:39:23Profile Execution Finish time: 2010-04-07 01:39:23Execution Identifier: 3 Execution Status: Pass© 2010 Extreme Networks, Inc. All rights reserved. Identity Aware Network—Page 65
Page 1 and 2:
Extreme Networks Application NoteDe
Page 3 and 4:
Extreme Networks Application NoteTa
Page 5 and 6:
Extreme Networks Application Note3.
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Extreme Networks Application Noteco
Page 13 and 14: Extreme Networks Application NoteSt
Page 21 and 22: Extreme Networks Application Note4.
Page 31 and 32: Extreme Networks Application NoteTh
Page 35 and 36: Extreme Networks Application Note©
Page 39 and 40: Extreme Networks Application NoteDe
Page 59 and 60: Extreme Networks Application Note<r
Page 61 and 62: Extreme Networks Application Note<c
Page 63: Extreme Networks Application NoteBe
Page 67 and 68: Extreme Networks Application NoteTo
show all

Deploying an Identity Aware Network

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?