Identity Management Overview

The identity management feature allows you to learn more about the users and devices (such as phones and routers) that connect to a switch. In this chapter, users and devices are collectively called identities. The Identity Management feature:

Captures identity information when users and devices connect to and disconnect from the switch.
Stores captured identity information and identity event data in a local database.
Generates EMS messages for user and device events.
Makes collected identity information available for viewing by admin-level users and to management applications through XML APIs.
Uses locally collected identity information to query an LDAP server and collect additional information about connected identities.
Supports custom configurations called roles, which are selected based on identity information collected locally and from an LDAP server.
Uses roles to enable traffic filtering, counting, and metering on ports (using ACLs and policies) in response to identity events (connections, disconnections, and time-outs).
Supports the configuration of blacklist to deny all access to an identity and whitelists to permit all access to an identity.
Supports the configuration of greylist to enable the network administrator to choose usernames whose identity is not required to be maintained. When these usernames are added to greylist, the Identity Management module does not create an identity when these users log on.
Integrates with UPM to modify the switch configuration in response to discovered identities.
Services users under different domains by allowing different domains to be configured and then associating different LDAP servers for those different domains.

Note

IDM and ONEPolicy are not supported together and it is not recommended to enable both, since handling rule/role-based actions is not supported, except to support Kerberos Authentication with NAC as a RADIUS server and can be used in conjunction with IDM XML event triggers.

Note

When using IDM commands, you should generally avoid the encrypted option. Passwords provided in commands in plain text are saved in encrypted format.