configure identity-management whitelist

configure identity-management whitelist add [mac mac_address {macmask} | ip ip_address {netmask} | ipNetmask] | user user_name]configure identity-management whitelist delete [all | mac mac_address {macmask} | ip ip_address {netmask} | ipNetmask] | user user_name]

Description

Adds or deletes an identity in the identity manager whitelist.

Syntax Description

add

Adds the specified identity to the whitelist.

delete

Deletes the specified identity from the whitelist.

all

Specifies that all identities are to be deleted from the whitelist. This option is available only when the delete attribute is specified.

mac_address

Specifies an identity by MAC address.

macmask

Specifies a MAC address mask. For example: FF:FF:FF:00:00:00.

ip_address

Specifies an identity by IP address.

netmask

Specifies a mask for the specified IP address.

ipNetmask

Specifies an IP network mask.

user_name

Specifies an identity by user name.

Default

N/A.

Usage Guidelines

The software supports up to 512 entries in the whitelist. When you add an identity to the whitelist, the switch searches the blacklist for the same identity. If the identity is already in the blacklist, the switch displays an error.

It is possible to configure an identity in both lists by specifying different attributes in each list. For example, you can add an identity username to the whitelist and add the MAC address for that user‘s laptop in the blacklist. Because the blacklist has priority over the whitelist, identity access is denied from the user‘s laptop, but the user can access the switch from other locations.

If you add a new whitelist entry that is qualified by a MAC or IP address, the identity manager does the following:
  • Reviews the identities already known to the switch. If the new whitelist entry is blacklisted (by specifying a different identity attribute), no action is taken.

  • If the identity is not blacklisted and is known on the switch, all existing ACLs for the identity are removed.

  • When a whitelisted MAC-based identity is detected or already known, an Allow All ACL is programmed for the identity MAC address for the port on which the identity is detected.

  • When a whitelisted IP-based identity is detected or already known, an Allow All ACL is programmed for the identity IP address for the port on which the identity is detected.

If you add a new whitelist entry that is qualified by a username (with or without a domain name), the identity manager does the following:
  • Reviews the identities already known to the switch. If the new whitelist entry is an identity known on the switch, an Allow All ACL is programmed for the identity MAC address on all ports to which the identity is connected.

  • When a new whitelisted username-based identity accesses the switch, an Allow All ACL is programmed for the identity MAC address on the port on which the identity is detected.

  • The ACL for a whitelisted username follows any ACLs based on Kerberos snooping.

Allow All ACLs for whitelisted entries exist as long as the identity remains in the identity manager database.

If you delete an identity from the whitelist, identity manager checks to see if the identity is in the local database. If the identity is known to the switch, the switch does the following:
  • Removes the Allow All ACL from the port to which the identity connected.

  • Initiates the role determination procedure for the switch port to which the known identity connected. This ensures that the appropriate role is applied to the identity that is no longer whitelisted.
    Note

    Note

    The role determination process can trigger an LDAP refresh to collect identity attributes for role determination.

Example

The following command adds an IP address to the whitelist:

* Switch.4 # configure identity-management whitelist add ip 10.0.0.1

The following command deletes a user name from the whitelist:

* Switch.5 # configure identity-management whitelist delete user john

History

This command was first available in ExtremeXOS 12.7.

Platform Availability

This command is available on all Universal switches supported in this document.