configure identity-management blacklist

configure identity-management blacklist add [mac mac_address {macmask} | ip ip_address {netmask} | ipNetmask] | user user_name] configure identity-management blacklist delete [all | mac mac_address {macmask} | ip ip_address {netmask} | ipNetmask] | user user_name]

Description

Adds or deletes an entry in the identity manager blacklist.

Syntax Description

add

Adds the specified identity to the blacklist.

delete

Deletes the specified identity from the blacklist.

all

Specifies that all identities are to be deleted from the blacklist. This option is available only when the delete attribute is specified.

mac_address

Specifies an identity by MAC address.

macmask

Specifies a MAC address mask. For example: FF:FF:FF:00:00:00.

ip_address

Specifies an identity by IP address.

netmask

Specifies a mask for the specified IP address.

ipNetmask

Specifies an IP network mask.

user_name

specifies an identity by user name.

Default

N/A.

Usage Guidelines

The software supports up to 512 entries in the blacklist. When you add an identity to the blacklist, the switch searches the whitelist for the same identity. If the identity is already in the whitelist, the switch displays an error.

It is possible to configure an identity in both lists by specifying different attributes in each list. For example, you can add an identity username to the blacklist and add the MAC address for that user‘s laptop in the whitelist. Because the blacklist has priority over the whitelist, the username is denied access to the switch from all locations.

If you add a new blacklist entry that is qualified by a MAC or IP address, the identity manager does the following:
  • Reviews the identities already known to the switch. If the new blacklist entry is an identity known on the switch, all existing ACLs (based on user roles or whitelist configuration) for the identity are removed.

  • When a blacklisted MAC-based identity is detected or already known, a Deny All ACL is programmed for the identity MAC address for the port on which the identity is detected.

  • When a blacklisted IP-based identity is detected or already known, a Deny All ACL is programmed for the identity IP address for the port on which the identity is detected.

  • The ACL for blacklisted MAC and IP addresses precedes any ACLs based on user names (including Kerberos snooping) that may have been previously configured on the port. This ensures that a Kerberos exchange cannot complete when initiated for blacklisted identities.

If you add a new blacklist entry that is qualified by a username (with or without a domain name), the identity manager does the following:
  • Reviews the identities already known to the switch. If the new blacklist entry is an identity known on the switch, a Deny All ACL is programmed for the identity MAC address on all ports to which the identity is connected.

  • When a new blacklisted username-based identity accesses the switch, a Deny All ACL is programmed for the identity MAC address on the port on which the identity was detected.

  • The ACL for a blacklisted username follows any ACLs based on Kerberos snooping. This ensures that a Kerberos exchange for another user can complete when initiated from the same MAC address.
    Note

    Note

    Identity manager programs ingress ACLs. Blacklisted devices can receive traffic from the network, but they cannot send traffic into the network.

Deny All ACLs for blacklisted entries exist as long as the identity remains in the identity manager database.

If you delete an identity from the blacklist, identity manager checks to see if the identity is in the local database. If the identity is known to the switch, the switch does the following:
  • Removes the Deny All ACL from the port to which the identity connected.

  • Initiates the role determination procedure for the switch port to which the known identity connected. This ensures that the appropriate role is applied to the identity that is no longer blacklisted.
    Note

    Note

    The role determination process can trigger an LDAP refresh to collect identity attributes for role determination.

Example

The following command adds a MAC address to the blacklist:

* Switch.4 # configure identity-management blacklist add mac 00:01:05:00:03:18

The following command deletes a user name from the blacklist:

* Switch.5 # configure identity-management blacklist delete user bill_jacob@b.com

History

This command was first available in ExtremeXOS 12.7.

Platform Availability

This command is available on all Universal switches supported in this document.