This command allows you to configure the precedence of list types. You must specify the list-names in the desired order of precedence. Listname1 will take precedence of all lists (i.e., highest precedence). Listname2 will take precedence over Listname3. When the user/device logs in, entries present in Listname1 will be searched at first to find matching role. Entries present in Listname2 will be searched after Listname1 and entries in Listname3 will be searched at last.
listname1 | Specifies the list type which has precedence over all list types. |
listname2 | Specifies the list type which has next precedence, after listname1. |
listname3 | Specifies the list type which has least precedence of all. |
greylist, blacklist, whitelist
By default, greylist entries have higher precedence over blacklist and whitelist entries.
This means that IDM consults with greylist first upon detection of user, and then decides if identity needs to be created. If there is a greylist entry matching the incoming username, user identity is not created. If there is no matching greylist entry, IDM proceeds with role identification for the user. However, greylist precedence is configurable. Following are three possibilities for greylist precedence configuration.
1. greylist, blacklist, whitelist
2. blacklist, greylist, whitelist
3. blacklist, whitelist, greylist
It is important to notice that blackist always has higher precedence over whitelist for EXOS 15.1.2. In order to change the list precedence, Identity Management should be disabled first. Disabling IDM is required since there may be many users/devices already mapped to some roles and policies/ACLs applied. Considering the processing load of unmapping the roles and removing policies, changing precedence isn't allowed when IDM is enabled. When precedence configuration is changed, each entry present in the list with lower precedence (new precedence) is checked with each entry present in all the lists with higher precedence.
The following example instructs that blacklist has precedence over all lists. Greylist has precedence over whitelist. Whitelist has least precedence.
configure identity-management list-precedence blacklist greylist whitelist
This command was first available in ExtremeXOS 15.1.
This command is available on the Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X440-G2, X620, X690, X870 series switches.