Adds or deletes an identity in the identity manager whitelist.
add |
Adds the specified identity to the whitelist. |
delete |
Deletes the specified identity from the whitelist. |
all |
Specifies that all identities are to be deleted from the whitelist. This option is available only when the delete attribute is specified. |
mac_address |
Specifies an identity by MAC address. |
macmask |
Specifies a MAC address mask. For example: FF:FF:FF:00:00:00. |
ip_address |
Specifies an identity by IP address. |
netmask |
Specifies a mask for the specified IP address. |
ipNetmask |
Specifies an IP network mask. |
user_name |
Specifies an identity by user name. |
N/A.
The software supports up to 512 entries in the whitelist. When you add an identity to the whitelist, the switch searches the blacklist for the same identity. If the identity is already in the blacklist, the switch displays an error.
It is possible to configure an identity in both lists by specifying different attributes in each list. For example, you can add an identity username to the whitelist and add the MAC address for that user‘s laptop in the blacklist. Because the blacklist has priority over the whitelist, identity access is denied from the user‘s laptop, but the user can access the switch from other locations.
Reviews the identities already known to the switch. If the new whitelist entry is blacklisted (by specifying a different identity attribute), no action is taken.
If the identity is not blacklisted and is known on the switch, all existing ACL (Access Control List)s for the identity are removed.
When a whitelisted MAC-based identity is detected or already known, an Allow All ACL is programmed for the identity MAC address for the port on which the identity is detected.
When a whitelisted IP-based identity is detected or already known, an Allow All ACL is programmed for the identity IP address for the port on which the identity is detected.
Reviews the identities already known to the switch. If the new whitelist entry is an identity known on the switch, an Allow All ACL is programmed for the identity MAC address on all ports to which the identity is connected.
When a new whitelisted username-based identity accesses the switch, an Allow All ACL is programmed for the identity MAC address on the port on which the identity is detected.
The ACL for a whitelisted username follows any ACLs based on Kerberos snooping.
Allow All ACLs for whitelisted entries exist as long as the identity remains in the identity manager database.
Removes the Allow All ACL from the port to which the identity connected.
Note
The role determination process can trigger an LDAP refresh to collect identity attributes for role determination.
The following command adds an IP address to the whitelist:
* Switch.4 # configure identity-management whitelist add ip 10.0.0.1
The following command deletes a user name from the whitelist:
* Switch.5 # configure identity-management whitelist delete user john
This command was first available in ExtremeXOS 12.7.
This command is available on the Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X440-G2, X620, X690, X870 series switches.