configure identity-management greylist

configure identity-management greylist add user username
configure identity-management greylist delete [all | user username]

Description

This command enables a network administrator to choose usernames whose identity does not need to be maintained. These usernames are added to the greylist. The Identity Management module does not create an identity when a greylist user logs in.

Syntax Description

username

Specifies an identity by user name.

Default

N/A.

Usage Guidelines

The software supports up to 512 entries in the greylist. An administrator can configure a username as part of the greylist. When such a configuration takes place, the identity manager takes the following actions:
  • Checks whether the same entry is already present in the blacklist or whitelist. If it is, the command is rejected with an appropriate error message.

  • Checks whether this entry would be ineffective because of existing entries in the blacklist or whitelist. This check also takes the precedence of the greylist into account.
    • For example, the new entry being configured into the greylist is Richard@corp. Assume the blacklist has higher precedence and contains the entry "Richard". In this case, the new entry is ineffective and the configuration is rejected with details of the conflict.

  • If no conflict is found, the greylist is updated.

  • IDM checks whether any existing identity matches the new greylist entry. If a match is found, the location/identity is deleted and an unknown identity is created with the same MAC address.

If the greylist user is the only user logged in on a device, an unknown identity is created and the user is kept in the unauthenticated role. However, if an actual user is present along with the greylist user, no additional policy is applied to the greylist user; the greylist user receives the same access permissions as the actual user who is logged in.

When the user deletes an entry from the greylist, the identity manager:

1. Deletes the entry and updates the list.

2. Constructs the user identity from NetLogin details, if the deleted username is found in the NetLogin authenticated user database.
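The add and delete checks described above, modelled in Python as an added example (this is not ExtremeXOS code). The matching rule in covers() and the configurable list precedence are assumptions, and the NetLogin database is a constructed stand-in:

```python
from dataclasses import dataclass


@dataclass
class Identity:
    user: str   # "unknown" for an unknown identity
    mac: str


class IdentityLists:
    """Model of the greylist add/delete checks from the usage guidelines; not ExtremeXOS code."""
    MAX_GREYLIST = 512  # limit stated in the usage guidelines

    def __init__(self, higher_than_greylist=("blacklist", "whitelist")):
        # Assumption: which lists outrank the greylist is configurable; both do by default.
        self.lists = {"blacklist": set(), "whitelist": set(), "greylist": set()}
        self.higher = higher_than_greylist
        self.identities = {}  # mac -> Identity
        self.netlogin = {}    # mac -> authenticated user (constructed stand-in for the NetLogin database)

    @staticmethod
    def covers(entry, user):
        # Assumption: an entry with no domain ("Richard") covers that user in any domain ("Richard@corp").
        return entry == user or ("@" not in entry and user.split("@", 1)[0] == entry)

    def add_greylist(self, user):
        grey = self.lists["greylist"]
        if len(grey) >= self.MAX_GREYLIST:
            return False, "greylist full (512 entries)"
        for name in ("blacklist", "whitelist"):  # same entry elsewhere -> rejected
            if user in self.lists[name]:
                return False, f"'{user}' already present in {name}"
        for name in self.higher:  # only higher-precedence lists can make the entry ineffective
            for entry in self.lists[name]:
                if self.covers(entry, user):
                    return False, f"'{user}' ineffective: shadowed by {name} entry '{entry}'"
        grey.add(user)
        for mac, ident in list(self.identities.items()):  # matching identities become unknown, same MAC
            if self.covers(user, ident.user):
                self.identities[mac] = Identity("unknown", mac)
        return True, "greylist updated"

    def delete_greylist(self, user=None):
        grey = self.lists["greylist"]
        targets = set(grey) if user is None else {user}  # None models 'delete all'
        if not targets <= grey:
            return False, f"'{user}' not in greylist"
        grey -= targets
        for mac, name in self.netlogin.items():  # rebuild identities from NetLogin where possible
            if name in targets and self.identities.get(mac, Identity("unknown", mac)).user == "unknown":
                self.identities[mac] = Identity(name, mac)
        return True, f"removed {len(targets)} entries"
```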

Example

The following command adds a username to the greylist:

configure identity-management greylist add user Richard@corp

The following command deletes a username from the greylist:

configure identity-management greylist del user Richard@corp

History

This command was first available in ExtremeXOS 15.1.

Platform Availability

This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, X670-G2, X690, X695, X870, 5320, 5420, and 5520 series switches.