configure identity-management blacklist
Adds or deletes an entry in the identity manager blacklist.
Adds the specified identity to the blacklist.
Deletes the specified identity from the blacklist.
Specifies that all identities are to be deleted from the blacklist. This option is available only when the delete attribute is specified.
Specifies an identity by MAC address.
Specifies a MAC address mask. For example: FF:FF:FF:00:00:00.
Specifies an identity by IP address.
Specifies a mask for the specified IP address.
Specifies an IP network mask.
specifies an identity by user name.
The software supports up to 512 entries in the blacklist. When you add an identity to the blacklist, the switch searches the whitelist for the same identity. If the identity is already in the whitelist, the switch displays an error.
It is possible to configure an identity in both lists by specifying different attributes in each list. For example, you can add an identity username to the blacklist and add the MAC address for that user‘s laptop in the whitelist. Because the blacklist has priority over the whitelist, the username is denied access to the switch from all locations.
Reviews the identities already known to the switch. If the new blacklist entry is an identity known on the switch, all existing ACLs (based on user roles or whitelist configuration) for the identity are removed.
When a blacklisted MAC-based identity is detected or already known, a Deny All ACL is programmed for the identity MAC address for the port on which the identity is detected.
When a blacklisted IP-based identity is detected or already known, a Deny All ACL is programmed for the identity IP address for the port on which the identity is detected.
The ACL for blacklisted MAC and IP addresses precedes any ACLs based on user names (including Kerberos snooping) that may have been previously configured on the port. This ensures that a Kerberos exchange cannot complete when initiated for blacklisted identities.
Reviews the identities already known to the switch. If the new blacklist entry is an identity known on the switch, a Deny All ACL is programmed for the identity MAC address on all ports to which the identity is connected.
When a new blacklisted username-based identity accesses the switch, a Deny All ACL is programmed for the identity MAC address on the port on which the identity was detected.
The ACL for a blacklisted username follows any ACLs based on Kerberos snooping. This ensures that a Kerberos exchange for another user can complete when initiated from the same MAC address.
Identity manager programs ingress ACLs. Blacklisted devices can receive traffic from the network, but they cannot send traffic into the network.
Deny All ACLs for blacklisted entries exist as long as the identity remains in the identity manager database.
Removes the Deny All ACL from the port to which the identity connected.
Initiates the role determination procedure for the switch port to which the known identity connected. This ensures that the appropriate role is applied to the identity that is no longer blacklisted.
The role determination process can trigger an LDAP refresh to collect identity attributes for role determination.
The following command adds a MAC address to the blacklist:
* Switch.4 # configure identity-management blacklist add mac 00:01:05:00:03:18
The following command deletes a user name from the blacklist:
* Switch.5 # configure identity-management blacklist delete user firstname.lastname@example.org
This command was first available in ExtremeXOS 12.7.
This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, and X695 series switches.