Identity Management Overview
The identity management feature allows you to learn more about the
users and devices (such as phones and routers) that connect to a switch. In this
chapter, users and devices are collectively called identities
. The Identity Management feature:
- Captures identity information when users and devices connect
to and disconnect from the switch.
- Stores captured identity information and identity event data
in a local database.
- Generates EMS messages for user and device events.
- Makes collected identity information available for viewing
by admin-level users and to management applications such as Extreme Management
Center or Ridgeline through XML APIs.
- Uses locally collected identity information to query an LDAP
server and collect additional information about connected identities.
- Supports custom configurations called roles, which are selected based on identity
information collected locally and from an LDAP server.
- Uses roles to enable traffic filtering, counting, and
metering on ports (using ACLs and policies) in response to identity events
(connections, disconnections, and time-outs).
- Supports the configuration of blacklist to deny all access
to an identity and whitelists to permit all access to an identity.
- Supports the configuration of greylist to enable the network
administrator to choose usernames whose identity is not required to be
maintained. When these usernames are added to greylist, the Identity Management
module does not create an identity when these users log on.
- Integrates with UPM to modify the switch configuration in
response to discovered identities.
- Services users under different domains by allowing different
domains to be configured and then associating different LDAP servers for those
IDM and ONEPolicy are not supported together and it is
not recommended to enable both, since handling rule/role-based actions is not
supported, except to support Kerberos Authentication with NAC as a RADIUS server and
can be used in conjunction with IDM XML event triggers.
This chapter discusses identity management features
that are managed using the switch CLI. Related features are described in other chapters
and in the Extreme Management Center and Ridgeline product documentation. For a
description of identity management that ties all the related components together, see
the application note titled Deploying an Identity Aware
, which is available from the Extreme Networks website
When using IDM commands, you should generally avoid the encrypted
option. Passwords provided in commands in plain text are saved in encrypted