Identity Management Overview
The identity management feature allows you to learn more about the users and devices (such as phones and routers) that connect to a switch. In this chapter, users and devices are collectively called identities. The Identity Management feature:
- Captures identity information when users and devices connect to and disconnect from the switch.
- Stores captured identity information and identity event data in a local database.
- Generates EMS messages for user and device events.
- Makes collected identity information available for viewing by admin-level users and to management applications through XML APIs.
- Uses locally collected identity information to query an LDAP server and collect additional information about connected identities.
- Supports custom configurations called roles, which are selected based on identity information collected locally and from an LDAP server.
- Uses roles to enable traffic filtering, counting, and metering on ports (using ACLs and policies) in response to identity events (connections, disconnections, and time-outs).
- Supports the configuration of blacklists to deny all access to an identity and whitelists to permit all access to an identity.
- Supports the configuration of a greylist, which lets the network administrator choose usernames whose identity does not need to be maintained. When these usernames are added to the greylist, the Identity Management module does not create an identity when these users log on.
- Integrates with UPM to modify the switch configuration in response to discovered identities.
- Serves users under different domains by allowing different domains to be configured and then associating different LDAP servers with those domains.
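The list above describes an event pipeline: an identity is captured on connect, enriched from LDAP, matched against the greylist, blacklist and whitelist, assigned a role, and a port policy is applied and later released on disconnect or time-out. The following is an added illustration of that decision order as a small Python model; it is not the switch's own code or any Extreme Networks API. The `IdentityManager` class, the in-memory `LDAP` dictionary standing in for an LDAP query, the role predicates, the policy names and every username, port and device label are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class IdentityEvent:
    kind: str       # "connect", "disconnect" or "timeout"
    username: str
    device: str     # constructed device label: "phone", "router", "laptop"
    port: str       # switch port the event was seen on


@dataclass
class Identity:
    username: str
    device: str
    port: str
    attrs: Dict[str, str] = field(default_factory=dict)  # local + LDAP attributes
    role: Optional[str] = None


# A role is a name plus a predicate over the merged attribute map; first match wins.
Role = Tuple[str, Callable[[Dict[str, str]], bool]]


class IdentityManager:
    """Hypothetical model of the identity event pipeline (not the product's code)."""

    def __init__(self, ldap_directory: Dict[str, Dict[str, str]], roles: List[Role],
                 role_policies: Dict[str, str], blacklist=(), whitelist=(), greylist=()):
        self.ldap = ldap_directory          # stand-in for the LDAP server query
        self.roles = roles
        self.role_policies = role_policies  # role name -> ACL/policy applied on the port
        self.blacklist = set(blacklist)
        self.whitelist = set(whitelist)
        self.greylist = set(greylist)
        self.db: Dict[str, Identity] = {}   # local identity database, keyed by port
        self.events: List[str] = []         # stand-in for EMS messages
        self.port_policy: Dict[str, str] = {}

    def handle(self, ev: IdentityEvent) -> Optional[Identity]:
        if ev.kind == "connect":
            return self._connect(ev)
        if ev.kind in ("disconnect", "timeout"):
            self._release(ev)
            return None
        raise ValueError(f"unknown event kind {ev.kind!r}")

    def _connect(self, ev: IdentityEvent) -> Optional[Identity]:
        # Greylisted usernames never get an identity record.
        if ev.username in self.greylist:
            self.events.append(f"greylisted {ev.username} on {ev.port}: no identity created")
            return None
        ident = Identity(ev.username, ev.device, ev.port,
                         attrs={"username": ev.username, "device": ev.device})
        ident.attrs.update(self.ldap.get(ev.username, {}))   # enrich from "LDAP"
        self.db[ev.port] = ident
        self.events.append(f"identity {ev.username}/{ev.device} connected on {ev.port}")
        # Blacklist and whitelist take precedence over role selection.
        if ev.username in self.blacklist:
            self._apply(ev.port, "deny-all")
        elif ev.username in self.whitelist:
            self._apply(ev.port, "permit-all")
        else:
            ident.role = self._select_role(ident.attrs)
            if ident.role is not None:
                self._apply(ev.port, self.role_policies[ident.role])
        return ident

    def _select_role(self, attrs: Dict[str, str]) -> Optional[str]:
        for name, matches in self.roles:
            if matches(attrs):
                return name
        return None

    def _apply(self, port: str, policy: str) -> None:
        self.port_policy[port] = policy
        self.events.append(f"applied {policy} on {port}")

    def _release(self, ev: IdentityEvent) -> None:
        # Disconnect and time-out both drop the identity and its port policy.
        ident = self.db.pop(ev.port, None)
        self.port_policy.pop(ev.port, None)
        who = ident.username if ident else ev.username
        self.events.append(f"identity {who} {ev.kind} on {ev.port}: policy removed")


# Constructed sample directory, roles and policy names (not from the page).
LDAP = {"alice": {"department": "engineering"}, "bob": {"department": "sales"}}
ROLES: List[Role] = [
    ("engineer", lambda a: a.get("department") == "engineering"),
    ("voice", lambda a: a.get("device") == "phone"),
    ("guest", lambda a: True),          # catch-all role
]
POLICIES = {"engineer": "eng-acl", "voice": "voice-acl", "guest": "guest-acl"}


def demo() -> IdentityManager:
    """Run a constructed sequence of identity events and return the manager state."""
    idm = IdentityManager(LDAP, ROLES, POLICIES, blacklist=["mallory"],
                          whitelist=["netadmin"], greylist=["svc-monitor"])
    for ev in [IdentityEvent("connect", "alice", "laptop", "1:1"),
               IdentityEvent("connect", "mallory", "laptop", "1:2"),
               IdentityEvent("connect", "svc-monitor", "router", "1:3"),
               IdentityEvent("connect", "phone-7", "phone", "1:4"),
               IdentityEvent("disconnect", "alice", "laptop", "1:1")]:
        idm.handle(ev)
    return idm


if __name__ == "__main__":
    for line in demo().events:
        print(line)
```

The ordering in `_connect` is the point worth checking against a real deployment: a greylisted user produces no identity at all, while blacklist and whitelist entries override whatever role the LDAP attributes would otherwise select, so a mis-placed whitelist entry silently bypasses role-based filtering.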
Note
IDM and ONEPolicy are not supported together, and enabling both is not recommended, because handling rule- or role-based actions is not supported. The exception is Kerberos authentication with NAC as a RADIUS server, which can be used in conjunction with IDM XML event triggers.
Note
When using IDM commands, you should generally avoid the encrypted option. Passwords provided in commands in plain text are saved in encrypted format.