ExtremeConnect Management / IT Operations Configuration

FNT Command

Glue Networks Gluware Control

Microsoft System Center Configuration Manager (SCCM)

Aruba ClearPass

FNT Command

The FNT Command integration offers two main functionalities:

  1. Mapping of patch panel information from Command to end-systems and switch ports in ExtremeCloud IQ Site Engine/Control. Data within ExtremeCloud IQ Site Engine is enriched for each end-system and offers comprehensive reporting capabilities within OneView.
  2. Exporting of ExtremeCloud IQ Site Engine data to FNT Command: this will export all switches, their modules, ports, GBICs and connected end-systems to Command’s ADG database.
Module Configuration
Configuration Option Description
Username Username used to connect to the Command Oracle DB
Password Password used to connect to the Command Oracle DB
ServerIP IP Address of the Command Oracle DB
Server Port TCP port of the Command Oracle DB. Default: 6201
Command Service Name The “SERVICE_NAME” to access the Oracle DB view/table called “MEDMGR.CTFL2D_SWITCH_2_OUTLET”. Refer to your Oracle DB administrator to get the service name specific to your FNT Command installation.


General Module Configuration
Poll interval in seconds The time (in seconds) the module will wait after each run. Since the data on patch field connections/locations is relatively static, it often does not require updating every 60 seconds and it is recommended to increase the value for the poll interval. This will also decrease the processing load on the ExtremeCloud IQ Site Engine server. Recommendation: 3600 seconds (once per hour), but this depends on the size of your infrastructure and your requirements.
Module loglevel Verbosity of the module. Logs are stored in ExtremeCloud IQ Site Engine's server.log file.
Module enabled Whether or not the module is enabled.
Push update to remote service If this is set to “true”, data from other modules will be pushed to the service.
Update local data from remote service If this is set to “true”, data from the remote service will be used to update the internal end-system table.
Default end-system group The default end-system group name to use if it is not set dynamically.
Enable Data Persistence Enabling this option will force the module to store end-system custom field and group membership data into a file after each cycle. If this option is disabled, the module will forget all data after a service restart, but in order to clean already existing data, the corresponding .dat files have to be deleted. It is important to enable this feature, especially in large environments, so that OF Connect doesn’t need a full re-sync of all data every time you restart your ExtremeCloud IQ Site Engine server. Default: True.


Service Specific Configuration
Custom field to use The number of the custom data field for each end-system to store the data retrieved from Command. Available values are: 1, 2, 3 or 4. Default: 1.
Format of the incoming data Format of the data that gets stored in the custom data field. You can choose and combine any of the available variables: outletId (ID of the patch field), outletCampus, outletBuilding, outletFloor, outletRoom. Default: #outletId# / #outletCampus# / #outletBuilding# / #outletFloor# / #outletRoom#
Update NAC End-Systems with Command outlet data If set to True the module will retrieve outlet data (outlet id, room, building, etc.) and map it to the corresponding end-systems/ports in NAC
Command DB table name containing outlet data for NAC import The name of the Oracle DB table that contains the Command outlet data. This is required if you enable the feature update_nac_endsystems_with_command_outlet_data so OFC knows which table to query to retrieve data about ports and their outlet data. Default: medmgr.CTFL2D_SWITCH_2_OUTLET
Push ExtremeCloud IQ Site Engine Devices to Command Auto-Discovery Gateway If set to 'true' the module will push ExtremeCloud IQ Site Engine switch data (IP, firmware, type, descriptor, etc.) to Command's Auto-Discovery Gateway. The module updates the corresponding database tables. The Auto-Discovery Gateway itself manages the import of the data to Command automatically.
Push NAC End-Systems to Command Auto-Discovery Gateway If set to 'true' the module will push all NAC end-systems to Command's Auto-Discovery Gateway. It will then try to "connect" these end-systems to switches and ports exported from ExtremeCloud IQ Site Engine. This option is only available if the option push_netsight_devices_to_command_adg has also been enabled. The module updates the corresponding database tables. The Auto-Discovery Gateway itself manages the import of the data to Command automatically.
Autodiscovery Gateway DB TCP Port The TCP port where the Autodiscovery Gateway database is running on. Default: 1521
Autodiscovery Gateway DB Username The username to connect to the Autodiscovery Gateway database. Default: command
Password Password used to connect to the Autodiscovery Gateway database. Default: command
The Map to use when exporting ExtremeCloud IQ Site Engine/NAC data to Command's ADG Specify the map which should be used to export ExtremeCloud IQ Site Engine (switches) and NAC (end-systems) data to ADG. The map needs to be configured correctly in order for ADG to properly map the incoming device types to existing, well-known device types. Default: 1
Automatically process ExtremeCloud IQ Site Engine data pushed to ADG If set to 'true' the module will automatically call the AutomatedProcessing.sh script at the end of each synchronization cycle. This will trigger the ADG to immediately import the new data from ExtremeCloud IQ Site Engine. This is currently only supported on ADG Linux installations.
Username to connect to the ADG server via SSH and execute automated processing script The user name to connect to the ADG server via SSH and execute the AutomatedProcessing.sh script. Make sure the user can remotely login via SSH and has the necessary privileges to execute the script located in your tomcat folder under /webapps/command/axis/WEB-INF. This is only relevant if the option adg_enable_automated_processing has been enabled.
Password to connect to the ADG server via SSH and execute automated processing script The password to connect to the ADG server via SSH and execute the AutomatedProcessing.sh script. This is only relevant if the option adg_enable_automated_processing has been enabled.
Username for the automated processing script (Command user) The Command user name will be provided as a parameter to the AutomatedProcessing.sh script. Make sure the user has the necessary rights within Command to perform the changes which the script triggers. This is only relevant if the option adg_enable_automated_processing has been enabled.
Password for the automated processing script (Command user) The Command password will be provided as a parameter to the AutomatedProcessing.sh script. This is only relevant if the option adg_enable_automated_processing has been enabled.
Tenant (=Mandant) ID for the automated processing script (Command tenant) The Command tenant (=Mandant) to use for the user provided above. This will be used as a parameter to the AutomatedProcessing.sh script. This is only relevant if the option adg_enable_automated_processing has been enabled.
User group ID for the automated processing script (Command user group name) The name of the Command user group to use for the user provided above. This will be used as a parameter to the AutomatedProcessing.sh script. This is only relevant if the option adg_enable_automated_processing has been enabled.
Full file path on the ADG server for the script to trigger automated processing The full file path (path and file name) of the AutomatedProcessing.sh script. This script will be triggered on the ADG server via SSH to automatically start the data import. This is only relevant if the option adg_enable_automated_processing has been enabled. Default: /usr/share/tomcat7/webapps/command/axis/WEB-INF/AutomatedProcessing.sh
Maximum number of end-systems per web service request to EMC Specify the maximum number (as integer) of end-systems that Fusion will query per request from the ExtremeCloud IQ Site Engine server. This setting enables you to split large end-system queries into smaller batches. Example: There are 10,000 end-systems in ExtremeCloud IQ Site Engine/NAC. You set this max_endsystem_per_request value to 1000. Then Fusion will perform 10 calls to the ExtremeCloud IQ Site Engine API and retrieve 1000 end-systems per call. Default: 1000.
Timeout per web service request to EMC Specify the timeout in seconds (as integer) for each web service call to ExtremeCloud IQ Site Engine. Since these calls are handled by the TaskScheduleHandler you need to calculate a value as follows: Take the setting for poll_interval_seconds from your TaskScheduleHandler.xml config file and add a couple of seconds for the expected time it takes for the http transaction to complete. Example: 3 seconds poll interval for the TaskScheduleHandler plus a timeout of 7 seconds for the http request to be performed --> 10 seconds. Default: 10
The ID of the tenant to query Command outlet data for Specify the Command tenant ID ("Mandant ID") which will be used to filter Command outlet data. This will help reduce the amount of data OFC has to process when importing Command outlet data and matching it to end-systems in NAC. This is only relevant if the option update_nac_endsystems_with_command_outlet_data has been enabled.
Default username for switch CLI access The default username to connect to any switches that don't have CLI credentials stored within ExtremeCloud IQ Site Engine. This username is only used if there are no CLI credentials defined for a switch in ExtremeCloud IQ Site Engine. Otherwise the ExtremeCloud IQ Site Engine CLI username takes priority. This is used to gather port optic info from ExtremeXOS/Switch Engine switches using a Telnet connection.
Default password for switch CLI access The default password to connect to any switches that don't have CLI credentials stored within ExtremeCloud IQ Site Engine. This password is only used if there are no CLI credentials defined for a switch in ExtremeCloud IQ Site Engine. Otherwise the ExtremeCloud IQ Site Engine CLI password takes priority. This is used to gather port optic info from ExtremeXOS/Switch Engine switches using a Telnet connection.
Verification
  1. Login to OneView and verify the incoming data from FNT within the custom data field in the end-system table.
  2. Pick a few end-systems and validate that their location data in NAC’s custom field is correct according to Command data.

Glue Networks Gluware Control

The Gluware Control integration enables the option to publish Policy Domain configuration to Gluware. The policies are translated into ACL definitions that can be deployed to managed nodes of different manufacturers.

Module Configuration

The table below describes the configuration options available for the Gluware Control module (config file: GlueNetHandler.xml)

Configuration Option Description
Username Username used to connect
Password Password used to connect
Webservice URL Webservice URL of Gluware Control
Company Tenant Company Name
Organization Tenant Organization Name


General Module Configuration
Poll interval in seconds The time (in seconds) the module will wait after each run. Since the data on patch field connections/locations is relatively static, it often does not require updating every 60 seconds and it is recommended to increase the value for the poll interval here. This will also decrease the processing load on the ExtremeCloud IQ Site Engine server. Recommendation: 3600 seconds (once per hour), but this depends on the size of your infrastructure and your requirements.
Module loglevel Verbosity of the module. Logs are stored in ExtremeCloud IQ Site Engine's server.log file.
Module enabled Whether or not the module is enabled.
Push update to remote service If this is set to “true”, data from other modules will be pushed to the service.
Update local data from remote service If this is set to “true”, data from the remote service will be used to update the internal end-system table.
Default end-system group The default end-system group name to use if it is not set dynamically.
Enable Data Persistence Enabling this option will force the module to store end-system custom field and group membership data into a file after each cycle. If this option is disabled, the module will forget all data after a service restart, but in order to clean already existing data, the corresponding .dat files have to be deleted. It is important to enable this feature, especially in large environments, so that OF Connect doesn’t need a full re-sync of all data every time you restart your ExtremeCloud IQ Site Engine. Default: True.


Service Specific Configuration
Naming Convention Only policy roles matching the naming convention format will be published (.+ for all)
Provision Switches Automatically provision switches on enforce
Switches Name of switch nodes to provision (separated by ;)

The module will publish every policy domain to Gluware Control that has a matching jboACL object name. (i.e. to publish “Default Policy Domain”, create a new jboACL with the name “Default Policy Domain”).

After the data was published, the description of the ACL will be changed to “Created by Extreme Connect” and contain an Access List for every policy role present in the policy domain.

Note: Support for policy rules depends on the underlying switch hardware. Gluware Control only supports L3-L4 IP policy rules with Accept and Deny actions and only those will be published from the policy domain.

Cisco ACL Support in NAC Manager

Please see ExtremeCloud IQ Site Engine and ExtremeControl - Cisco Switch Integration Guide.

Verification
  1. Login to Gluware Control and select Domain Objects > jboAcls.
  2. Select the ACL that matches the policy domain in ExtremeCloud IQ Site Engine and verify that the Access Lists match with the policy roles.
  3. ACLs are published automatically, but you can deploy to switches manually if automatic provisioning is not enabled.

To verify the configuration on a switch:

  1. Select Nodes > lanSwitch and connect to the desired switch.
  2. In addition to the existing default ACLs, Gluware will create one ACL whose name matches the Policy Role, with all of its rules below it. The rule precedence matches the default precedence found in Extreme Control.

Microsoft System Center Configuration Manager (SCCM)

The Microsoft SCCM integration is a one-way integration offering end-system data retrieval from SCCM on managed devices. This data enriches each end-system data set within ExtremeCloud IQ Site Engine and offers comprehensive reporting capabilities.

Note: The SCCM server requires an adapter agent to be installed and configured prior to enabling the corresponding module within Extreme Connect. The adapter file is provided by Extreme Networks.

Module Configuration

The table below describes the configuration options available for the SCCM OFConnect module (config file: SCCMHandler.xml)

Service Configuration Description
Adapter IP IP Address of the SCCM adapter
Adapter Port Port where the SCCM adapter is listening on
Pre-Shared Key The pre-shared key used to communicate with the SCCM adapter


General Module Configuration
Poll interval in seconds Number of seconds between connections to the adapter running on the SCCM server.
Module loglevel Verbosity of the module. Logs are stored in ExtremeCloud IQ Site Engine's server.log file.
Module enabled Whether or not the module is enabled.
Update local data from remote service If this is set to “true”, data from the remote service will be used to update the internal end-system table.
Default endsystem group The default end-system group name in NAC to assign all MAC addresses found in SCCM. Use a non-existing group name if you don’t want this module to assign all SCCM MAC addresses into any NAC end-system group.
Enable Data Persistence Enabling this option will force the module to store end-system and end-system group data to a file after each cycle. If this option is disabled, the module will forget all data after a service restart, but in order to clean already existing data, the corresponding .dat files have to be deleted.


Service Specific Configuration
Custom field to use The custom field in ExtremeCloud IQ Site Engine to update the information for end-systems retrieved from the adapter running on the SCCM server (valid values: 1-4).
Format of the incoming data The format of the data which is received from the adapter running on the SCCM server and written to the custom field.

Syntax example:
Netbios Name=#netbiosName#;
User=#lastLogonUserDomain#\#lastLogonUser#;
OS=#operatingSystem# (#servicePack#);
Manufacturer=#computerManufacturer#
Model=#computerModel#

Available Variables:
path, mac, netbiosName, lastLogonUserDomain, lastLogonUser, operatingSystem, servicePack, computerManufacturer, computerModel
Overwrite the existing username with the one acquired from SCCM If set to "true" the username retrieved from SCCM will overwrite the username that is already in NAC. If no username could be retrieved from SCCM for a given end-system, then no change is performed in NAC. Be aware that this might mess up existing NAC processes if you are already retrieving and using the username through some other mechanism like 802.1X or Kerberos snooping → this will be overwritten.
Overwrite the existing device type with the one acquired from SCCM If set to "true" the device type (Windows operating system) retrieved from SCCM will overwrite the device type which is already in NAC. If no operating system could be retrieved from SCCM for a given end-system, then no change is performed in NAC. Be aware that this might mess up existing NAC processes if you are already retrieving and using the device type through some other mechanism like DHCP snooping → this will be overwritten. But in most cases this feature should improve your current method (at least for Windows machines managed by SCCM) since the quality of the information retrieved from SCCM is usually very good.
Adapter Installation

ExtremeConnect retrieves data from an SCCM server using an adapter. This adapter needs to be installed and configured prior to enabling the corresponding module within ExtremeConnect. The adapter basically consists of a Java executable file (.jar) and a configuration file. There is currently no dedicated installer for the adapter, so it’s recommended that you follow these steps in order to install the adapter manually:

On the SCCM server:

  1. Create a user account which the Extreme Networks adapter should use to access data on the SCCM server.
  2. Install the latest Java Runtime Environment.
  3. On the SCCM server, create a dedicated folder (example: C:\Program Files\Extreme Networks\SCCM Adapter) and copy the two files (FUSION_SCCM_ADAPTER_<version>.jar and FUSION_SCCM_ADAPTER.config) into it.
  4. Start the adapter by selecting the file FUSION_SCCM_ADAPTER.jar or running it within a shell using “java -jar FUSION_SCCM_ADAPTER.jar”. Provide at least the following access rights to this user account:
  5. Verify the log file which should have been created in the same folder, where the jar file is located.
  6. Make sure that the adapter is automatically started when the Windows Server starts up.
Adapter Configuration

The table below lists the configuration options for the SCCM agent.

Configuration Option Description
LOG_LEVEL Set the log level of the adapter to one of the following values: ERROR, WARN or DEBUG. If not set, the default will be WARN.
IP IP address for the web service (=agent) to listen on
PORT TCP Port for the web service to listen on - must NOT be used by any other application on this server!
SCCM_SERVER The DNS name of the Configuration Manager server to connect to. So far this has only been tested with this adapter and the SCCM server running on the same server although remote connections might work as well.
SCCM_SITE_CODE The name of the 'Site' to connect to within Configuration Manager. Example: SCCM_SITE_CODE=mysite
SLEEP_INTERVAL Set the sleep interval in seconds. The main adapter will update all computer data from SCCM and then sleep for that many seconds before running the next update to retrieve the latest data.
PRE_SHARED_KEY The pre-shared key used for the communication between the adapter and OFConnect. This must match the key entered when installing the OFConnect Hyper-V module.
IS_PRE_SHARED_KEY_ENCRYPTED If set to 'false' the adapter assumes that the 'PRE_SHARED_KEY' configured above is not encrypted; on the first start the adapter will automatically encrypt the key and set this value to 'true'. If you want to change this key at a later stage, change the key above, set this value back to 'false' and restart the adapter service.
Verification

To verify that the data on Windows-based end-systems could be retrieved from SCCM:

  1. Check the custom field within NAC’s end-system table and make sure you see information such as the NetBIOS name, user name, detailed operating system info, etc.
  2. If enabled, you will also see more detailed operating system information within the Device Type column.
  3. If enabled, you will also see the last logged-on user information within the Username column.

Aruba ClearPass

The Aruba ClearPass integration is a one-way integration offering end-system data retrieval from ClearPass. ClearPass end-systems will be created and updated within ExtremeCloud IQ Site Engine. That end-system data can then be synced to Extreme Analytics and thus be mapped to flow data (username, device type, policy profile).

Note

Mapping end-system data from ClearPass to flow data within Extreme Analytics requires a correctly configured IP resolution within ClearPass since the mapping is done based on the end-system’s IP address.

Module Configuration

The table below describes the configuration options available for the Aruba ClearPass module (config file: ArubaClearpassHandler.xml)

Service Configuration Description
Server IP Address of the Aruba ClearPass server
Port Port of the Aruba ClearPass server API service – usually 443
Access-Token
  1. Login to Aruba ClearPass Guest
  2. Go to Administration > API Services > API Clients
  3. Select “Create an API Client”
  4. Use these settings:
  • Enabled: true
  • Operator Profile: Read-Only Administrator
  • Grant Type: Client Credentials
  • Access Token Lifetime: choose a high value (long lifetime) here. Example: 52 weeks
  5. Select “Create API Client”

The new client config will be shown in a list. Select that list item and select “Generate Access Token”, then copy the HTTP authorization token which is located after the “Bearer” part of the HTTP authorization header. Example: Bearer 01279b5134e633f8df3a36b145657f4f35133f16


General Module Configuration
Poll interval in seconds Number of seconds between connections to the Aruba ClearPass server.
Module loglevel Verbosity of the module. Logs are stored in ExtremeCloud IQ Site Engine's server.log file.
Module enabled Whether or not the module is enabled.
Update local data from remote service If this is set to “true”, data from the remote service will be used to update the internal end-system table.
Default endsystem group The default end-system group name in NAC to assign all MAC addresses found in ClearPass. Use a non-existing group name if you don’t want this module to assign all ClearPass MAC addresses into any NAC end-system group.
Enable Data Persistence Enabling this option will force the module to store end-system and end-system group data to a file after each cycle. If this option is disabled, the module will forget all data after a service restart, but in order to clean already existing data, the corresponding .dat files have to be deleted.


Service Specific Configuration
Custom field to use The custom field within ExtremeCloud IQ Site Engine to update the information for end-systems retrieved from ClearPass (valid values: 1-4).
Format of the incoming data Format of the data that gets stored in the custom data field.

Syntax example:
user=#user#, domain=#domain#, online=#online#, updatedAt=#updatedAt#, roles=#roles#

Available variables from Aruba ClearPass:
ipAddress, user, domain, spt, deviceCategory, deviceFamily, deviceName, online, updatedAt, roles

HTTP socket timeout in seconds (Clearpass API) HTTP socket timeout in seconds for all HTTP connection sockets to the Clearpass API. Enables the HTTP client to time out the established connection if there is no response from the ClearPass server after the configured number of seconds.
Enable device type overwrite Enable this to use the device family/type retrieved from ClearPass to overwrite the device family/type in Extreme Access Control
End-system group for decommissioned Clearpass end-points If an end-point gets deleted from Clearpass, its corresponding end-system will be pushed to this end-system group.
Remove end-systems from other groups on decommission Enable this to remove a device from all other groups when it is moved to the decommission group
Delete custom data in Extreme Management Center for decommissioned devices If an end-point gets deleted from Clearpass, the corresponding end-system's custom data field in ExtremeCloud IQ Site Engine will be cleared.
EMC Server Hostname or IP of the ExtremeCloud IQ Site Engine server. Needed to import Clearpass end-points.
EMC Port HTTPS port of the ExtremeCloud IQ Site Engine service. Default: 8443
EMC Username Username to connect to the ExtremeCloud IQ Site Engine server.
EMC Password Password to connect to the ExtremeCloud IQ Site Engine server.
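
The #variable# substitution behind the "Format of the incoming data" options of the FNT Command, SCCM and ClearPass modules above, as an added example (not ExtremeConnect's own code): it renders the page's three format strings from constructed sample records and reports placeholder names the module does not provide, which a typo such as #outletCampu# would otherwise turn into silently empty text. The variable lists and formats come from the page; the sample records and the decision to reject unknown variables are my assumptions.

```python
import re
from typing import Dict, List, Set

# All three modules use the same placeholder syntax: #variableName#
PLACEHOLDER = re.compile(r"#([A-Za-z][A-Za-z0-9]*)#")

# Variables each module documents as available for its format string
FNT_VARS: Set[str] = {"outletId", "outletCampus", "outletBuilding", "outletFloor", "outletRoom"}
SCCM_VARS: Set[str] = {"path", "mac", "netbiosName", "lastLogonUserDomain", "lastLogonUser",
                       "operatingSystem", "servicePack", "computerManufacturer", "computerModel"}
CLEARPASS_VARS: Set[str] = {"ipAddress", "user", "domain", "spt", "deviceCategory",
                            "deviceFamily", "deviceName", "online", "updatedAt", "roles"}

# Format strings from the page: the FNT default and the SCCM and ClearPass syntax examples
# (the SCCM example is joined onto one line with ';' separators)
FNT_FORMAT = "#outletId# / #outletCampus# / #outletBuilding# / #outletFloor# / #outletRoom#"
SCCM_FORMAT = ("Netbios Name=#netbiosName#;User=#lastLogonUserDomain#\\#lastLogonUser#;"
               "OS=#operatingSystem# (#servicePack#);Manufacturer=#computerManufacturer#;"
               "Model=#computerModel#")
CLEARPASS_FORMAT = ("user=#user#, domain=#domain#, online=#online#, "
                    "updatedAt=#updatedAt#, roles=#roles#")


def unknown_variables(fmt: str, allowed: Set[str]) -> List[str]:
    """Placeholder names used in fmt that the module does not provide (a typo check)."""
    return sorted({name for name in PLACEHOLDER.findall(fmt) if name not in allowed})


def render(fmt: str, record: Dict[str, str], allowed: Set[str]) -> str:
    """Fill the placeholders in fmt from one end-system record.

    Literal text between placeholders (separators, the backslash in the SCCM
    example) is copied unchanged; a known variable the record has no value for
    becomes an empty string; an unknown variable name is an error (assumption).
    """
    bad = unknown_variables(fmt, allowed)
    if bad:
        raise ValueError("unknown variables in format: " + ", ".join(bad))
    return PLACEHOLDER.sub(lambda m: record.get(m.group(1), ""), fmt)


# Constructed sample records (not real data), one per module
FNT_RECORD = {"outletId": "O-3.12-07", "outletCampus": "Main", "outletBuilding": "B2",
              "outletFloor": "3", "outletRoom": "3.12"}
SCCM_RECORD = {"netbiosName": "WS-0042", "lastLogonUserDomain": "CORP", "lastLogonUser": "jdoe",
               "operatingSystem": "Microsoft Windows 10 Enterprise", "servicePack": "",
               "computerManufacturer": "Dell Inc.", "computerModel": "Latitude 7420"}
CLEARPASS_RECORD = {"user": "jdoe", "domain": "CORP", "online": "true",
                    "updatedAt": "2024-01-01T10:00:00Z", "roles": "Employee"}


def render_fnt() -> str:
    return render(FNT_FORMAT, FNT_RECORD, FNT_VARS)


def render_sccm() -> str:
    return render(SCCM_FORMAT, SCCM_RECORD, SCCM_VARS)


def render_clearpass() -> str:
    return render(CLEARPASS_FORMAT, CLEARPASS_RECORD, CLEARPASS_VARS)


if __name__ == "__main__":
    print(render_fnt())
    print(render_sccm())
    print(render_clearpass())
    # A mistyped variable is reported instead of being written as empty text
    print(unknown_variables("#outletId# / #outletCampu#", FNT_VARS))
```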
Configure NAC + Analytics Integration

Make sure the feature that exchanges EAC data with flow data is enabled:

Verification

The end-system data from ClearPass will be visible within the ExtremeCloud IQ Site Engine end-system list and the Analytics flow data.

Within the end-system table you should see data on all ClearPass end-systems within the configured custom field:

Plus usernames and device types if available through ClearPass.

As soon as you update the user and device type fields for ClearPass sourced end-systems in ExtremeCloud IQ Site Engine the information in the Analytics “Application Flows” tab displays as well:

ExtremeCloud IQ Site Engine Fields Updated

The following end-system table fields in ExtremeCloud IQ Site Engine are updated by the Aruba Clearpass integration:

  • ipAddress
  • user
  • domain
  • spt
  • deviceCategory
  • deviceFamily
  • deviceName
  • online
  • updatedAt
  • roles