End-Systems
Use the End-Systems tab to view end-system connection information for a single ExtremeControl engine, all ExtremeControl engines, or all the engines in an engine group, depending on what you select in the left-panel tree. You can also monitor end-system events and view the health results from an end-system's assessment.
The End-Systems tab is available from the Control tab. You can also access the tab by selecting a single ExtremeControl engine, the All Engines folder, or an engine group in the left-panel tree, then selecting the End-Systems tab in the right panel. Selecting a single engine or engine group displays only the end-systems accessing the network via the selected engines.
Use the table options and tools to filter, sort, and customize table settings. Access the options by selecting the down arrow in the right corner of any column header.
End-Systems
This table displays the last known connection state for each end-system that has attempted connection.
- State
- The end-system's connection state:
- Scan — The end-system is currently being scanned.
- Accept — The end-system is granted access with either the Accept policy or the attributes returned from the RADIUS server.
- Quarantine — The end-system is quarantined because the assessment failed.
- Reject — The end-system was rejected because the assigned ExtremeControl profile was set to Reject, the MAC Locking test failed, or the RADIUS server was reachable but rejected the authentication request.
- Disconnected — All sessions for the end-system are disconnected. This state is only applicable for end-systems connected to switches that have RADIUS accounting enabled.
- Error — Indicates one of nine problems:
- the MAC to IP resolution failed, if assessment is enabled
- the MAC to IP resolution timed out, if assessment is enabled
- all RADIUS servers are unreachable
- the RADIUS request was non-compliant
- all assessment servers are unavailable
- the assessment server can't reach the end-system
- no assessment servers are configured
- the assessment server is not compatible with the current version of ExtremeControl
- the username and password configured in the Assessment Server panel of the ExtremeControl options (Administration > Options > ExtremeControl > Assessment Server) are incorrect for the assessment server.
- Last Seen
- The last time the end-system was seen by the ExtremeControl engine.
Note: The End-Systems table is sorted by the Last Seen Time by default. Sorting by any other column automatically pauses the live table so that column can be sorted (the OUI Vendor and Switch Nickname columns cannot be sorted). Returning to the Live view restores the Last Seen Time sort, in descending order.
- MAC Address
- The end-system's MAC address. MAC addresses can be displayed as a full MAC address or with a MAC OUI (Organizational Unique Identifier) prefix. If the MAC address of the end-system belongs to an administratively assigned range (randomized MAC), the MAC is displayed in italic font.
- Switch IP
- The IP address of the switch to which the end-system is connected. If the end-system is connected to an ExtremeControl Controller engine, this is the ExtremeControl Controller PEP (Policy Enforcement Point) IP address.
- Switch Nickname
- An alternate name for the switch.
NOTE: Configure the nickname on the Device Annotation tab in the Configure Device window.
- Switch Port
- The port alias (if defined) followed by the switch port number to which the end-system connected. If the end-system is connected to a Layer 2 ExtremeControl Controller engine, this is the ExtremeControl Controller PEP (Policy Enforcement Point) port. However, for Layer 3 ExtremeControl Controller engines, this column is blank.
- If you add or update the port alias on the switch, you must enforce the ExtremeControl engine in order for the new information to be displayed in the End-Systems table.
- If you don't want the port alias displayed, remove the PORT_DESCRIPTION_FORMAT variable from the /opt/nac/server/config/config.properties file. If this variable is removed, only the switch port number is displayed.
- Policy
- The name of the ExtremeControl policy role assigned to the end-system when it connected to the network.
- Authorization
- The attributes returned by the RADIUS server for this end-system. If the end-system is connected to a switch that supports multi-authentication, then this column may not reflect the actual active policy for the authenticated user. For Layer 3 ExtremeControl Controller engines, this column displays the policy assigned to the end-system for its authorization.
- Risk
- The overall risk level assigned to the end-system based on the health result of the scan:
- Red — High Risk
- Orange — Medium Risk
- Yellow — Low Risk
- Green — No Risk
- Gray — Unknown
- Profile
- The name of the ExtremeControl profile assigned to the end-system when it connected to the network.
- Reason
- Provides information about the reason the ExtremeControl profile is assigned to the end-system.
- Authentication Type
- Identifies the latest authentication method used by the end-system to connect to the network. (For Layer 3 ExtremeControl Controller engines, this column displays "IP.")
- State Description
- This column provides more details about the end-system state. For example, if the end-system's connection state is Reject, this column might list the RADIUS server (primary or secondary) that rejected the authentication request.
- Extended State
- Provides the reasons why the end-system is in its particular connection state, such as why a certain policy was applied to the end-system or why the end-system was rejected.
- Engine Group
- This column is only displayed if you have multiple engine groups. It displays what engine group the ExtremeControl engine was in when the end-system event was generated. For example, if the engine was in Engine Group A when an end-system connected, but then later the engine was moved to Engine Group B, this column would still list Engine Group A for that end-system's entry.
- RFC3580 VLAN
- For end-systems connected to RFC 3580-enabled switches, this is the RFC3580 VLAN ID assigned to the end-system.
- Score
- The total sum of the scores for all the health details that were included as part of the quarantine decision.
- Actual Score
- The actual score is what the total score would be if all the health details, including those marked Informational and Warning, were included in the score.
- Switch Location
- The physical location of the switch to which the end-system connected. If the end-system is connected to an ExtremeControl Controller engine, this is the ExtremeControl Controller PEP (Policy Enforcement Point) location.
- All Authentication Types
- This column displays all the authentication methods the end-system has used to authenticate. The authentication types are listed in order of precedence from highest to lowest: Switch Quarantine, 802.1X, CHAP, PAP, Kerberos, MAC, CEP, RADIUS Snooping, Auto Tracking. View details about each authentication session (such as the ExtremeControl profile that was assigned to the end-system for each authentication type) in the End-System Events tab.
- Last Scan Result
- The last scan result assigned to the end-system: Scan, Accept, Quarantine, Reject, Error. This is the state assigned to the end-system as a result of the last completed scan. This typically matches the end-system State if scanning is currently enabled and has been performed recently.
- NAP Capable
- Indicates whether the end-system is Microsoft NAP (Network Access Protection) capable: Yes or No
- Custom
- Use this column to add additional information about the end-system. To add or edit custom information, right-click on the table and select Edit Custom Information. You can add information for up to four Custom columns. The columns for Custom 2, Custom 3, and Custom 4 are hidden by default. To display these columns, select the down arrow to the right of the table header and select Columns > Column 2, Column 3, or Column 4.
NOTE: Change the name of the Custom columns in the ExtremeControl options.
- Registered Email
- The registered email address supplied by the end-user during the registration process.
- Registered Phone
- The registered phone number supplied by the end-user during the registration process.
- Sponsor
- The registered user's sponsor, if sponsorship is enabled.
- Registration Description
- The device description supplied by the end user during the registration process.
- Group 1-3
- Displays the names of up to three end-system and/or user groups to which the end-system belongs.
- Zone
- Displays the end-system zone to which the end-system is assigned.
- Source
- Displays the origin of the end-system in the network:
- Access Control engine — An Access Control engine.
- Wireless Manager — An ExtremeWireless Controller or AP.
- ExtremeXOS/Switch Engine ID Manager — An Extreme switch running ExtremeXOS/Switch Engine with the Identity Manager feature configured to send events to ExtremeCloud IQ Site Engine.
- OneFabric Connect — An ExtremeConnect module (e.g. Solutions Architecture and Innovation (SAI) integration)
- One Controller — The Extreme SDN Controller.
- Certificate URI
- The URL portion of the Subject Alternative Name when 802.1X EAP-TLS is used. This field is hidden by default.
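The State, Authentication Type, All Authentication Types, Score and Actual Score columns above describe how per-session events are rolled up into one row per end-system. As an added illustration, not code from ExtremeCloud IQ Site Engine, the following Python models that roll-up over constructed event rows; the Event record, the sample data and the rule for deriving a Disconnected state are assumptions.

```python
from collections import namedtuple
from datetime import datetime

# Precedence of the All Authentication Types column, highest first (from the page).
AUTH_PRECEDENCE = ["Switch Quarantine", "802.1X", "CHAP", "PAP", "Kerberos",
                   "MAC", "CEP", "RADIUS Snooping", "Auto Tracking"]
RANK = {name: i for i, name in enumerate(AUTH_PRECEDENCE)}

Event = namedtuple("Event", "mac auth_type state seen")  # one End-System Events row (reduced)


def summarize(events):
    """Fold per-session events into one End-Systems row per MAC address.
    Assumption (a model, not the engine's published logic): the latest event
    per authentication type stands for that session; the end-system is
    Disconnected only when every session is, else it takes the state of the
    most recently seen session that is still active."""
    by_mac = {}
    for ev in events:
        by_mac.setdefault(ev.mac, []).append(ev)
    rows = {}
    for mac, evs in by_mac.items():
        evs.sort(key=lambda e: e.seen)
        latest = {}
        for ev in evs:
            latest[ev.auth_type] = ev  # last event wins per session type
        active = [ev for ev in latest.values() if ev.state != "Disconnected"]
        state = max(active, key=lambda e: e.seen).state if active else "Disconnected"
        rows[mac] = {
            "state": state,
            "last_seen": evs[-1].seen,
            "auth_type": evs[-1].auth_type,  # latest method used
            "all_auth_types": sorted(latest, key=lambda a: RANK.get(a, len(RANK))),
        }
    return rows


def scores(health_details):
    """Score counts only details used in the quarantine decision; Actual Score
    also includes the Informational and Warning details."""
    actual = sum(d["score"] for d in health_details)
    score = sum(d["score"] for d in health_details
                if d["level"] not in ("Informational", "Warning"))
    return score, actual


# Constructed sample data (not real end-systems).
SAMPLE_EVENTS = [
    Event("aa:bb:cc:dd:ee:01", "MAC", "Accept", datetime(2024, 5, 1, 9, 0)),
    Event("aa:bb:cc:dd:ee:01", "802.1X", "Accept", datetime(2024, 5, 1, 9, 5)),
    Event("aa:bb:cc:dd:ee:01", "802.1X", "Disconnected", datetime(2024, 5, 1, 9, 30)),
    Event("aa:bb:cc:dd:ee:02", "MAC", "Accept", datetime(2024, 5, 1, 8, 0)),
    Event("aa:bb:cc:dd:ee:02", "MAC", "Disconnected", datetime(2024, 5, 1, 8, 10)),
    Event("aa:bb:cc:dd:ee:03", "802.1X", "Quarantine", datetime(2024, 5, 1, 10, 0)),
]
SAMPLE_HEALTH = [{"level": "High", "score": 20}, {"level": "Medium", "score": 10},
                 {"level": "Warning", "score": 10}, {"level": "Informational", "score": 5}]
```

The first end-system keeps an active MAC session after its 802.1X session disconnects, so its row stays Accept; the second has no active session left and shows Disconnected.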
Actions
TIP: These actions are also available from the right-click menu off an end-system entry in the table.
- Force Reauthentication
- Forces the selected end-system to re-authenticate. End-systems authenticated to a VPN device are disconnected from the VPN.
- Force Reauth and Scan
- Forces the selected end-system to re-authenticate and undergo an assessment (scan). (End-systems authenticated to a VPN device are disconnected from the VPN.) The assessment only takes place if scanning is enabled in the ExtremeControl profile assigned to the end-system.
- Add to Group
- Lets you add the selected end-system to a specific end-system or user group. If the end-system is a registered device, it can be added to a registration group. After adding an end-system to a group, any rules created that involved that group apply to the end-system as well. Changes to end-system group membership do not require an enforce and are synchronized with engines immediately. Changes do not affect the end-system until the next authentication or assessment occurs.
NOTE: Entries in the Blacklist are not moved or removed using this function. You must manually remove entries from the Blacklist End-System group.
- Lock MAC
- Opens the Add MAC Lock window where you can lock the MAC address of the selected end-system to a switch or switch and port.
- Show Details
- Opens the End-System Details tab where you can view summary information for the end-system selected in the table.
- Delete
- Deletes the selected end-system entries from the table and also deletes the associated end-system events. You are given the option to delete any custom information, group assignment, MAC locks, and registration and web authentication associated with the end-systems.
The Force Delete of End-System option completely deletes the end-system from ExtremeCloud IQ Site Engine, regardless of whether the end-system reauthentication is successful when the delete is executed. The option is deselected by default. When deselected, it prevents possible synchronization conditions where the authentication session remains active on the switch even though the end-system has been deleted from ExtremeCloud IQ Site Engine. These conditions can occur when there are underlying issues that prevent the end-system reauthentication from completing properly.
NOTES: The Delete operation does not remove an end-system from the blocked list group. Blocked list is a special group that requires end-systems to be manually removed using the Edit End-System Group window. Deleting an end-system from the table also deletes the user's current authentication. If the user is connected to the network at the time of the delete, they are forced to re-authenticate.
Menu Buttons
The menu at the top of the window contains most of the options available from the right-click menu described in the Actions section above, as well as the End-System Events button, described below.
- All End-System Events
- Opens the End-System Events tab where you can view information about events for all end-systems accessing your network.
End-System Events Tab
This tab displays historical connection information for all end-systems accessing your network. End-system events are stored daily in the database. In addition, the end-system event cache stores in memory the most recent end-system events and displays them here in this tab. This cache allows ExtremeCloud IQ Site Engine to quickly retrieve and display end-system events without having to search through the database. You can configure parameters for the event cache (such as the number of events to display) using the End-System Event Cache options in the ExtremeControl Options view (Administration > Options > ExtremeControl > End-Systems Event Cache).
NOTE: The End-System Events tab displays events up to the most recent delete event for the end-system, if one exists. If you want to see events that happened prior to the most recent delete event, use the Search for Older Events button.
- State
- The end-system's connection state:
- Scan — The end-system was scanned.
- Accept — The end-system was granted access with either the Accept policy or the attributes returned from the RADIUS server.
- Quarantine — The end-system was quarantined because the assessment failed.
- Reject — The end-system was rejected because the assigned ExtremeControl profile was set to Reject, the MAC Locking test failed, or the RADIUS server was reachable but rejected the authentication request.
- Disconnected — This end-system session was disconnected, however other sessions for the end-system may still be active. For example, the end-system may have a disconnected session with an authentication type of 802.1X, but still have an active MAC authentication session. This state is only applicable for end-systems connected to switches that have RADIUS accounting enabled.
- Error — Indicates one of nine problems:
- the MAC to IP resolution failed
- the MAC to IP resolution timed out
- all RADIUS servers are unreachable
- the RADIUS request was non-compliant
- all assessment servers are unavailable
- the assessment server can't reach the end-system
- no assessment servers are configured
- the assessment server is not compatible with the current version of ExtremeCloud IQ Site Engine
- the username and password configured in the Assessment Server panel of the ExtremeControl options (Administration > Options > ExtremeControl > Assessment Server) are incorrect for the assessment server
- ExtremeControl Engine/Source IP
- The IP address of the ExtremeControl engine on which the event occurred.
- Profile
- The name of the ExtremeControl profile assigned to the end-system when it connected to the network.
- MAC Address
- The MAC address of the end-system on which the event occurred. MAC addresses can be displayed as a full MAC address or with a MAC OUI (Organizational Unique Identifier) prefix.
- State Description
- This column provides more details about the end-system state. For example, if the end-system's connection state is Reject, this column might list the RADIUS server (primary or secondary) that rejected the authentication request.
- Reason
- Provides additional information about why the end-system is in its particular connection state, such as why a policy was applied to the end-system or why the end-system was rejected.
- Authorization
- The attributes returned by the RADIUS server. If the end-system is connected to a switch that supports multi-authentication, then this column may not reflect the actual active policy for the authenticated user. For Layer 3 ExtremeControl Controller engines, this column displays the policy assigned to the end-system for its authorization.
- Auth Type
- Identifies the authentication method used by the end-system to connect to the network. For Layer 3 ExtremeControl Controller engines, this column shows IP.
- Switch IP
- The IP address of the switch to which the end-system connected. If the end-system is connected to an ExtremeControl Controller engine, this is the ExtremeControl Controller PEP (Policy Enforcement Point) IP address.
- Switch Port
- The switch port number to which the end-system is connected. If the end-system is connected to a Layer 2 ExtremeControl Controller engine, this is the ExtremeControl Controller PEP (Policy Enforcement Point) port. However, for Layer 3 ExtremeControl Controller engines this column is blank.
- Switch Location
- The physical location of the switch to which the end-system is connected. If the end-system is connected to an ExtremeControl Controller engine, this is the ExtremeControl Controller PEP (Policy Enforcement Point) location.
- Last Scan Time
- Displays the last time ExtremeCloud IQ Site Engine scanned the end-system on which the event occurred.
- Zone
- Displays the end-system zone to which the end-system is assigned. For additional information, see End-System Zones.
- Event Source
- Displays the origin of the end-system in the network:
- Access Control engine — An Access Control engine.
- Wireless Manager — An ExtremeWireless Controller or AP.
- ExtremeXOS/Switch Engine ID Manager — An Extreme switch running ExtremeXOS/Switch Engine with the Identity Manager feature configured to send events to ExtremeCloud IQ Site Engine.
- OneFabric Connect — An ExtremeConnect module (e.g. Solutions Architecture and Innovation (SAI) integration)
- One Controller — The Extreme SDN Controller.
- Engine Group
- This column is only displayed if you have multiple engine groups. It displays the engine group the ExtremeControl engine was in when the end-system event was generated. For example, if the engine was in Engine Group A when an end-system connected and was later moved to Engine Group B, this column still lists Engine Group A for that event.
- Search for Older Events
- This button lets you search for older events stored in the database outside of the end-system events cache. The maximum search parameters for this extended search are configured in the End-System Event Cache options in the ExtremeControl Options view (Administration > Options > ExtremeControl > End-System Event Cache). The search is ended when any one of the parameters is reached.
- Maximum number of results to return from search
- Maximum time to spend searching for events (in seconds)
- Maximum number of days to go back when searching