End-Systems Tab

The End-Systems tab on the Control tab in ExtremeCloud IQ Site Engine displays detailed information about the end-systems in your network. Use the End-Systems tab to review configuration and authentication information, as well as to view any events involving your end-systems, and to review the health of devices using your network.

The tab is divided into two sections:

End-Systems Data Table
End-System Events and Health Results Table

End-System Data Table

Select an end-system in the table to activate several tabs at the top of the page that provide access to more details about your end-systems. There are also several buttons at the bottom of the table that you can use to perform other table functions.

NOTE:

The following End-System table columns cannot be sorted: MAC OUI vendor, Switch Nickname, Switch Location.

Add to Group: Allows you to add the selected end-system to a new or additional end-system group. You can also opt to remove the end-system from its current group assignments and update registration.

Force Reauthentication: Forces the selected end-system to reauthenticate. End-systems authenticated to a VPN device are disconnected from the VPN.

Tools

Provides access to several tools and functionality you can use to access more details about your end-system data:

Show Details - Select to open the End-Systems Details page for the selected end-system.
Add to Group - Select to add the end-systems to a new or additional end-system group.
Edit Custom Information - Select to edit custom data fields for the selected end-system. Select OK to save your edits.
Lock MAC - Select to lock the MAC address for the selected end-system to the switch and port.
Delete - Select to delete the selected end-system from the table.

Ping End-System - Select to open a window where you can ping a selected end-system to determine if it can be contacted. The following fields are displayed:

Name - The hostname of the end-system
IP Address - The IPv4 address for the end-system
Result - The output string which indicates whether the end-system is reachable.

Select Ok to close the window. Select another end-system and the Ping End-System tool option to ping that end-system.

NOTE:

You can select one end-system at a time to ping. If you select multiple end-systems and then select Ping, the Ping option is not available. The Ping option is also not available if no end-systems are displayed in the table.

PortView - Select to open the PortView details page.
Search Maps - Select to search for the selected end-system in all of your maps.
Guest Access and Registration - Select to launch the Guest Registration Administration page for the engine you choose.
Device Type Detection and Profiling Information - Select to open the Device Type Detection and Profiling page.
Export End-Systems to CSV - Select to open the Export End-System Data window, through which you can export the end-system data to a CSV file.
Configuration Evaluation Tool - Select to launch the Configuration Evaluation Tool, which will evaluate the end-system's authorization and authentication details.
Reload End-System Cache(s) - Select to refresh end-system cache data.
Clean Up Data - Select to remove end-systems via the Clean Up Data window.

Table Status

Provides status updates in the table for the end-systems in your network.

Note:

The End-Systems table is sorted by the Last Seen Time by default. Sorting using any other column will automatically pause the table to allow sorting on those columns (except the OUI Vendor and Switch Nickname columns - these columns cannot be sorted). Reverting to a Live view will revert back to the "Last Seen Time" sort, in descending order.

There are three options:

Live - In this view, end-systems in the table update, and any new end-systems will display. You must sort the table by the Last Seen Time column, in descending order.
Live Current Page - In this view, end-systems update but new end-systems do not appear automatically in the table. Also, end-systems will not automatically sort in this mode as their data changes.
Paused - This view is a snapshot of current end-system data. End-system data does not update in the table. Select the Refresh button () to update the data in the table.

All End-System Events

Opens the End-System Events tab, where you can view information about events for all end-systems accessing your network.

NOTE:

The following End-System Events table columns cannot be sorted: Switch Nickname, Switch Location.

Filter

The Filter functions are activated if a filter is applied to a column (or if you select the Devices button to sort the devices in the table by Device Family).

Note:

The End-Systems Table can be filtered for negative values. To filter a column in the End-systems Table for a negative value, select the down arrow in the column heading to open the filter drop-down list. Select Filters and add the word or value for which you want to filter and add an exclamation point symbol (!) at the start of the search word.

For example, if you are searching for all the rows in the in the Device Family column that do not contain a "Windows" string, enter "!Windows" in the search value field. See the image below:

You can also filter for negative values by selecting the column header and then selecting the Filter button. Enter the word or value for which you want to filter the data and select the Does not match value check box. See the image below:

Devices: Allows you to sort the devices by Device Family. Select the Device Family or Families (or select All) from the drop-down menu.

Search: The search tool enables you to search for full or partial matches on fields in the table.

Double-click any end-system in the End-Systems Data Table to open the End-System Details tab. The End-Systems Data Table includes the following columns:

State

The end-system's connection state:

Scan — The end-system is currently being scanned.
Accept — The end-system is granted access with either the Accept policy or the attributes returned from the RADIUS server.
Quarantine — The end-system is quarantined because the assessment failed.
Reject — The end-system was rejected because the assigned ExtremeControl profile was set to Reject, the MAC Locking test failed, or the RADIUS server was reachable but rejected the authentication request.
Disconnected — All sessions for the end-system are disconnected. This state is only applicable for end-systems connected to switches that have RADIUS accounting enabled.
Error — Indicates one of nine problems:
- the MAC to IP resolution failed, if assessment is enabled
- the MAC to IP resolution timed out, if assessment is enabled
- all RADIUS servers are unreachable
- the RADIUS request was non-compliant
- all assessment servers are unavailable
- the assessment server can't reach the end-system
- no assessment servers are configured
- the assessment server is not compatible with the current version of ExtremeControl
- the username and password configured in the Assessment Server panel of the ExtremeControl options (Administration > Options > ExtremeControl > Assessment Server) are incorrect for the assessment server.

ID: The device identification number in ExtremeCloud IQ Site Engine.

Last Seen

The last time the end-system was seen by the ExtremeControl engine.

Note:

IP Address: The end-system's IPv4 address.

IPv6 Address: The end-system's IPv6 address or addresses.

OV MAC Address: The end-system's OV MAC key.

MAC Address: The end-system's MAC address. MAC addresses can be displayed as a full MAC address or with a MAC OUI (Organizational Unique Identifier) prefix. If the MAC address of the end system belongs to an administratively assigned range (randomized MAC), then the MAC is displayed in italic font.

MAC OUI Vendor: The vendor associated with the OUI of the end-system's MAC address.

Host Name: The end-system's hostname.

Device Family: The hardware family or the operating system family for the end-system.

Device Type: The hardware type or the operating system type for the end-system.

User Name: The user name used to connect the end-system to the network.

Site: The site of the switch to which the end-system is connected.

Switch IP: The IP address of the switch to which the end-system is connected..

Switch Nickname

An alternate name for the switch.

NOTE:

Configure the nickname on the Device Annotation tab in the Configure Device window.

Switch Port: The port alias (if defined) followed by the switch port number to which the end-system is connected.
If you add or update the port alias on the switch, you must enforce the ExtremeControl engine in order for the new information to be displayed in the End-Systems table. In addition, the port information is updated internally in Access control every 15 minutes. Therefore, if new port information is added to the device—for example , a WLAN is added for a wireless controller—the new port information displays within 15 minutes.

Policy: The name of the ExtremeControl policy role assigned to the end-system when it connected to the network.

Authorization: The attributes returned by the RADIUS server for this end-system. If the end-system is connected to a switch that supports multi-authentication, then this column may not reflect the actual active policy for the authenticated user. For Layer 3 ExtremeControl Controller engines, this column displays the policy assigned to the end-system for its authorization.

Risk

The overall risk level assigned to the end-system based on the health result of the scan:

Red — High Risk
Orange — Medium Risk
Yellow — Low Risk
Green — No Risk
Gray — Unknown

Profile: The name of the ExtremeControl profile assigned to the end-system when it connected to the network.

Reason: Provides information about the reason the ExtremeControl profile is assigned to the end-system.

Authentication Type: Identifies the latest authentication method used by the end-system to connect to the network. (For Layer 3 ExtremeControl Controller engines, this column displays "IP.")

State Description: This column provides more details about the end-system state. For example, if the end-system's connection state is Reject, this column might list the RADIUS server (primary or secondary) that rejected the authentication request.

Extended State: Provides the reasons why the end-system is in its particular connection state. It gives you an idea as to why a certain policy was applied to the end-system or why the end-system was rejected.

Access Control Engine / Source IP: The ExtremeControl engine to which the end-system is connecting.

Engine Group: Displays what engine group the ExtremeControl engine was in when the end-system event was generated. For example, if the engine was in Engine Group A when an end-system connected, but then later the engine was moved to Engine Group B, this column would still list Engine Group A for that end-system's entry. If an engine was only in one engine group, this column displays "Default."

RFC3580 VLAN: For end-systems connected to RFC 3580-enabled switches, this is the RFC3580 VLAN ID assigned to the end-system.

Warning Time: Shows the time for warning. This column is hidden by default.

Last Quarantined: The last time the end-system was quarantined.

Score: The total sum of the scores for all the health details that were included as part of the quarantine decision.

Top Score: The highest score received for a health detail in the health result.

Actual Score: The actual score is what the total score would be if all the health details including those marked Informational and Warning were included in the score.

Switch Port Index: The SNMP index (ifIndex) of the port to which the end-system connected.

Switch Location: The physical location of the switch to which the end-system connected. If the end-system is connected to an ExtremeControl Controller engine, this is the ExtremeControl Controller PEP (Policy Enforcement Point) location.

ELIN: An extended set of data for an end-system based on a MAC address.

Port Info Raw: Displays unformatted information as it is received from the port.

All Authentication Types: This column displays all the authentication methods the end-system has used to authenticate. The authentication types are listed in order of precedence from highest to lowest: Switch Quarantine, 802.1X, CHAP, PAP, Kerberos, MAC, CEP, RADIUS Snooping, Auto Tracking. View details about each authentication session (such as the ExtremeControl profile that was assigned to the end-system for each authentication type) in the End-System Events tab.

Last Scan Result: The last scan result assigned to the end-system: Scan, Accept, Quarantine, Reject, Error. This is the state assigned to the end-system as a result of the last completed scan. This typically matches the end-system State if scanning is currently enabled and has been performed recently.

Last Scanned: The last time an assessment (scan) was performed on the end-system.

First Seen: The first time the end-system was seen by the ExtremeControlengine.

NAP Capable: Indicates whether the end-system is Microsoft NAP (Network Access Protection) capable: Yes or No

Custom

Use this column to add additional information about the end-system. To add or edit custom information, right-click on the table and select Edit Custom Information. You can add information for up to four Custom columns. The columns for Custom 2, Custom 3, and Custom 4 are hidden by default. To display these columns, select the down arrow to the right of the table header and select Columns > Column 2, Column 3, or Column 4.

NOTE:

Change the name of the Custom columns in the ExtremeControl options.

Registered User: The registered username supplied by the end-user during the registration process.

Registered Email: The registered email address supplied by the end-user during the registration process.

Registered Phone: The registered phone number supplied by the end-user during the registration process.

Sponsor: The registered user's sponsor, if sponsorship is enabled.

Registration 1-5: Custom information supplied by the end-user during the registration process.

Registration Description: The device description supplied by the end user during the registration process.

Groups: Displays any end-system and/or user groups to which the end-system belongs.

Group 1-3: Displays the names of up to three end-system and/or user groups to which the end-system belongs.

Zone: Displays the end-system zone to which the end-system is assigned.

Request Attributes: Indicates if RADIUS attributes are requested.

Registration Type: Shows the type of end-system connection (for example, Transient).

RADIUS Server IP: The IP address of the RADIUS server to which the end-system authenticated.

Source

Displays the origin of the end-system in the network:

ExtremeControl engine — An ExtremeControlengine.
Wireless Manager — An ExtremeWireless Controller or AP.
ExtremeXOS/Switch Engine ID Manager — An Extreme switch running ExtremeXOS/Switch Engine with the Identify Manager feature configured to send events to ExtremeCloud IQ Site Engine.
OneFabric Connect — An ExtremeConnect module (e.g. Solutions Architecture and Innovation (SAI) integration)
One Controller — The Extreme SDN Controller.

DCM: Data Center Manager. This column is hidden by default.

Certificate Expiration: Expiration date of the certificate issued for 802.1x authentication.

Certificate Issuer: Name of the issuer of the certificate issued for 802.1x authentication.

Certificate Fingerprint: The attributes in an SSL handshake used for identifying the end-system.

Certificate URI: The URL portion of the Subject Alternative Name when 802.1X EAP-TLS is used. This field is hidden by default.

Buttons

The following buttons and functions are included at the bottom of the End-Systems Data Table:

Paging Toolbar: The paging toolbar provides four buttons that let you easily page through the table: first, previous, next, and last page.

Refresh: Use the refresh button to update the data in the table.

Reset: The reset button clears the search field and search results, clears all filters, and refreshes the table.

Bookmark: Use the Bookmark button to save the search, sort, and filtering options you have currently set.

End-System Events and Health Results Table

Select an end-system in the End-System Data Table to display data in the End-System Events and Health Results Table.

The table contains two tabs:

Events - Displays detailed information about any events in which the selected end-system was involved.
Health - Displays detailed information about the health of the selected end-system.

Double-click any end-system in the table to open the End-System Details tab.

Related Information

For information on related help topics:

Control Tab