Working on setting up a 5050 with user-id mapping against 2 domain controllers. the agent-less, WMI based setup is working fine thus far, except I cant figure out how to exclude certain IP ranges.
For instance. We have a VPN appliance that does Kerberos authentication to the AD Domain. Everytime a user logs in, it associates the IP of the device requesting authentication as a user-id map. Id like to just exclude that device from ever being learned. Along with the domain controllers and some other servers themselves.
I have tried a few different include/excludes on all the zones with UID turned on, but it doesnt seem to stop those IPs from being learned.
Solved! Go to Solution.
I tried that. But that makes it so the mapping isnt learned from the AD servers themselves.
Example. AD Servers at 10.0.0.1/16 and 10.0.0.2/16. I dont want to learn who is logged onto the AD servers, or any other server in the 10.0.0.0/16 subnet. Only clients in another subnet. I put exclude 10.0.0.0/16 in that list and then NOTHING gets learned except the IPs from RADIUS accounting. Just seems like it is malfunctioning somehow.
EDIT: IIRC, that made it so it wouldnt discover the AD servers themselves. Because the servers in the box above disappeared shortly afterwards.
EDIT2: To clarify. If I have 10.0.0.0/16 and AD servers 10.0.0.1/10.0.0.2 and other misc servers or appliances at 10.0.0.20-25. I do not want a username to ever be associated with IPs 10.0.0.1, 10.0.0.2, 10.0.0.20-25.
I just did it. The same thing happened. All the IPs learned from the AD servers in the excluded range went away. Im not completely clear on what enabled and discovery are for. They seem to have differing functions.
If you have 10.0.0.0/16 as part of the exclude network, any ip in this range will not have an associated ip-user mapping. Anything not part of this, say 192.168.0.0/16 that are learned from your server should have a mapping.
Discovery - is to define the include or exclude list
Enable option lets you enable the above option (include/exclude). If you do not have this checked, the include/exclude list will not take effect.
Im going to leave it overnight. I think, maybe, Im just impatient... LOL.
That, and I had to put a final allow line at the bottom...
Have you tried adding the single IP addresses with /32 subnet? So...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!