Access Control Daily Persistence Check

If an End System was not active for the amount (or greater) of days that is defined within the ‘Age ‘End-Systems older than’ variable, the end system is removed from the NAC.

The default value is 90 days.   For example, if an end system is not active for >90 days, using this default setting and the default ‘Remote Associated Registration Data’ is checked, the End system is removed completely from the NAC.

Daily Persistence

Access Control End-Systems Filtering

The End-Systems table can be filtered to help manage access control.

Filter the State column to show the Rejected devices or Disconnected devices. And then filter again on the Last Seen column to filter by date (before or after) which could be useful to do when purging old entries. The list can be filtered based on Authentication Type ie MAC.


If you want to trigger an email based on a specific event go to Control>Access Control>Configuration>Notifications. You can add a new condition that will generate an email to a helpdesk for example.

Notifications can send an email if triggered, or execute a workflow, syslog event or script.

Adding additional RADIUS Attributes in Control

Cannot edit the default RADIUS attributes in Control but can copy to another name and edit the copy. This is useful when you want to add additional attributes to send to the switch, for example, when need to allow Management CLI login for administration purposes.

The attributes needed by the switches may vary but you can refer to custom values within the policy mappings. For example, ERS BOSS switches use the Service Type attribute to send the value 6 (RWA) which can be set in a custom field ie %CUSTOM1% or under Management and select Access [User Defined] Management Service Type.

Workflows and Email

Import Workflows from Extreme Networks github site and can send email reports with some of them.

For example, there is a Workflow which provides a report via email of the Pilot and Navigator licenses for all devices in XIQ-SE.

There is a Workflow which can login to ERS switches and capture the serial number and email a CSV file.

You need to configure an SMTP email server and edit the configuration file with some mail properties and then restart Netsight.



I used Google’s SMTP Proxy to email to outside email addresses ( I had to turn on “Allow Less Secure Apps” which is not ideal and might be disabled by Google soon.

Configure SMTP Server and login account under Administration>Options>SMTP Email.

Unmanaged Devices in XIQ-SE

If the checkbox Poll Status Only is selected when add a new device to Network>World>Devices this will make it unmanaged and will not be visible in XIQ and it will also not consume a pilot license. The information available for the device will be minimal and not as complete if the device has Poll Type SNMP.

Unmanaged devices cannot be added to Access-Control.

The device would have to be deleted from the database and re-added leaving the checkbox Poll Status Only unchecked.

The device should use an SNMP Profile which matches the switch and once added it will appear under devices and onboard to XIQ via XIQ-SE. The device will consume one pilot license. Device View will show more information such as Port status. The switch can be added to Access-Control because it is now Managed.