Access Control Daily Persistence Check

If an End System was not active for the amount (or greater) of days that is defined within the ‘Age ‘End-Systems older than’ variable, the end system is removed from the NAC.

The default value is 90 days.   For example, if an end system is not active for >90 days, using this default setting and the default ‘Remote Associated Registration Data’ is checked, the End system is removed completely from the NAC.

Daily Persistence

Access Control End-Systems Filtering

The End-Systems table can be filtered to help manage access control.

Filter the State column to show the Rejected devices or Disconnected devices. And then filter again on the Last Seen column to filter by date (before or after) which could be useful to do when purging old entries. The list can be filtered based on Authentication Type ie MAC.


If you want to trigger an email based on a specific event go to Control>Access Control>Configuration>Notifications. You can add a new condition that will generate an email to a helpdesk for example.

Notifications can send an email if triggered, or execute a workflow, syslog event or script.

Adding additional RADIUS Attributes in Control

Cannot edit the default RADIUS attributes in Control but can copy to another name and edit the copy. This is useful when you want to add additional attributes to send to the switch, for example, when need to allow Management CLI login for administration purposes.

The attributes needed by the switches may vary but you can refer to custom values within the policy mappings. For example, ERS BOSS switches use the Service Type attribute to send the value 6 (RWA) which can be set in a custom field ie %CUSTOM1% or under Management and select Access [User Defined] Management Service Type.

Workflows and Email

Import Workflows from Extreme Networks github site and can send email reports with some of them.

For example, there is a Workflow which provides a report via email of the Pilot and Navigator licenses for all devices in XIQ-SE.

There is a Workflow which can login to ERS switches and capture the serial number and email a CSV file.

You need to configure an SMTP email server and edit the configuration file with some mail properties and then restart Netsight.



I used Google’s SMTP Proxy to email to outside email addresses ( I had to turn on “Allow Less Secure Apps” which is not ideal and might be disabled by Google soon.

Configure SMTP Server and login account under Administration>Options>SMTP Email.

Unmanaged Devices in XIQ-SE

If the checkbox Poll Status Only is selected when add a new device to Network>World>Devices this will make it unmanaged and will not be visible in XIQ and it will also not consume a pilot license. The information available for the device will be minimal and not as complete if the device has Poll Type SNMP.

Unmanaged devices cannot be added to Access-Control.

The device would have to be deleted from the database and re-added leaving the checkbox Poll Status Only unchecked.

The device should use an SNMP Profile which matches the switch and once added it will appear under devices and onboard to XIQ via XIQ-SE. The device will consume one pilot license. Device View will show more information such as Port status. The switch can be added to Access-Control because it is now Managed.

XIQ-SE and NAC Upgrade


Upgrading ExtremeCloud IQ – Site Engine Engine Software
Upgrades to the ExtremeCloud IQ – Site Engine engine software are available on
the ExtremeCloud IQ – Site Engine web page.
Prior to performing an upgrade, you can create a snapshot of the engine that
you can revert to in the event an upgrade fails. Refer to the vSphere client
documentation for instructions on creating a snapshot.
1. On a system with an internet connection, go to the ExtremeCloud IQ – Site Engine
web page:
2. Enter your email address and password.
You will be on the ExtremeCloud IQ – Site Engine page.
3. Click on the Software tab and select a version of ExtremeCloud IQ – Site Engine.
4. Download the ExtremeCloud IQ – Site Engine virtual engine image from the
ExtremeCloud IQ – Site Engine Virtual Appliance (engine) section.
5. Use FTP, SCP, or a shared mount point, to copy the file to the ExtremeCloud IQ – Site
Engine virtual engine.
6. SSH to the engine.
7. Cd to the directory where you downloaded the upgrade file.
8. Change the permissions on the upgrade file by entering the following command:
chmod + x ./ExtremeCloudIQSiteEngine_<version>_64bit_
9. Run the install program by entering the following command:
The upgrade automatically begins.
The ExtremeCloud IQ – Site Engine Server are restarted automatically when the
upgrade is complete. Because your ExtremeCloud IQ – Site Engine engine
settings were migrated, you are not required to perform any configuration on
the engine following the upgrade.


After upgrade verify that NAC Joins the Active Directory Domain.

cd /var/log

cat tag.log | grep “Joined”

Enforce after upgrading.

Check date and time and if necessary reset with /usr/postinstall/dateconfig command.

Upgrading XIQ-SE took about ten minutes to complete and further five minutes before I could login again.

Upgrading NAC took approximately ten minutes but allow for thirty minutes.

Recommended to take a snapshot of your VMs before upgrading.  Also, backup the XIQ-SE database to be super safe.