User's Guide
Table Of Contents
- Table of Contents
- Preface
- Welcome to Extreme Campus Controller
- Dashboard
- Monitor
- Sites List
- Device List
- Access Points List
- Smart RF Widgets
- Switches List
- Networks List
- Clients
- Policy
- Configure
- Network Configuration Steps
- Sites
- Add a Site
- Modifying Site Configuration
- Site Location
- Adding Device Groups to a Site
- Add or Edit a Configuration Profile
- Associated Profiles
- Associated Networks
- Mesh Point Profile Configuration
- Configure Client Bridge
- Understand Radio Mode
- Radio as a Sensor
- Advanced AP Radio Settings
- VLAN Profile Settings
- AirDefense Profile Settings
- ExtremeLocation Profile Settings
- IoT Profile Settings
- Positioning Profile Settings
- Analytics Profile Settings
- RTLS Settings
- Advanced Configuration Profile Settings
- Configuring RF Management
- Configuring a Floor Plan
- Advanced Tab
- Devices
- Networks
- Policy
- Automatic Adoption
- ExtremeGuest Integration
- AAA RADIUS Authentication
- Onboard
- Onboard AAA Authentication
- Manage Captive Portal
- Manage Access Control Groups
- Access Control Rules
- Tools
- Administration
- System Configuration
- Manage Administrator Accounts
- Extreme Campus Controller Applications
- Product License
- Glossary
- Index
Table 25: Preconfigured Policy Roles (continued)
Role Description
Assessing The Assessment access policy temporarily allocates a set of
network resources to end-systems while they are being
assessed. Typically, the Assessment access policy allows access
to basic network services (e.g. ARP, DHCP, and DNS), permits
all IP communication to the Assessment servers so the
assessment can be successfully completed, and HTTP to
redirect web trac for Assisted Remediation.
For RFC 3580-compliant switches, the Assessment access
policy may be mapped to the Quarantine VLAN. It is not
mandatory to assign the Assessment policy to a connecting
end-system while it is being assessed. The policy role received
from the RADIUS server or an accept policy can be applied to
the end-system, allowing the end-system immediate network
access while the end-system assessment is occurring in the
background. In this case, the policy role or accept policy (or the
associated VLAN for RFC 3580-compliant switches) must be
configured to allow access to the appropriate network
resources for communication with the Assessment servers.
Note: The Assessment server sends an ICMP Echo Request (a
"ping") to the end-system before the server begins to test IP
connectivity to the end-system. Therefore, the Assessment
policy role, the router ACLs, and the end-system's personal
firewall must allow this type of communication between end-
systems and Assessment servers in order for the assessment to
take place. If the Assessment server cannot verify IP
connectivity, the Failsafe policy is assigned to the end-system.
Failsafe The Failsafe access policy is applied to an end-system when it is
in an Error connection state. An Error state results if the end-
system's IP address could not be determined from its MAC
address, or if there was an assessment error and an assessment
of the end-system could not take place. For RFC 3580-
compliant switches, the Failsafe access policy may be mapped
to the Production VLAN.
Pass Through External RADIUS Use this policy when the AAA mode is RADIUS (using an
external RADIUS server). When this policy is selected, end-
systems that match the rule get the RADIUS attributes from the
upstream server's ACCEPT response, including Filter-Id.
Use Default Auth Role Use the Default Auth Role that is configured for the wireless
network that the end-system is connected to.
Related Topics
Add Policy Roles on page 260
Role Widgets
Widgets for an individual role policy show the following information:
• Top applications (by throughput) per role
• Top applications (by throughput) by concurrent users per role
Monitor
Roles List
Extreme Campus Controller User Guide for version 5.46.03 113