Deployment Guide

ManualsBrandsExtreme Networks ManualsComputers & AccessoriesWired and wireless orchestration for campus and IoT networks

101

102

103

104

105

106

107

108

109

110

Table Of Contents

Table of Contents
Preface
- Conventions
  - Text Conventions
- Documentation and Training
- Send Feedback
- Help and Support
- AP Regulatory Information
About Extreme Campus Controller Deployment
- Deploying Extreme Campus Controller
- VE6120K, VE6125K Virtual Appliances
- VE6120H Virtual Appliance
- VE6120 Virtual Appliance
- VE6125 Virtual Appliance
- Supported Appliance Specifications
- Discovery and Registration
  - Discovery Process for APs and Adapters in a Centralized Site
    - Discovering Centralized Site APs and Adapters
  - Switch Discovery Process
    - Discovering Switches
    - Switch Discovery in an Availability Pair
- Sites
- Device Groups
Configuring DHCP, NPS, and DNS Services
- DHCP Service Configuration
  - Configuring DHCP on Windows Server 2012 R2
  - Configuring DHCP on a Red Hat Linux Server
    - Configuring DHCP Option 43 on a Linux Server
- Configuring the Extreme Campus Controller as an NPS Client
- NPS Service Configuration
  - Add a New Network Policy
    - Create Condition: Client IPv4 Addresses
    - Create Condition: Windows Groups
- DNS Service Configuration
  - Configuring DNS for Wireless AP Discovery
  - Configuring DNS on a Linux Server
- Configure Extreme Campus Controller for Local DHCP Management
  - Add a Physical Interface
  - Local DHCP Settings
Centralized Site with a Captive Portal
- Deployment Strategy
- Adding a Centralized Site with Device Group
- Configuring an Internal Captive Portal
- Specifying B@AC Network Topology
- Configuring a Captive Portal Network
- Working with Internal Captive Portal Engine Rules
- Editing Device Group Profile for Network and Role
- Creating Adoption Rules
Centralized Site with AAA Network
- Deployment Strategy
- Configuring a AAA Network
- Creating an Engine Rule
- Creating a Policy Role
- Applying a AAA Network and Role to the Device Group
Deploying a Mesh Network
- Deployment Strategy
- Mesh Point Network Settings
- Configure Device Groups for Mesh Point
- Advanced Configuration Profile and Mesh Device Settings
  - Profile Advanced Settings
  - Edit Mesh Device Settings
Configuring an External NAC Server for MBA and AAA Authentication
- Deployment Strategy
- Configuring the External NAC Server
- Network with Default Auth Role
  - Configuring an MBA Network
  - Configuring a AAA Network
- Network with Pass-Through External RADIUS
  - Configuring an MBA Network
  - Configuring a AAA Network
Manage RADIUS Servers for User Authentication
- RADIUS Settings
- Advanced RADIUS Settings
- Configure a Pass Through Rule
External Captive Portal on a Third-Party Server
- Firewall Friendly External Captive Portal Flow of Events
  - FF-ECP on Extreme Campus Controller
- Configure the Firewall
- Configure an External Captive Portal
- Understand Processing Performed by the ECP
  - The Redirection URL Sent from Extreme Campus Controller
    - Verifying the Signed Request
  - Compose the Login or Splash Screen Page
- Approve the Client
- Compose the Redirection Response Sending the Browser back to the Appliance
Access Control Rule Admin Portal Access
- Deployment Strategy
- Configure Access Control Group
  - Default Access Control Groups
- Configure Admin Access Policy Role
- Configure Access Control Rule
  - Default Access Control Rules
- Define Rule Precedence
Deploying Centralized Web Authentication
- Deployment Strategy
- CWA with ISE Deployment
- CWA with ExtremeControl Deployment
Deploying ExtremeCloud IQ - SE as an External Captive Portal
- Deployment Strategy
- Configuring an External Captive Portal Network
- Editing the Configuration Profile for Network and Roles
- Extreme Campus Controller Default Pass-Through Rule
- Adding Extreme Campus Controller as a Switch to ExtremeCloud IQ - Site Engine
- Editing the Unregistered Policy on ExtremeCloud IQ - Site Engine
- Editing the ExtremeCloud IQ - Site Engine Profile for Policy and Location-Based Services
Deploying an ExtremeGuest Captive Portal
- Deployment Strategy
- Configure an ExtremeGuest Server
- Configure an ExtremeGuest Captive Portal Network
- Configuration Settings on ExtremeGuest
Deploying Client Bridge
- Deployment Strategy
- AP Client Bridge
- Configure Client Bridge
Deploying an Availability Pair
- Deploying an Availability Pair
Deploying Universal APs
- Onboarding Universal APs — ExtremeCloud IQ, Extreme Campus Controller
Extreme Campus Controller Pair with ExtremeLocation and AirDefense
- Scenario Outline
- Deployment Strategy
- Configuring the Centralized Site with an AP3915 Profile
- Configuring ExtremeLocation
- Configuring AirDefense
ECP Local Authentication
- Scenario Outline
- Deployment Strategy
- Configuring External Captive Portal Network
- Editing the Device Group Profile for ECP Network
PHP External Captive Portal, Controller’s Firewall Friendly API
- net-auth.php
- login.php
- common_utilities.php
- crypt_aws_s4.php
- ffecp-config.php
Index
- A
- B
- C
- D
- E
- F
- L
- M
- N
- P
- R
- S
- T
- U
- W
- X

3. “Region String” is the region component of the Scope string.

4. “Service String” is the service component of the Scope string.

5. “Constant-String-To-Sign” is the string “aws4_request”.

And each of the “Create…” actions consists of generating a secure HMAC using SHA256 from the inputs.

The output secure hash is in binary format (not encoded as a hex character string). The output of each

step acts as the signing key for the subsequent step. The signing key for the ﬁrst step is the shared

secret, pre-pended with the literal ‘AWS4’.

Note that for any given identity the correct signing key only needs to be computed once per day. If the

calculations are cached the cache should include an entry for the previous day to cope with the request

being sent just before midnight UTC. The previous day’s key only needs to be kept for a small

overlapping period (perhaps 10 minutes at the most).

Creating the Signature and Verifying the Request

At this point the signature for the request is computed as a secure HMAC using SHA256. The signing

key is created as described in Creating the Signing Key and the string to sign is created as described in

Building the String to Sign on page 101.

Verifying the signature in the request consists of standard string comparison between the transmitted

and computed keys. If they aren’t identical the request is invalid. The client can be sent a web page

containing a generic reject message or the request can be discarded silently.

Compose the Login or Splash Screen Page

How you create the login page depends on the programming language and toolset you use. This is

largely outside the scope of this document. You can use any programming language that can be used

for web development to create an external captive portal.

The content on the login page depends on the overall environment the ECP serves. It can contain as

little as terms and conditions and a button to indicate acceptance, or it can contain ﬁelds necessary to

submit a user ID and password.

The redirected request contains the attributes conﬁgured on the ECP conﬁguration dialog. Attributes

can be used to decorate the login page, and other information can be input to the authentication

process. For example, a user may be considered authenticated only after logging in from one of a

speciﬁc set of APs.

Approve the Client

Typically, users submit credentials for authentication into an ECP. The credentials are submitted in an

HTTP “post”. The post invokes a script on the ECP web server passing the user’s credentials to the script

as arguments. Write the script that is adapted to your speciﬁc requirements.

The script ﬁle can have any name. For this example, the script is named “login.php”. The script can be

written in any programming language that supports web development. For this example, the script is

written in PHP.

The main job of the “login.php” script is to co-ordinate the client’s browser, the back-end authentication

server, and the appliance. The “login.php” script takes the submitted credentials, sends them to an

External Captive Portal on a Third-Party Server

Compose the Login or Splash Screen Page

Extreme Campus Controller Deployment Guide for version 5.46.03 105