Deployment Guide

ManualsBrandsExtreme Networks ManualsComputers & AccessoriesWired and wireless orchestration for campus and IoT networks

151

152

153

154

155

156

157

158

159

160

Table Of Contents

Table of Contents
Preface
- Conventions
  - Text Conventions
- Documentation and Training
- Send Feedback
- Help and Support
- AP Regulatory Information
About Extreme Campus Controller Deployment
- Deploying Extreme Campus Controller
- VE6120K, VE6125K Virtual Appliances
- VE6120H Virtual Appliance
- VE6120 Virtual Appliance
- VE6125 Virtual Appliance
- Supported Appliance Specifications
- Discovery and Registration
  - Discovery Process for APs and Adapters in a Centralized Site
    - Discovering Centralized Site APs and Adapters
  - Switch Discovery Process
    - Discovering Switches
    - Switch Discovery in an Availability Pair
- Sites
- Device Groups
Configuring DHCP, NPS, and DNS Services
- DHCP Service Configuration
  - Configuring DHCP on Windows Server 2012 R2
  - Configuring DHCP on a Red Hat Linux Server
    - Configuring DHCP Option 43 on a Linux Server
- Configuring the Extreme Campus Controller as an NPS Client
- NPS Service Configuration
  - Add a New Network Policy
    - Create Condition: Client IPv4 Addresses
    - Create Condition: Windows Groups
- DNS Service Configuration
  - Configuring DNS for Wireless AP Discovery
  - Configuring DNS on a Linux Server
- Configure Extreme Campus Controller for Local DHCP Management
  - Add a Physical Interface
  - Local DHCP Settings
Centralized Site with a Captive Portal
- Deployment Strategy
- Adding a Centralized Site with Device Group
- Configuring an Internal Captive Portal
- Specifying B@AC Network Topology
- Configuring a Captive Portal Network
- Working with Internal Captive Portal Engine Rules
- Editing Device Group Profile for Network and Role
- Creating Adoption Rules
Centralized Site with AAA Network
- Deployment Strategy
- Configuring a AAA Network
- Creating an Engine Rule
- Creating a Policy Role
- Applying a AAA Network and Role to the Device Group
Deploying a Mesh Network
- Deployment Strategy
- Mesh Point Network Settings
- Configure Device Groups for Mesh Point
- Advanced Configuration Profile and Mesh Device Settings
  - Profile Advanced Settings
  - Edit Mesh Device Settings
Configuring an External NAC Server for MBA and AAA Authentication
- Deployment Strategy
- Configuring the External NAC Server
- Network with Default Auth Role
  - Configuring an MBA Network
  - Configuring a AAA Network
- Network with Pass-Through External RADIUS
  - Configuring an MBA Network
  - Configuring a AAA Network
Manage RADIUS Servers for User Authentication
- RADIUS Settings
- Advanced RADIUS Settings
- Configure a Pass Through Rule
External Captive Portal on a Third-Party Server
- Firewall Friendly External Captive Portal Flow of Events
  - FF-ECP on Extreme Campus Controller
- Configure the Firewall
- Configure an External Captive Portal
- Understand Processing Performed by the ECP
  - The Redirection URL Sent from Extreme Campus Controller
    - Verifying the Signed Request
  - Compose the Login or Splash Screen Page
- Approve the Client
- Compose the Redirection Response Sending the Browser back to the Appliance
Access Control Rule Admin Portal Access
- Deployment Strategy
- Configure Access Control Group
  - Default Access Control Groups
- Configure Admin Access Policy Role
- Configure Access Control Rule
  - Default Access Control Rules
- Define Rule Precedence
Deploying Centralized Web Authentication
- Deployment Strategy
- CWA with ISE Deployment
- CWA with ExtremeControl Deployment
Deploying ExtremeCloud IQ - SE as an External Captive Portal
- Deployment Strategy
- Configuring an External Captive Portal Network
- Editing the Configuration Profile for Network and Roles
- Extreme Campus Controller Default Pass-Through Rule
- Adding Extreme Campus Controller as a Switch to ExtremeCloud IQ - Site Engine
- Editing the Unregistered Policy on ExtremeCloud IQ - Site Engine
- Editing the ExtremeCloud IQ - Site Engine Profile for Policy and Location-Based Services
Deploying an ExtremeGuest Captive Portal
- Deployment Strategy
- Configure an ExtremeGuest Server
- Configure an ExtremeGuest Captive Portal Network
- Configuration Settings on ExtremeGuest
Deploying Client Bridge
- Deployment Strategy
- AP Client Bridge
- Configure Client Bridge
Deploying an Availability Pair
- Deploying an Availability Pair
Deploying Universal APs
- Onboarding Universal APs — ExtremeCloud IQ, Extreme Campus Controller
Extreme Campus Controller Pair with ExtremeLocation and AirDefense
- Scenario Outline
- Deployment Strategy
- Configuring the Centralized Site with an AP3915 Profile
- Configuring ExtremeLocation
- Configuring AirDefense
ECP Local Authentication
- Scenario Outline
- Deployment Strategy
- Configuring External Captive Portal Network
- Editing the Device Group Profile for ECP Network
PHP External Captive Portal, Controller’s Firewall Friendly API
- net-auth.php
- login.php
- common_utilities.php
- crypt_aws_s4.php
- ffecp-config.php
Index
- A
- B
- C
- D
- E
- F
- L
- M
- N
- P
- R
- S
- T
- U
- W
- X

4. Select Yes to assign the WLAN to desired device groups or SKIP to assign them later.

Editing the Conﬁguration Proﬁle for Network and Roles

Conﬁgure a network and be aware of policy roles that you are using before modifying the device group

proﬁle.

1. On Extreme Campus Controller, go to Conﬁgure > Sites and select a site.

2. Select Device Groups tab.

3. Select your conﬁgured device group.

4. Beside the Proﬁle ﬁeld, select

to edit the conﬁguration proﬁle.

5. From the Networks tab, assign a radio to the network you created.

6. From the Roles tab, select the appropriate roles that will be applied to the end system during

connection/registration/authorization. Typically all roles are selected.

Note

Upon creating an External Captive Portal WLAN the Extreme Campus Controller

automatically creates the following internal rule:

• Unregistered role for <network name>

The following are rule examples:

Unregistered role for Guest:acfilters# show

Custom AP Filters: disable

filter 1 3 proto udp eth 800 mac any 0.0.0.0/0 port 53 in dst out src allow

filter 2 3 proto udp eth 800 mac any 0.0.0.0/0 port 67 in dst out src allow

filter 3 3 proto any eth any mac any 0.0.0.0/0 all_ports in none out src allow

filter 4 3 proto icmp eth 800 mac any 0.0.0.0/0 type-code 0x0000 0x0000 in

dst out src allow

filter 5 3 proto tcp eth 800 mac any 1.1.1.1/32 all_ports in dst out src allow

filter 6 3 app-signature group "Web Applications" hostname

"fqdn:nac_engine.mynetwork.com" proto any eth 800 mac any 0.0.0.0/0 all_ports

in dst out src allow

filter 7 3 proto tcp eth 800 mac any 0.0.0.0/0 port 80 in dst out none

redirect

filter 8 3 proto tcp eth 800 mac any 0.0.0.0/0 port 443 in dst out none

redirect

Enabling Captive Portal on a WLAN automatically builds the Unregistered role for

<Network Name> and the necessary rules for client redirection. This role is automatically

assigned to device groups that have the External Captive Portal WLAN selected to

broadcast. Unregistered role for <Network Name> is not visible within the Extreme

Campus Controller user interface. No modiﬁcation or role creation is necessary for the

functional External Captive Portal environment. Extreme Control must send back the ﬁlter-

id of Unregistered role for <Network Name> to use the automatically created role.

7. Select Save to save the Proﬁle settings.

8. Select Close to close the device group.

Extreme Campus Controller Default Pass-Through Rule

Create a RADIUS Pass-Through rule on Extreme Campus Controller. This rule designates that trac

connecting to the Guest network will send and receive all RADIUS requests from the externally deﬁned

RADIUS server, not from the Extreme Campus Controller that processes the request. This includes ﬁlter-

ids that are received as attributes. The ExtremeControl RADIUS server provides RADIUS authentication

Deploying ExtremeCloud IQ - SE as an External Captive

Portal Editing the Conﬁguration Proﬁle for Network and Roles

Extreme Campus Controller Deployment Guide for version 5.46.03 155