Deployment Guide

ManualsBrandsExtreme Networks ManualsComputers & AccessoriesWired and wireless orchestration for campus and IoT networks

201

202

203

204

205

206

207

208

209

210

Table Of Contents

Table of Contents
Preface
- Conventions
  - Text Conventions
- Documentation and Training
- Send Feedback
- Help and Support
- AP Regulatory Information
About Extreme Campus Controller Deployment
- Deploying Extreme Campus Controller
- VE6120K, VE6125K Virtual Appliances
- VE6120H Virtual Appliance
- VE6120 Virtual Appliance
- VE6125 Virtual Appliance
- Supported Appliance Specifications
- Discovery and Registration
  - Discovery Process for APs and Adapters in a Centralized Site
    - Discovering Centralized Site APs and Adapters
  - Switch Discovery Process
    - Discovering Switches
    - Switch Discovery in an Availability Pair
- Sites
- Device Groups
Configuring DHCP, NPS, and DNS Services
- DHCP Service Configuration
  - Configuring DHCP on Windows Server 2012 R2
  - Configuring DHCP on a Red Hat Linux Server
    - Configuring DHCP Option 43 on a Linux Server
- Configuring the Extreme Campus Controller as an NPS Client
- NPS Service Configuration
  - Add a New Network Policy
    - Create Condition: Client IPv4 Addresses
    - Create Condition: Windows Groups
- DNS Service Configuration
  - Configuring DNS for Wireless AP Discovery
  - Configuring DNS on a Linux Server
- Configure Extreme Campus Controller for Local DHCP Management
  - Add a Physical Interface
  - Local DHCP Settings
Centralized Site with a Captive Portal
- Deployment Strategy
- Adding a Centralized Site with Device Group
- Configuring an Internal Captive Portal
- Specifying B@AC Network Topology
- Configuring a Captive Portal Network
- Working with Internal Captive Portal Engine Rules
- Editing Device Group Profile for Network and Role
- Creating Adoption Rules
Centralized Site with AAA Network
- Deployment Strategy
- Configuring a AAA Network
- Creating an Engine Rule
- Creating a Policy Role
- Applying a AAA Network and Role to the Device Group
Deploying a Mesh Network
- Deployment Strategy
- Mesh Point Network Settings
- Configure Device Groups for Mesh Point
- Advanced Configuration Profile and Mesh Device Settings
  - Profile Advanced Settings
  - Edit Mesh Device Settings
Configuring an External NAC Server for MBA and AAA Authentication
- Deployment Strategy
- Configuring the External NAC Server
- Network with Default Auth Role
  - Configuring an MBA Network
  - Configuring a AAA Network
- Network with Pass-Through External RADIUS
  - Configuring an MBA Network
  - Configuring a AAA Network
Manage RADIUS Servers for User Authentication
- RADIUS Settings
- Advanced RADIUS Settings
- Configure a Pass Through Rule
External Captive Portal on a Third-Party Server
- Firewall Friendly External Captive Portal Flow of Events
  - FF-ECP on Extreme Campus Controller
- Configure the Firewall
- Configure an External Captive Portal
- Understand Processing Performed by the ECP
  - The Redirection URL Sent from Extreme Campus Controller
    - Verifying the Signed Request
  - Compose the Login or Splash Screen Page
- Approve the Client
- Compose the Redirection Response Sending the Browser back to the Appliance
Access Control Rule Admin Portal Access
- Deployment Strategy
- Configure Access Control Group
  - Default Access Control Groups
- Configure Admin Access Policy Role
- Configure Access Control Rule
  - Default Access Control Rules
- Define Rule Precedence
Deploying Centralized Web Authentication
- Deployment Strategy
- CWA with ISE Deployment
- CWA with ExtremeControl Deployment
Deploying ExtremeCloud IQ - SE as an External Captive Portal
- Deployment Strategy
- Configuring an External Captive Portal Network
- Editing the Configuration Profile for Network and Roles
- Extreme Campus Controller Default Pass-Through Rule
- Adding Extreme Campus Controller as a Switch to ExtremeCloud IQ - Site Engine
- Editing the Unregistered Policy on ExtremeCloud IQ - Site Engine
- Editing the ExtremeCloud IQ - Site Engine Profile for Policy and Location-Based Services
Deploying an ExtremeGuest Captive Portal
- Deployment Strategy
- Configure an ExtremeGuest Server
- Configure an ExtremeGuest Captive Portal Network
- Configuration Settings on ExtremeGuest
Deploying Client Bridge
- Deployment Strategy
- AP Client Bridge
- Configure Client Bridge
Deploying an Availability Pair
- Deploying an Availability Pair
Deploying Universal APs
- Onboarding Universal APs — ExtremeCloud IQ, Extreme Campus Controller
Extreme Campus Controller Pair with ExtremeLocation and AirDefense
- Scenario Outline
- Deployment Strategy
- Configuring the Centralized Site with an AP3915 Profile
- Configuring ExtremeLocation
- Configuring AirDefense
ECP Local Authentication
- Scenario Outline
- Deployment Strategy
- Configuring External Captive Portal Network
- Editing the Device Group Profile for ECP Network
PHP External Captive Portal, Controller’s Firewall Friendly API
- net-auth.php
- login.php
- common_utilities.php
- crypt_aws_s4.php
- ffecp-config.php
Index
- A
- B
- C
- D
- E
- F
- L
- M
- N
- P
- R
- S
- T
- U
- W
- X

$host = strtolower($urlParams['host']);

if($port && (($urlParams['scheme']=='https' && $port !=

443)||($urlParams['scheme']=='http' && $port != 80))) {

$host .= ':'.$port;

}

$canonical_request = self::getCanonicalFFECPContent($q,

$host, $urlParams['path']);

$stringToSign = "AWS4-HMAC-SHA256\n{$date}\n{$scope}\n" .

hash('sha256', $canonical_request);

$signingKey = self::getSigningKey($credentAttrs[1], $credentAttrs[2],

$credentAttrs[3], $awsKeyPairs[$pKey]);

$mySign = hash_hmac('sha256', $stringToSign, $signingKey);

if (strcmp($mySign,$sign)){

return self::AWS4_ERROR_INVALID_SIGNATURE;

}

return self::AWS4_ERROR_NONE;

}

/**

* Method to verify that the query parameters contain the elements

* required in the response to the controller and the ones required to

* sign the request.

* @param array $qParams: an associative array in which the key of an

* entry is the name of a query parameter and the corresponding value

* is the value of that parameter.

* @return an AWS_ERROR code.

private static function validateQueryParms($qParams) {

if (is_null($qParams)) {

return self::AWS4_ERROR_MISSING_QUERY;

}

if ((!isset($qParams['wlan'])) or (!isset($qParams['token']))

or (!isset($qParams['dest']))) {

return self::AWS4_ERROR_MISSING_QUERY_PARAMS;

}

if (!isset($qParams['X-Amz-Signature'])) {

return self::AWS4_ERROR_MISSING_QUERY_SIGNATURE;

}

if(!isset($qParams['X-Amz-Algorithm'])) {

return self::AWS4_ERROR_MISSING_QUERY_ALGORITHM;

}

if (!isset($qParams['X-Amz-Credential'])) {

return self::AWS4_ERROR_MISSING_QUERY_CREDENTIAL;

}

if (!isset($qParams['X-Amz-Date'])) {

return self::AWS4_ERROR_MISSING_QUERY_DATE;

}

if (!isset($qParams['X-Amz-Expires'])) {

return self::AWS4_ERROR_MISSING_QUERY_EXPIRES;

}

if (!isset($qParams['X-Amz-SignedHeaders'])) {

return self::AWS4_ERROR_MISSING_QUERY_SIGNED_HEADERS;

}

// The date & expires parameters exist in the request.

// Verify that the request is not stale or replayed.

$redirectedAt = DateTime::createFromFormat('Ymd?Gis?',

$qParams['X-Amz-Date'], new DateTimeZone("UTC"));

$expires = $qParams['X-Amz-Expires'];

$now = date_create();

$delta = $now->getTimestamp() - $redirectedAt->getTimestamp();

// The following gives some latitude for clocks that are not synched

if (($delta < -10) or ($delta > $expires)) {

print("<br>");

print(date("Y-m-d H:i:sZ", $now->getTimestamp()));

print("<br>");

PHP External Captive Portal, Controller’s Firewall

Friendly API crypt_aws_s4.php

Extreme Campus Controller Deployment Guide for version 5.46.03 209