Deployment Guide

ManualsBrandsExtreme Networks ManualsComputers & AccessoriesWired and wireless orchestration for campus and IoT networks

100

Table Of Contents

Table of Contents
Preface
- Conventions
  - Text Conventions
- Documentation and Training
- Send Feedback
- Help and Support
- AP Regulatory Information
About Extreme Campus Controller Deployment
- Deploying Extreme Campus Controller
- VE6120K, VE6125K Virtual Appliances
- VE6120H Virtual Appliance
- VE6120 Virtual Appliance
- VE6125 Virtual Appliance
- Supported Appliance Specifications
- Discovery and Registration
  - Discovery Process for APs and Adapters in a Centralized Site
    - Discovering Centralized Site APs and Adapters
  - Switch Discovery Process
    - Discovering Switches
    - Switch Discovery in an Availability Pair
- Sites
- Device Groups
Configuring DHCP, NPS, and DNS Services
- DHCP Service Configuration
  - Configuring DHCP on Windows Server 2012 R2
  - Configuring DHCP on a Red Hat Linux Server
    - Configuring DHCP Option 43 on a Linux Server
- Configuring the Extreme Campus Controller as an NPS Client
- NPS Service Configuration
  - Add a New Network Policy
    - Create Condition: Client IPv4 Addresses
    - Create Condition: Windows Groups
- DNS Service Configuration
  - Configuring DNS for Wireless AP Discovery
  - Configuring DNS on a Linux Server
- Configure Extreme Campus Controller for Local DHCP Management
  - Add a Physical Interface
  - Local DHCP Settings
Centralized Site with a Captive Portal
- Deployment Strategy
- Adding a Centralized Site with Device Group
- Configuring an Internal Captive Portal
- Specifying B@AC Network Topology
- Configuring a Captive Portal Network
- Working with Internal Captive Portal Engine Rules
- Editing Device Group Profile for Network and Role
- Creating Adoption Rules
Centralized Site with AAA Network
- Deployment Strategy
- Configuring a AAA Network
- Creating an Engine Rule
- Creating a Policy Role
- Applying a AAA Network and Role to the Device Group
Deploying a Mesh Network
- Deployment Strategy
- Mesh Point Network Settings
- Configure Device Groups for Mesh Point
- Advanced Configuration Profile and Mesh Device Settings
  - Profile Advanced Settings
  - Edit Mesh Device Settings
Configuring an External NAC Server for MBA and AAA Authentication
- Deployment Strategy
- Configuring the External NAC Server
- Network with Default Auth Role
  - Configuring an MBA Network
  - Configuring a AAA Network
- Network with Pass-Through External RADIUS
  - Configuring an MBA Network
  - Configuring a AAA Network
Manage RADIUS Servers for User Authentication
- RADIUS Settings
- Advanced RADIUS Settings
- Configure a Pass Through Rule
External Captive Portal on a Third-Party Server
- Firewall Friendly External Captive Portal Flow of Events
  - FF-ECP on Extreme Campus Controller
- Configure the Firewall
- Configure an External Captive Portal
- Understand Processing Performed by the ECP
  - The Redirection URL Sent from Extreme Campus Controller
    - Verifying the Signed Request
  - Compose the Login or Splash Screen Page
- Approve the Client
- Compose the Redirection Response Sending the Browser back to the Appliance
Access Control Rule Admin Portal Access
- Deployment Strategy
- Configure Access Control Group
  - Default Access Control Groups
- Configure Admin Access Policy Role
- Configure Access Control Rule
  - Default Access Control Rules
- Define Rule Precedence
Deploying Centralized Web Authentication
- Deployment Strategy
- CWA with ISE Deployment
- CWA with ExtremeControl Deployment
Deploying ExtremeCloud IQ - SE as an External Captive Portal
- Deployment Strategy
- Configuring an External Captive Portal Network
- Editing the Configuration Profile for Network and Roles
- Extreme Campus Controller Default Pass-Through Rule
- Adding Extreme Campus Controller as a Switch to ExtremeCloud IQ - Site Engine
- Editing the Unregistered Policy on ExtremeCloud IQ - Site Engine
- Editing the ExtremeCloud IQ - Site Engine Profile for Policy and Location-Based Services
Deploying an ExtremeGuest Captive Portal
- Deployment Strategy
- Configure an ExtremeGuest Server
- Configure an ExtremeGuest Captive Portal Network
- Configuration Settings on ExtremeGuest
Deploying Client Bridge
- Deployment Strategy
- AP Client Bridge
- Configure Client Bridge
Deploying an Availability Pair
- Deploying an Availability Pair
Deploying Universal APs
- Onboarding Universal APs — ExtremeCloud IQ, Extreme Campus Controller
Extreme Campus Controller Pair with ExtremeLocation and AirDefense
- Scenario Outline
- Deployment Strategy
- Configuring the Centralized Site with an AP3915 Profile
- Configuring ExtremeLocation
- Configuring AirDefense
ECP Local Authentication
- Scenario Outline
- Deployment Strategy
- Configuring External Captive Portal Network
- Editing the Device Group Profile for ECP Network
PHP External Captive Portal, Controller’s Firewall Friendly API
- net-auth.php
- login.php
- common_utilities.php
- crypt_aws_s4.php
- ffecp-config.php
Index
- A
- B
- C
- D
- E
- F
- L
- M
- N
- P
- R
- S
- T
- U
- W
- X

Extreme Campus Controller adds parameters to the redirection, for example: the user’s MAC address,

the BSSID, or AP location, and AP Ethernet MAC. All available parameters are encoded into the URL

request. The client’s browser typically follows the redirection automatically. The redirection contains the

query parameters added by Extreme Campus Controller.

1.2 - Because the ECP is located on a third-party server, the user’s request must be forwarded through

the enterprise ﬁrewall. Most companies allow requests for port 80 to pass through the ﬁrewall. Typically,

the ﬁrewall also serves as a Network Address Translation (NAT). The NAT records the state of the

connection, replaces the IP address in the request, and forwards it to the ECP.

When the ECP receives the redirected request, it typically replies with a web page. The client’s browser

sends subsequent requests to the ECP to retrieve additional content needed to render the page. If NAT

is present, and the ﬁrewall allows it, the client establishes direct connection with the ECP web server,

which serves the user experience and any necessary transactions related to the captive portal

experience (including login, credentials collection, and validation).

Extreme Campus Controller is not involved in this interaction, except to forward trac between the ECP

and the client. The interaction can be as simple or complex as necessary (represented by the box

labeled seq ECP Authentication).

1.3 - The ECP changes the client’s authentication state and role. Once the server completes the captive

portal workﬂow, the server responds to the client, instructing the client to redirect to Extreme Campus

Controller. The status of the ECP authentication (and possibly credentials needed to have Extreme

Campus Controller perform ﬁnal authentication of the registering client) are encoded within the

response message. You can display a set of terms and conditions on the ECP web page that the user

must accept before a more liberal access control role is assigned.

1.4 - The client’s browser usually follows the redirection URI automatically. Assuming the URI passes

basic validation, the ﬂow proceeds in one of two ways: If the URI contains a signature (secure hash) and

the hash is veriﬁed by Extreme Campus Controller, the appliance accepts the user as authenticated. If

the URI contains the name of an access control role deﬁned on Extreme Campus Controller, it applies

that role to all trac that the client sends subsequently.

1.5 and 1.6 - If the URI is unsigned and contains a user name and password, then Extreme Campus

Controller attempts to authenticate the user against a RADIUS server. The WLAN Service that redirects

to the ECP must have at least one RADIUS server conﬁgured for authentication or an error is reported.

(Optional) If the ECP returns the credentials of the registered client (with the expectation that the

appliance will perform ﬁnal user authentication based on those parameters), the administrator can

conﬁgure Extreme Campus Controller with the address and the shared secret of at least one RADIUS

authentication server. Instructions on how to conﬁgure a RADIUS server for a network using captive

portal authentication is documented in theExtreme Campus Controller User Guide located in the

Extreme Networks documentation portal.

The response from the RADIUS server may also contain attributes, such as maximum session duration,

the VLAN to which the client’s trac is assigned, and the name of an access control role to apply to the

trac the client sends subsequently. If the attributes in the response are valid, Extreme Campus

Controller applies them to the user session.

If no speciﬁc role is returned by the RADIUS server, then Extreme Campus Controller applies the

Authorized role that is deﬁned in the network conﬁguration.

External Captive Portal on a Third-Party Server

FF-ECP on Extreme Campus Controller

Extreme Campus Controller Deployment Guide for version 5.46.03 93