Deployment Guide

ManualsBrandsExtreme Networks ManualsComputers & AccessoriesWired and wireless orchestration for campus and IoT networks

100

Table Of Contents

Table of Contents
Preface
- Conventions
  - Text Conventions
- Documentation and Training
- Send Feedback
- Help and Support
- AP Regulatory Information
About Extreme Campus Controller Deployment
- Deploying Extreme Campus Controller
- VE6120K, VE6125K Virtual Appliances
- VE6120H Virtual Appliance
- VE6120 Virtual Appliance
- VE6125 Virtual Appliance
- Supported Appliance Specifications
- Discovery and Registration
  - Discovery Process for APs and Adapters in a Centralized Site
    - Discovering Centralized Site APs and Adapters
  - Switch Discovery Process
    - Discovering Switches
    - Switch Discovery in an Availability Pair
- Sites
- Device Groups
Configuring DHCP, NPS, and DNS Services
- DHCP Service Configuration
  - Configuring DHCP on Windows Server 2012 R2
  - Configuring DHCP on a Red Hat Linux Server
    - Configuring DHCP Option 43 on a Linux Server
- Configuring the Extreme Campus Controller as an NPS Client
- NPS Service Configuration
  - Add a New Network Policy
    - Create Condition: Client IPv4 Addresses
    - Create Condition: Windows Groups
- DNS Service Configuration
  - Configuring DNS for Wireless AP Discovery
  - Configuring DNS on a Linux Server
- Configure Extreme Campus Controller for Local DHCP Management
  - Add a Physical Interface
  - Local DHCP Settings
Centralized Site with a Captive Portal
- Deployment Strategy
- Adding a Centralized Site with Device Group
- Configuring an Internal Captive Portal
- Specifying B@AC Network Topology
- Configuring a Captive Portal Network
- Working with Internal Captive Portal Engine Rules
- Editing Device Group Profile for Network and Role
- Creating Adoption Rules
Centralized Site with AAA Network
- Deployment Strategy
- Configuring a AAA Network
- Creating an Engine Rule
- Creating a Policy Role
- Applying a AAA Network and Role to the Device Group
Deploying a Mesh Network
- Deployment Strategy
- Mesh Point Network Settings
- Configure Device Groups for Mesh Point
- Advanced Configuration Profile and Mesh Device Settings
  - Profile Advanced Settings
  - Edit Mesh Device Settings
Configuring an External NAC Server for MBA and AAA Authentication
- Deployment Strategy
- Configuring the External NAC Server
- Network with Default Auth Role
  - Configuring an MBA Network
  - Configuring a AAA Network
- Network with Pass-Through External RADIUS
  - Configuring an MBA Network
  - Configuring a AAA Network
Manage RADIUS Servers for User Authentication
- RADIUS Settings
- Advanced RADIUS Settings
- Configure a Pass Through Rule
External Captive Portal on a Third-Party Server
- Firewall Friendly External Captive Portal Flow of Events
  - FF-ECP on Extreme Campus Controller
- Configure the Firewall
- Configure an External Captive Portal
- Understand Processing Performed by the ECP
  - The Redirection URL Sent from Extreme Campus Controller
    - Verifying the Signed Request
  - Compose the Login or Splash Screen Page
- Approve the Client
- Compose the Redirection Response Sending the Browser back to the Appliance
Access Control Rule Admin Portal Access
- Deployment Strategy
- Configure Access Control Group
  - Default Access Control Groups
- Configure Admin Access Policy Role
- Configure Access Control Rule
  - Default Access Control Rules
- Define Rule Precedence
Deploying Centralized Web Authentication
- Deployment Strategy
- CWA with ISE Deployment
- CWA with ExtremeControl Deployment
Deploying ExtremeCloud IQ - SE as an External Captive Portal
- Deployment Strategy
- Configuring an External Captive Portal Network
- Editing the Configuration Profile for Network and Roles
- Extreme Campus Controller Default Pass-Through Rule
- Adding Extreme Campus Controller as a Switch to ExtremeCloud IQ - Site Engine
- Editing the Unregistered Policy on ExtremeCloud IQ - Site Engine
- Editing the ExtremeCloud IQ - Site Engine Profile for Policy and Location-Based Services
Deploying an ExtremeGuest Captive Portal
- Deployment Strategy
- Configure an ExtremeGuest Server
- Configure an ExtremeGuest Captive Portal Network
- Configuration Settings on ExtremeGuest
Deploying Client Bridge
- Deployment Strategy
- AP Client Bridge
- Configure Client Bridge
Deploying an Availability Pair
- Deploying an Availability Pair
Deploying Universal APs
- Onboarding Universal APs — ExtremeCloud IQ, Extreme Campus Controller
Extreme Campus Controller Pair with ExtremeLocation and AirDefense
- Scenario Outline
- Deployment Strategy
- Configuring the Centralized Site with an AP3915 Profile
- Configuring ExtremeLocation
- Configuring AirDefense
ECP Local Authentication
- Scenario Outline
- Deployment Strategy
- Configuring External Captive Portal Network
- Editing the Device Group Profile for ECP Network
PHP External Captive Portal, Controller’s Firewall Friendly API
- net-auth.php
- login.php
- common_utilities.php
- crypt_aws_s4.php
- ffecp-config.php
Index
- A
- B
- C
- D
- E
- F
- L
- M
- N
- P
- R
- S
- T
- U
- W
- X

Once the user is authenticated, it is assigned to a new role that does not redirect its HTTP trac to the

ECP. The client's assigned role is enforced and access is granted or restricted based on the rules deﬁned

in the Policy role. Because this is a function of the role that the client gets assigned to, it is up to the

Extreme Campus Controller administrator to deﬁne the authenticated role appropriately. The

administrator can conﬁgure Extreme Campus Controller to steer the client back to the initially intended

URL, or redirect the client to a speciﬁc URL.

1.7 - Assuming the client is authenticated, it has internet access to the extent allowed by the

authenticated role to which it is assigned.

Conﬁgure the Firewall

Conﬁgure the ﬁrewall to enable clients that are behind the ﬁrewall to forward trac to port 80

destination on the insecure side of the ﬁrewall. Most sites conﬁgure this behavior by default. A ﬁrewall

friendly ECP can require the ﬁrewall to allow Extreme Campus Controller to forward RADIUS requests

(UDP) to an external server (typically at port 1812).

Conﬁgure an External Captive Portal

The External Captive Portal (ECP) is, essentially, a web server that runs an application allowing clients to

change their authentication state, by providing credentials, credit card details, demographic information

about themselves or acknowledging terms and conditions. The application can be written in any

language the ECP provider chooses. The Extreme Campus Controller web applications are implemented

in PHP, but they will interact with any programming language or library on the ECP or client that can

generate valid HTTP.

If the ECP expects the controller to sign redirection responses, it is critical that the real time clocks on

Extreme Campus Controller and the ECP are synchronized. Signed redirection responses include

timestamps to protect against replay attacks. Trust the redirection responses only for a limited period of

time.

The easiest way to do this is to conﬁgure both Extreme Campus Controller and the ECP to use Network

Time Protocol (NTP) to manage the clock. The time zone needs to be set correctly, both on the ECP and

on the appliance. On Extreme Campus Controller, go to Administration > System > Network Time to

conﬁgure NTP.

The timestamps in signed redirection responses are in UTC (Coordinated Universal Time). There is no

need for Extreme Campus Controller to know the ECP’s time zone and no need for the ECP to know the

appliance’s time zone.

The signing algorithm is a slight variation on Amazon Web Service’s (AWS) algorithm for signing

requests using query string parameters. At this time AWS makes an SDK available that includes

implementations of the signing algorithms in several dierent languages (notably Java and PHP). It may

be helpful to obtain and use this SDK rather than re-implement the signing algorithm from scratch.

Understand Processing Performed by the ECP

The ECP must receive HTTP/HTTPS redirection from Extreme Campus Controller, provide means for a

client to become authorized, and ﬁnally redirect the user back to a web server on Extreme Campus

Controller.

Conﬁgure

the Firewall External Captive Portal on a Third-Party Server

94 Extreme Campus Controller Deployment Guide for version 5.46.03