Installation Instructions

ManualsBrandsExtreme Networks ManualsComputers & AccessoriesCLOUD-MANAGED NETWORK ACCESS CONTROL (NAC)

Table Of Contents

A3 Installation and Usage Guide
No Registration VLAN Version
Table of Contents
Introduction
- Overview
- Major Features of A3
Deployment Modes
- Overview
- Layer 2 Hybrid Out-of-Band Deployment
- Layer 3 Across a Routed Network
- Layer 3 Hybrid Out-of-Band Deployment
- Inline Deployment
Enforcement Modes
- Firewall Enforcement
- WebAuth Enforcement
- RADIUS Enforcement
- WebAuth (ACL) Enforcement
Installation
- Equipment Requirements
  - VMware VSphere Hypervisor
  - Microsoft Windows Server 2019
- Extreme Networks Requirements
- Download the Software
- A3 Installation on VMware ESXi
  - Network Interfaces
  - Instantiation
- A3 Installation on Windows Server 2019 Hyper-V
  - Network Interfaces
  - A3 must be attached to an “External” type of virtual switch. An external virtual switch binds to the physical network adapter so that the virtual machine can access a physical network.Installation
Network Topology
- Connectivity and Security
- Enforcement Devices
- Infrastructure Devices
- Layer 3 Topology
Clustering
- Cluster Installation
- Cluster Operation
- Restarting Services
- Graceful Shutdown and Restart
- Cluster Backup and Recovery
Table of Addresses and VLANs
- Network Implementation
Initial A3 Configuration
- Setup IP Addresses
- Domain and Time Zone
- Alerting
- Change Admin Password
- A3 Server Certificate
ExtremeCloud IQ Setup
- MAC Authentication
- 802.1X Authentication
Authentication Methods
- External Authentication Sources
- Internal Authentication Sources
- Exclusive Authentication Sources
- Billing Authentication Sources
- 802.1X
- EAP and X.509 Certificates
  - EAP Methods
- Social Login Authentication Technology
A3 Configuration Flow
- Overview
- Guest Access Configuration Example
  - ExtremeCloud IQ Configuration
  - A3 Configuration
- 802.1X Configuration Example
  - ExtremeCloud IQ Configuration
  - A3 Configuration
Certificates and PKI
- Overview
  - Public and Private Keys
  - Public Key Infrastructure
- A3 Certificate Usage
Portal Modules
- Connection Profile Settings
- Type of Portal Modules
  - Source by Options
  - Templates
- Example 1: Reorder Choices
- Example 2: Two Factor Authentication
Security Events and Scan Engines
- Fingerbank
- Scan Engines
- Security Events
  - Event Triggers
  - Event Actions
- Built-in and Sample Events
Provisioning
- Mobile Device Managers
Firewall Integration
- Barracuda
  - A3 Configuration
  - Verification
- Checkpoint
  - Setting up the Checkpoint Firewall
  - A3 Configuration
- FortiGate
  - Setting up FortiGate Firewall
  - A3 Configuration
- JSON-RPC
  - A3 Configuration
- Palo Alto
Use Case 1: Guest Access with Captive Web Portal
- Roles
- Authentication Sources
- Devices
- Connection Profile
- Testing
  - SMS Test
  - Use Case 1 Complete
Use Case 2: Active Directory Authentication
- Active Directory Domain Join
- Roles
- Authentication Sources
- Devices
- Connection Profile
- Testing Active Directory
Use Case 3: Local User Authentication
- User Manager
- Local User Authentication
- Create a Local User
- Testing Local User Authentication
  - Use Case 3 Example Complete
Use Case 4: Sponsored Access
- Authentication Sources
  - Active Directory Source
  - Sponsor Source
- Connection Profile
- Testing Sponsored Access
  - Verifying Operation
  - Use Case 4 Example Complete
Use Case 5: EAP-TLS Authentication
- EAP-TLS Authentication Source
- Connection Profile
  - Corporate Profile
  - Guest Profile
- Testing EAP-TLS
  - Use Case 5 Example Complete
Use Case 6: Guest Access with External Captive Web Portal
- ExtremeCloud IQ Configuration
  - Network Policy
- A3 Configuration
  - Devices
  - Connection Profile
- Testing E-CWP Access
  - Null Authentication Test
  - Use Case 6 Complete
Use Case 7: Headless IoT Devices
- Automatic Registration Security Event
- Manual Use of Security Event
  - Use Case 7 Complete
Use Case 8: Eduroam
- Overview
- ExtremeCloud IQ Configuration
- A3 Configuration
Advanced Topics
- Best Deployment Practices
- Administrative Access
- Creating Dynamic Reports
  - Examples
    - View of the authentication log
    - View of opened security events
- Performance Enhancements
A3 Troubleshooting
- Administration
- The Auditing Tab
- Getting Started
  - Clients Don’t See Captive Web Portal
    - Basic Issues
    - VLAN Setup is Incorrect
- Authentication Issues
- Post-Authentication Issues
  - Clients Assigned to Incorrect Role
  - Authenticated Clients Can’t Access Internet or Local Sites
- Cluster Problems
Glossary
Index

Layer 3 Hybrid Out-of-Band Deployment Deployment Modes

Part Number: A3 Installation and Usage Guide Community 5

1. Define routed networks for interfaces in A3.

2. Setup up a DHCP relay on the L3 switch/router connected to A3.

3. Configure firewall rules on the access point or access switch to limit client access to

A3 and required services.

An example of a Layer 3 configuration is available in the Initial A3 Configuration chapter.

Layer 3 Hybrid Out-of-Band Deployment

Layer 3 hybrid OOB (out-of-band)deployments are a new means of connecting

authenticating clients. As opposed to earlier techniques a registration VLAN is not

required and Layer 2 connectivity between clients and A3 is likewise not required. The A3

server and access point or switches need only have Layer 3 connectivity.

This deployment mode is shown in the figure below. An Extreme Networks AP is used in

this figure, but an access switch or other intelligent network device can be used. This

deployment model may be used with VLAN, Web Auth, and RADIUS enforcement as

described in Enforcement Modes.

Access point L3 switch/router

DHCP, DNS

RADIUS

HTTP/HTTPS

Wireless client

DNS

DHCP

Management VLAN

Logical

Uses DHCP, DNS,

HTTP and HTTPS